this post was submitted on 12 Sep 2024

104 points (97.3% liked)

Selfhosted

39251 readers

283 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

104

Paid SSL vs Letsencrypt (lemmy.ml)

submitted 1 week ago by brownmustardminion@lemmy.ml to c/selfhosted@lemmy.world

110 comments fedilink hide all child comments

I'm curious what the benefits are of paying for SSL certificates vs using a free provider such as letsencrypt.

What exactly are you trusting a cert provider with and what are the security implications? What attack vectors do you open yourself up to when trusting a certificate authority with your websites' certificates?

In what way could it benefit security and/or privacy to utilize a paid service?

And finally, which paid SSL providers are considered trustworthy?

I know Digicert is a big player, but their prices are insane. Comodo seems like a good affordable option, but is it a trustworthy company?

(page 2) 50 comments

sorted by: hot top controversial new old

[+] gencha@lemm.ee -14 points 6 days ago (5 children)

People who have actually relevant use cases with the need for a reliable partner would never use LE. It's a gimmick for hobbyists and people who suck at their job.

If you have never revoked a certificate, you don't really know what you're doing. If you have never run into rate-limiting issues with LE that block a rollout, you don't know what you're doing.

LE works until it doesn't, and then it's like every other free service on the internet: no guarantees If your setup relies on the goodwill of a single entity handing out shit for free, it's not a robust setup. If you rely on that entity to keep an OCSP responder alive for free so all your consumers can verify the validity of your certificate, that's not great. And people do this to save their company $1 a month for the real thing? Even running the shitty certbot in compute has a larger cost. People are so blindly in love with this "free" garbage. The fanboys will never die off

[–] magnus@lemmy.ahall.se 2 points 6 days ago (1 children)

We have had the opposite problem in the past. A cert provider requiring us to exist in certain international directories of companies took weeks of waiting around on bureaucratic red tape.

Then they didn't even call us to verify our existance, place of business or anything (yeah, this was one of the big certificate providers a long time ago).

Their website was horrible, and their support wasn't better.

LetsEncrypt though hasn't failed me once since it was setup, and that is over hundreds of domains with thousands of renewals.

load more comments (1 replies)

load more comments (4 replies)

[–] cron@feddit.org 54 points 1 week ago (4 children)

AFAIK, the only reason not to use Letsencrypt are when you are not able to automate the process to change the certificate.

As the paid certificates are valid for 12 month, you have to change them less often than a letsencrypt certificate.

At work, we pay something like 30-50€ for a certificate for a year. As changing certificates costs, it is more economical to buy a certificate.

But generally, it is best to use letsencrypt when you can automate the process (e.g. with nginx).

As for the question of trust: The process of issuing certificates is done in a way that the certificate authority never has access to your private key. You don't trust the CA with anything (except your payment data maybe).

[–] lud@lemm.ee 15 points 6 days ago (3 children)

PSA: All public certificates (private internal certificates won't be affected) will have a lifetime of only 90 days soon. Google is planning to reduce their lifetime in 2024 but considering that they haven't given an update on this since early this year, I doubt it will happen this year.

But it will happen soon.

This will be a pain in the ass for my workplace because we primarily use Digicert and manually renewing certificates every 90 days is just impossible for use. We are currently looking into a way to switch to letsencrypt or similar.

load more comments (3 replies)

[–] WIPocket@lemmy.world 8 points 6 days ago (2 children)

There are more reasons, as LetsEncrypt might be more restrictive on what you can get (for example, you cant get a certificate for an IP address from them). But, as 99.99% of usecases do not require anything like that, go with letsencrypt until you know of a reason not to.

load more comments (2 replies)

[–] 0x0@programming.dev 3 points 6 days ago (5 children)

you can automate the process (e.g. with nginx).

How does nginx automate that?

[–] cron@feddit.org 1 points 6 days ago (1 children)

I meant certbot with nginx plugin and http-01 challenge.

[–] phase_change@sh.itjust.works 3 points 6 days ago

The person isn’t talking about automating being difficult for a hosted website. They’re talking about a third party system that doesn’t give you an easy way to automate, just a web gui for uploading a cert. For example, our WAP interface or our on-premise ERP don’t offer a way to automate. Sure, we could probably create code to automate it and run the risk it breaks after a vendor update. It’s easier to pay for a 12 month cert and do it manually.

load more comments (4 replies)

load more comments (1 replies)

[–] possiblylinux127@lemmy.zip 33 points 6 days ago (6 children)

Why?

Let's encrypt is free and secure. There is no good reason not to use it.

load more comments (6 replies)

[–] Moonrise2473@feddit.it 19 points 6 days ago (1 children)

With paid certificates you can target ancient and unsupported operating systems like windows XP and android 2, letsencrypt is relatively recent and it's not present in the root certificates of those systems

[–] rdri@lemmy.world 3 points 6 days ago (1 children)

It actually seems more like a windows 10 compatibility dilemma for developers. You can support older systems but it would require some effort. The problem is not the absence of some specific certificates, but the absence of newer ciphers altogether.

This does give security but also removes backwards compatibility with some clients that might be important for some websites.

load more comments (1 replies)

[–] Dark_Arc@social.packetloss.gg 7 points 1 week ago

So, the web uses a system called chain of trust. There are public keys stored in your system or browser that are used to validate the public keys given to you by various web sites.

Both letsencrypt and traditional SSL providers work because they have keys on your system in the appropriate place so as to deem them trustworthy.

All that to say, you're always trusting a certificate authority on some level unless you're doing self signed certificates... And then nobody trusts you.

The main advantage to a paid cert authority is a bit more flexibility and a fancier certificate for your website that also perhaps includes the business name.

Realistically... There's not much of a benefit for the average website or even small business.

[–] stupidcasey@lemmy.world 3 points 6 days ago (3 children)

Certain unnamed companies cough~google~ doesn’t like to trust Let Encrypt its definitely not an abuse of an illegal monopoly they have good reasons I promise.

But the whole point behind using a signed certificate is that other people can look at you and immediately know you are who you say you are if a company doesn’t trust you it doesn’t really matter what the motivation is you might as well use a self signed certificate.

Paid certificates have the money to make sure everyone trusts them and has a reputation to maintain so are more likely to defend a legitimate complaint.

99.999% of individuals it simply doesn’t matter(although you might have to look into it if you’re using android apps) but to a company the little bit that certification costs is worth every penny.

[–] dasgewisseextra@sh.itjust.works 10 points 6 days ago

Google is on of the biggest Lets Encrypt sponsors and where is LE not trusted?

[–] possiblylinux127@lemmy.zip 6 points 6 days ago

Most if the internet uses let's encrypt. You are using it right now

load more comments (1 replies)

[–] Decronym@lemmy.decronym.xyz 2 points 1 week ago* (last edited 4 days ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
CA	(SSL) Certificate Authority
CF	CloudFlare
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
HTTPS	HTTP over SSL
IP	Internet Protocol
SSL	Secure Sockets Layer, for transparent encryption
TLS	Transport Layer Security, supersedes SSL
nginx	Popular HTTP server

9 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #969 for this sub, first seen 12th Sep 2024, 15:05] [FAQ] [Full list] [Contact] [Source code]

load more comments