I struggled for years with SSL certificates. They were often expensive, limited, and most of the CAs I had to deal with seemed kind of… sleazy. I remember it taking weeks and way too much money to get my first certificate for the now-defunct ssl.guerillaphysician.com domain. I’ve always felt, though, that SSL/TLS should have been the default web protocol from the beginning.
The situation improved markedly when Let’s Encrypt debuted: a public service that provides free TLS/SSL certificates so even your home server could use HTTPS encryption. Cool, but they didn’t provide wildcard certificates. I had to have a separate certificate for each of the dozens of subdomains I administer (I’ve lost count of exactly how many, and I never seem to be able to make a complete inventory of assets).
Yes, they were free, but they have to be renewed every three months. That meant logging on to dozens of hosts to run the renewal process. Automation was tricky because the renewal process could potentially disrupt users. It got to the point where I was having to manually renew at least one certificate almost every day.
Last month, Let’s Encrypt started offering wildcard certificates. That means instead of having separate certs for “oasis.sacdoc.org” and “sara.sacdoc.org” and the like, I could have a single certificate that covered “*.sacdoc.org”—all the subdomains at once. I immediately got wildcard certs for my domains, and wrote algorithms to distribute the certs across my far-flung network. Now, I can do all my renewals in one swell foop, once every 90 days.
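One thing worth knowing before swapping a fleet over to a single wildcard certificate is exactly which names “*.sacdoc.org” covers: under the RFC 6125 rules that browsers and TLS libraries apply, the wildcard stands in for exactly one DNS label, so it matches “oasis.sacdoc.org” but neither the apex “sacdoc.org” nor a deeper name like “x.oasis.sacdoc.org” (those need their own entries in the certificate’s Subject Alternative Names). The following is an added example, not code from the post or from Let’s Encrypt; the sacdoc.org hostnames are used only as constructed sample input, and the refusal of patterns with fewer than two fixed labels (such as “*.org”) is a conservative assumption of this checker rather than anything the post states.

```python
"""Check which hostnames a certificate's DNS names (including wildcards) cover.

Matching rules (the common RFC 6125 interpretation used by TLS clients):
  * a wildcard must be the entire leftmost label, e.g. "*.example.org";
  * it matches exactly one label, so "a.b.example.org" is NOT covered;
  * it never matches the apex name "example.org" itself;
  * comparison is case-insensitive and ignores a trailing dot.
"""


def _normalize(name: str) -> str:
    """Lower-case the name and drop surrounding whitespace and a trailing dot."""
    return name.strip().lower().rstrip(".")


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single certificate DNS name `pattern` covers `hostname`."""
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False

    # Plain (non-wildcard) names must match exactly.
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Only a wildcard that is the whole leftmost label is accepted;
    # partial wildcards ("oa*.example.org") and wildcards elsewhere are rejected.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False

    # Assumption of this checker: refuse overly broad patterns such as "*"
    # or "*.org" that have fewer than two fixed labels after the wildcard.
    if len(p_labels) < 3:
        return False

    # The wildcard consumes exactly one label, so label counts must be equal.
    # This is what rules out both the apex name and deeper subdomains.
    if len(h_labels) != len(p_labels):
        return False

    # An empty leftmost label (".example.org") is not a valid hostname.
    if not h_labels[0]:
        return False

    # Every remaining label must match the fixed part of the pattern.
    return h_labels[1:] == p_labels[1:]


def covered_hosts(cert_names, hostnames):
    """Map each hostname to whether any of the certificate's DNS names covers it."""
    return {
        host: any(dnsname_matches(name, host) for name in cert_names)
        for host in hostnames
    }


if __name__ == "__main__":
    # Constructed sample: a wildcard plus the apex name, as a typical SAN list looks.
    san_names = ["*.sacdoc.org", "sacdoc.org"]
    # Constructed inventory of services that will present this certificate.
    services = ["sacdoc.org", "oasis.sacdoc.org", "SARA.sacdoc.org.", "x.oasis.sacdoc.org"]
    for host, ok in covered_hosts(san_names, services).items():
        print(f"{host:25s} {'covered' if ok else 'NOT covered'}")
```

Running the script against a real deployment list before reconfiguring services flags the names that still need their own certificate (or an extra SAN) instead of letting them fail only when a client first connects.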
Getting the certs was the easy part. (Let’s Encrypt isn’t flawless, but it’s amazing nonetheless.) This weekend my chore is to remember where every TLS-using service in my network is and reconfigure them to use the new wildcard certs. (It’s not just web servers; I use Let’s Encrypt certs on my mail servers and many application APIs.) Once that’s done, a goal I’ve had for two decades will be realized.
Let’s Encrypt is making the web a better place. I’ve donated—if you host any SSL/TLS protected services, you should, too.