pibaker 2 days ago

What are the viable alternatives to LE? And in case none exists, what does it take to build one?

Requirements: free, available to everyone, automation friendly, issues certificates that are actually considered trustworthy by other parties.

treesknees 2 days ago | parent | next [-]

ZeroSSL – free 90-day certs via ACME, also has a web UI for cert management

Google Trust Services – free ACME certs, requires a Google account for registration

SSL.com Free DV SSL – offers free 90-day certs through ACME

polpo 2 days ago | parent | next [-]

I use acme.sh for certs on my personal server and was a little surprised when it started using ZeroSSL by default. Despite being more "corporate" I decided to roll with it and it's worked just fine.

curben 2 days ago | parent [-]

acme.sh is maintained by ZeroSSL. https://github.com/acmesh-official/acme.sh#2%EF%B8%8F%E2%83%...

JumpCrisscross 2 days ago | parent | prev | next [-]

Have the EU or Canada pushed to launch an analog of their own?

It seems a bit silly that a service that could be forced by EO to revoke foreign certificates is the backbone of so much of the internet.

dlcarrier 2 days ago | parent | prev | next [-]

This video explores a little on how certificate authorities were given their authority and a lot on how it can fail: https://www.youtube.com/watch?v=M1si1y5lvkk

It's a bit mathy, but if you can make it through that, I highly recommend watching the whole video, especially if you like dad jokes.

evbogue 2 days ago | parent | prev | next [-]

Like peers could sign sites?

ksimukka 2 days ago | parent | prev | next [-]

[dead]

otabdeveloper4 2 days ago | parent | prev [-]

> What are the viable alternatives to LE?

None. Big tech intentionally made Let's Encrypt a single point of giant failure.

> And in case none exists, what does it take to build one?

A new Internet and Web standards stack. The whole problem is self-imposed -- we could have published self-signed Ed25519 keys on the DNS instead, and the result would be more secure than whatever it is we have now.

icedchai 2 days ago | parent [-]

Do you remember the early days of SSL certificates? It took an act of god just to get a certificate: verification rituals like faxing corporate paperwork, phone calls, manually reissuing certs because someone forgot the "www", forgotten renewals...

Let's Encrypt is incredible.