Comment by greyface-
1 day ago
Good time to note that Buypass offers free certificates over ACME. I have a few of my domains configured to use them instead of Let's Encrypt, just for redundancy and to ensure I have a working non-LE cert source in case LE suffers problems like this over a longer time period.
Example OpenBSD /etc/acme-client.conf:
    authority buypass {
        api url "https://api.buypass.com/acme/directory"
        account key "/etc/acme/buypass-privkey.pem"
        contact "mailto:youremail@example.com"
    }
    domain example.com {
        domain key "/etc/ssl/private/example.com.key"
        domain full chain certificate "/etc/ssl/example.com.pem"
        sign with buypass
    }
This is neat. Does cert-manager have facilities to automatically use a fallback ACME provider, so I could automate using this? I'd also accept a pool of ACME providers, but a priority ordering seems ideal. I don't see the functionality listed anywhere; maybe there's some security argument that this is a bad idea?
Caddy will auto-issue/renew LE or ZeroSSL depending on availability.
Cheers! They look like decent chaps and also outside the US for some additional certificate diversity. Are there other trustworthy ACME issuers out there?
A pity that acme-client(1) does not allow for fallbacks, but I will add a mental note about it being an easy enough patch to contribute if I ever find the time.
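Added example (not part of the thread and not code from acme-client): a wrapper that gets priority-ordered fallback without patching acme-client(1), by running it once per config file via its `-f` flag and acting on its documented exit status. It assumes one complete config file per authority, each defining the same domain handle with a different `sign with`; the function name and the file paths in the comment are hypothetical.

```shell
#!/bin/sh
# Try ACME authorities in priority order with acme-client(1).
# ACME_CLIENT may be overridden (for testing); defaults to the real binary.
ACME_CLIENT="${ACME_CLIENT:-acme-client}"

# issue_with_fallback HANDLE CONF...
# Each CONF is a full acme-client.conf that defines domain HANDLE but signs
# with a different authority (assumed layout, not an acme-client feature).
# Returns 0 if a certificate was issued or renewed, 2 if the certificate on
# disk is still current, 1 if every authority failed.
# The config file that settled the outcome is left in USED_CONF.
issue_with_fallback() {
    handle=$1; shift
    USED_CONF=
    for conf in "$@"; do
        if [ ! -r "$conf" ]; then
            echo "skip $conf: not readable" >&2
            continue
        fi
        rc=0
        "$ACME_CLIENT" -f "$conf" "$handle" || rc=$?
        case $rc in
            0|2)    # acme-client: 0 = certificate changed, 2 = up to date
                USED_CONF=$conf
                return "$rc" ;;
            *)      # 1 (or anything else) = failure: move to next authority
                echo "$conf failed for $handle (exit $rc), trying next" >&2 ;;
        esac
    done
    return 1
}

# Typical cron use (hypothetical paths), reloading only when the cert changed:
#   issue_with_fallback example.com /etc/acme/primary.conf \
#       /etc/acme/buypass.conf && rcctl reload httpd
```

If the domain publishes CAA records, they have to authorise every authority in the list, otherwise the fallback attempt is refused by the CA.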
ZeroSSL works very well for me. I found it because it is now the default for the acme.sh client.