Affordable & Wildcard-supported Alternative to Letsencrypt SSL Cert

We can no longer automate Letsencrypt SSL via DNS owing to a change of provider. And webroot is not an option.

Renewing a cert every three months is no fun, particularly when a charity org. has HAproxy, webservers and a plethora of other services running in separate jails.

We had used Comodo Multi-domain several years ago. Their SSL certs do not come cheap. A free long-expiry cert with no strings attached would be ideal; we can hardly afford a commercial one. But at this time, we might pay a token for a reliable one.

We likewise want something that can serve multiple purposes - for SMTP, XMPP and so on.
 
I'm in the same situation, and every 3 months I spend 30 minutes renewing my SSL certs using LetsEncrypt and manually adding/removing TXT records at my DNS server.

Suggestion: If you look at the documentation for certbot, there are lots of plugins for various DNS providers. Perhaps one of those plugins might work for yours?
 
Suggestion: If you look at the documentation for certbot, there are lots of plugins for various DNS providers. Perhaps one of those plugins might work for yours?
It is more than the plugin. Apparently, the CDN now has an API for auto-renew. It must have been developed by a third party, given that they outright said they do not endorse it.

The problem is with the layers of requirements to get auto-renew to work and the amount of time spent on troubleshooting. Given that (1) HAproxy in one jail requires the SSL cert in another jail, i.e. the originating webserver using the SSL, (2) a COMMON-NAME invalid error (a certbot-issued cert from a jail surprisingly pointing at the host name, another certbot-issued cert), and now (3) an EXPIRED cert seen by clients even though we renewed and have valid certs, we cannot but try a commercial cert that would have addressed these problems from a centralised viewpoint. At least, fixing it once means we don't have to come back in three months to do the same.
 
We had used Comodo Multi-domain several years ago. Their SSL certs do not come cheap. A free long-expiry cert with no strings attached would be ideal; we can hardly afford a commercial one. But at this time, we might pay a token for a reliable one.
Didn't COMODO come under a bunch of fire some years ago, or am I thinking of someone else?
 
Renewing a cert every three months is no fun, particularly when a charity org. has HAproxy, webservers and a plethora of other services running in separate jails.
Is this perhaps a useful solution for you?

 
Thanks SirDice. I saw it a few days ago. I have a similar setup. We had luck with auto-renew in the last months.

Hopefully, the certbot PKG version does not change on the server soon. We had to disable DNSSEC just yesterday for a new DNS manager in order to get their API to work. These problems can be minimised with long-term SSL certs. We'll see how things go.
 
We can no longer automate Letsencrypt SSL via DNS owing to a change of provider. And webroot is not an option.

Renewing a cert every three months is no fun, particularly when a charity org. has HAproxy, webservers and a plethora of other services running in separate jails.

We had used Comodo Multi-domain several years ago. Their SSL certs do not come cheap. A free long-expiry cert with no strings attached would be ideal; we can hardly afford a commercial one. But at this time, we might pay a token for a reliable one.

We likewise want something that can serve multiple purposes - for SMTP, XMPP and so on.
ssl2buy.com certs serve multiple purposes as they provide unlimited server licenses. Also, the Comodo multi-domain cost will be $33/year if you buy for 5 years.
 
Albeit this is an old thread:

There's always the option of using a challenge-alias domain which is delegated via an NS record to a DNS server/provider that offers an API. Your zone then only needs a CNAME record to that challenge-alias zone.
The provider with whom we register our domains also has no DNS API, so I'm using "acme.ourdomain.tld" as a challenge-alias and have an NS record for that subdomain in place, pointing to bunnynet nameservers, where I only manage that zone and can use their API with acme.sh. The "ourdomain.tld" zone also has an "_acme-challenge.ourdomain.tld. CNAME _acme-challenge.acme.ourdomain.tld." record, which redirects the ACME server during validation.

On the client side, e.g. with acme.sh, you only have to specify --challenge-alias acme.ourdomain.tld and that's it; all the magic happens at DNS level, it 'just works'™, and you don't have to grant API access on your main zone to a bunch of certbots or other scripts or services...


edit:
here's a more detailed description of how it works:
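The challenge-alias setup described in the post above, as an added example that is not part of the original thread: a small offline Python simulation of how a resolver follows _acme-challenge.ourdomain.tld through the CNAME into the NS-delegated acme.ourdomain.tld zone, and which zone's API therefore has to publish the DNS-01 TXT record. ourdomain.tld and acme.ourdomain.tld are the poster's names; the record data and nameserver names are constructed placeholders, and the wildcard handling follows the ACME rule that *.example is validated at the base name.

```python
"""Follow a DNS-01 challenge-alias the way an ACME server's resolver would (offline)."""

# Constructed zone data: owner name (FQDN, trailing dot) -> list of (type, rdata).
# ourdomain.tld stays at the registrar's DNS (no API); acme.ourdomain.tld is
# delegated by NS to the API-capable provider, and the main zone carries only
# one CNAME pointing into that delegated zone. Nameserver names are placeholders.
RECORDS = {
    "ourdomain.tld.": [("NS", "ns1.registrar-placeholder.example.")],
    "acme.ourdomain.tld.": [("NS", "ns1.api-provider-placeholder.example.")],
    "_acme-challenge.ourdomain.tld.": [("CNAME", "_acme-challenge.acme.ourdomain.tld.")],
    # The ACME client (acme.sh with --challenge-alias acme.ourdomain.tld) writes here:
    "_acme-challenge.acme.ourdomain.tld.": [("TXT", "constructed-challenge-token")],
}


def authoritative_zone(name, records):
    """Walk up the labels to the nearest name holding NS records: that zone owns `name`."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if any(rtype == "NS" for rtype, _ in records.get(candidate, [])):
            return candidate
    return None


def resolve_txt(name, records, max_hops=8):
    """Follow CNAMEs like a resolver; return (final_name, txt_values, hop_count)."""
    current, hops = name, 0
    for _ in range(max_hops):
        rrset = records.get(current, [])
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return current, [rdata for rtype, rdata in rrset if rtype == "TXT"], hops
        current, hops = cnames[0], hops + 1
    raise RuntimeError(f"CNAME chain from {name} exceeds {max_hops} hops (loop?)")


def challenge_target(domain, records=RECORDS):
    """Where must the TXT record for `domain` be published, and which zone's API is needed?

    A wildcard (*.ourdomain.tld) is validated at the base name, so the same alias covers it.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    final, txts, hops = resolve_txt(f"_acme-challenge.{base}.", records)
    return {"publish_at": final, "zone": authoritative_zone(final, records),
            "hops": hops, "txt_present": bool(txts)}
```

If the CNAME owner label is mistyped or missing, challenge_target reports the main zone instead, which is exactly the case where API access on ourdomain.tld would be needed.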
 