Best CA for SSL Certificates
-
I normally go through GoDaddy but is there a better option?
-
-
I have to say I used LetsEncrypt for my last SSL project.
Holy cow it is awesome. And, of course, free!
-
Mine are through Let's Encrypt as well.
-
I use Let's Encrypt for everything except Exchange. But that is only because the Windows ports of the stuff are a bit lacking. Because, Windows.
-
@JaredBusch said in Best CA for SSL Certificates:
I use Let's Encrypt for everything except Exchange. But that is only because the Windows ports of the stuff are a bit lacking. Because, Windows.
That was my next question. You're good!
-
I read a thread on the subject this morning in fact.
https://community.letsencrypt.org/t/ssl-cert-for-exchange-2013/1364
The most recent poster int heat thread was saying that he used that process to get the cert but now has issues with the renew.
There are multiple threads on their community about Windows clients.
-
The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.
-
@Grey said in Best CA for SSL Certificates:
The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.
You just use a script and automate it so you never have to deal with it at all.
-
I tried LE for a windows server just last week. Tons of problems, like relative path for wwwdata not working(got around this by using full path of wwwdata), not creating scheduled task for renew, never exiting without errors.
-
@scottalanmiller said in Best CA for SSL Certificates:
@Grey said in Best CA for SSL Certificates:
The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.
You just use a script and automate it so you never have to deal with it at all.
Right. Once you have a script set to renew every day or two, you will never worry about it. By default
certbot renewcan be run as often as you want. It checks if the local cert is able to be renewed and exits if not. Does not even go out to the web.If the script fails and does not auto renew, then you will get an email about 3 weeks before expiration.
-
@momurda said in Best CA for SSL Certificates:
I tried LE for a windows server just last week. Tons of problems, like relative path for wwwdata not working(got around this by using full path of wwwdata), not creating scheduled task for renew, never exiting without errors.
Yeah, Windows just is not there yet. Someone will get a solid application wrote eventually.
-
@JaredBusch said in Best CA for SSL Certificates:
@scottalanmiller said in Best CA for SSL Certificates:
@Grey said in Best CA for SSL Certificates:
The problem with LE is that all of their certs last 3 months. They force you to renew via automation, which can be great for security, and could increase your administrative load.
You just use a script and automate it so you never have to deal with it at all.
Right. Once you have a script set to renew every day or two, you will never worry about it. By default
certbot renewcan be run as often as you want. It checks if the local cert is able to be renewed and exits if not. Does not even go out to the web.If the script fails and does not auto renew, then you will get an email about 3 weeks before expiration.
[root@nginxproxy ~]# certbot renew Saving debug log to /var/log/letsencrypt/letsencrypt.log ------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/daerma.com.conf ------------------------------------------------------------------------------- Cert not yet due for renewal ------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/jaredbusch.com.conf ------------------------------------------------------------------------------- Cert is due for renewal, auto-renewing... Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org Renewing an existing certificate Performing the following challenges: tls-sni-01 challenge for jaredbusch.com tls-sni-01 challenge for www.jaredbusch.com Cleaning up challenges Attempting to renew cert from /etc/letsencrypt/renewal/jaredbusch.com.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping. The following certs are not due for renewal yet: /etc/letsencrypt/live/daerma.com/fullchain.pem (skipped) All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/jaredbusch.com/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s)Note, that failed, because I need to stop nginx first. My system was setup with the standalone parameter because i do not want cerbot changing conf files for me. So my renew needs to stop nginx also.
There are pre and post hooks you can add to the certbot command to handle that.
certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -
Current certs are from DNSimple. Will consider Let's Encrypt in the future.
-
@EddieJennings said in Best CA for SSL Certificates:
Current certs are from DNSimple. Will consider Let's Encrypt in the future.
Very worth it. Pretty much everyone is switching now.
-
I did look at it once before, but I can't remember why we didn't use it (I think it had to do with needing a wildcard cert). But in the future ...
-
@EddieJennings said in Best CA for SSL Certificates:
I did look at it once before, but I can't remember why we didn't use it (I think it had to do with needing a wildcard cert). But in the future ...
What is the deal with people thinking they need a wildcard cert when using Let's Encrypt? You can add as many subdomains onto the cert they create for you as you like, no need for a wildcard if you're going to use Let's Encrypt!
-
@travisdh1 said in Best CA for SSL Certificates:
@EddieJennings said in Best CA for SSL Certificates:
I did look at it once before, but I can't remember why we didn't use it (I think it had to do with needing a wildcard cert). But in the future ...
What is the deal with people thinking they need a wildcard cert when using Let's Encrypt? You can add as many subdomains onto the cert they create for you as you like, no need for a wildcard if you're going to use Let's Encrypt!
Because the only way to have a single never changing cert is a wildcard.
The people that need a wildcard are usually in an organization with active development and managing LE would be a nightmare. Or a massive org with tons of stuff where a single wildcard can be put on all servers instead of every server having a variation of some few certs from LE.
There are very, very good reasons to use a wildcard cert for people that do more than you little dozen servers.
People are used to being able to get a wildcard from their CA. Free or not. LE not even having that option is the oddity here. Now LE is this way for a very good reason, but that does not negate the fact that every prior CA operated differently than LE.
-
We use Godaddy and Let's Encrypt.
-
My first question here would be what type of certs? For DV certs, then I'd say go with LE like everyone says. But if you need EV or Wildcard then you'll need to buy some. I suggest DigiCert.
Stay the hell away from Register.com for certs. Their customer support is horrid and they just re-sell certs and do not allow their customers to speak to the actual CA for support, so any issues take forever to get solved.
