Anyone interested, first read the MUUG newsletter article on certs last month: https://muug.ca/pub/muuglines/pdf/muug2604.pdf page 2

As a followup, it gets worse! I just discovered that if you want to implement ACME to automate cert renewals with a for-pay cert company like Digicert (who after buying tons of people up is a massive share of the market) you have to register with their "enterprise" system. If you do that and migrate your certs then you are converting to a direct sales model and can no longer buy from a reseller. This is important for me as I'm the reseller! So a by-product of this move is they just killed the reseller market, and undoubtedly not by accident.

Ya, I get it, but this doesn't just hurt the reseller, it hurts the customer: because in many cases I was able to discount the cert vs retail price. Now you'll pay whatever retail price Digicert says.

It looks like *my* upstream reseller (OpenSRS) could possibly implement ACME, but they haven't yet, and claim to be blindsided by these expiry changes, so I doubt they can implement it anytime soon. Apparently they can, since select (few) other resellers are implementing ACME... but who knows how all this would work.

In any event, all the decisions are being made *now* because as of a month ago certs with the short expiries are needing to be renewed, and needing automation because I'm not updating everyone's cert many times a year (even 2). Unless someone says "ACME is coming soon!" I'll have to tell everyone to use Let's Encrypt and sell nothing but my time from now on. Which is fine, but a vast departure from how I've sold/handled certs for 25 years, and impacts the relationship I have with my customers.

In this space, absolutely no one likes change or having to think about "new things". It needs to Just Work(tm). Literally no one cares about it unless it breaks, and the costs were so minuscule to companies that even having to explain the new options is a waste of everyone's time.
All for, what, exactly? CRL and quantum... ya, right.
I'm shocked that OpenSRS has the gall to claim they were blindsided by the CAB-mandated expiry changes; hell, there was a post in this mailing list well over a year ago about it! I don't know why anyone would keep paying for certs at this point, unless you desperately need some feature that LE can't provide (e.g. some of the more esoteric ACME validation options, maybe). A lot of people will be changing DNS providers soon, so they can use DNS-01 challenge types, I expect. But, yeah, it's here, it's real, and it's a massive shake-up in what was already a desperately perverse marketplace (not Trevor, I mean the CAs).

-Adam

From: Trevor Cordes <trevor@tecnopolis.ca>
Sent: Sunday, April 12, 2026 2:34:05 AM
To: MUUG RndTbl <roundtable@muug.ca>
Subject: [RndTbl] shortened cert expiries
On 2026-04-12 Adam Thompson wrote:
But, yeah, it's here, it's real, and it's a massive shake-up in what was already a desperately perverse marketplace (not Trevor, I mean the CAs).
A scary rabbit hole to descend down is the thought that Let's Encrypt (LE) is 60%+ of the cert market already. This change will probably make them 99% of the market. That will give them more market share, and leverage, more than even gmail has over mail. This was once a space that had, what, 6-8 decent-sized competitors duking it out for business?

Talk about single point of failure, single disgruntled-employee target, single hack target, single gov manipulation target, etc. And for those who aren't USA-happy, they appear to be 100% under the jurisdiction of USA laws. If I'm other country govs, I'm a bit worried right about now. Oh, we don't like your site? No cert for you!

It would appear the real reason behind all of this is to push everyone into a validate-every-10-days subscription scheme from big players (or LE) as well as consolidate the market and force more little setups into big tech hosting. Kind of like email hosting: just make it so darn hard & annoying that no one (except me!) will do it. The "muh quantum" and "muh CRLs" would appear to just be scare tactics and obfuscation.

I checked into converting my Digicert certs into their ACME-compatible offering and you basically are then in "enterprise" pricing. Meaning no one under 500 employees need apply. Meaning, it's not even an option even if I want to go direct! There are a couple of other smaller resellers with ACME, but they would appear to require writing entire oauth/REST API code to make it work, not to mention the normal overhead of setting up a new business relationship, with the concomitant risk of jumping through all of the hoops to find a dead end.

I'm most of the way through setting up uacme with LE using my custom scripts/templates and it's going pretty well. If anyone needs to accomplish similar with salt or ansible or whatever, I can recommend this highly-scriptable solution, though the docs are a bit sparse on the paradigms.
The fundamental error at the very beginning was, two very separate topics got merged into one, all because of the American system's philosophy that everything should be monetized. Of the two topics, (1) https/encryption and (2) vetting of vendors, the https/encryption should have been purely a technical standard, freely available to anyone to implement.

The height of the resultant perversion was reached when we got the "green bar" era. What was supposed to be an indicator of the degree of scrutiny/vetting that the vendor passed, became perverted into "the more they pay, the greener the bar they get".

If the certs industry wants to survive at all, let them finally work for their money by spending time and research on actually vetting vendors, and let the browsers never participate again in such a perversion. Long live Let's Encrypt, who rescued us from this.

Hartmut

On Sun 12 Apr 2026 at 07:24:46 -05:00, Trevor Cordes <trevor@tecnopolis.ca> wrote:
On 2026-04-12 Hartmut W Sager wrote:
Long live Let's Encrypt, who rescued us from this.
I'm not jumping on the LE bandwagon quite so quickly. It's only because of LE and their "must automate" paradigm that Apple/Google were able to push these "must automate" expiry shortenings into place. If one were cynical (nah, not me!) you'd think it was planned all along... someone knew 15 years ago they wanted to push to short certs and mostly centralized control with 1 or 2 major players.

Without LE setting the must-automate trend and taking the majority market share, there would have been vast rebellion today by the customer base, resellers and cert vendors had the big players tried to force 47 days (and automation) on us. But everyone now happily accepts it because "yay free certs", "I'm already using LE". Now, all your base belong to them. And ignore the order they list their funders in Wiki... Instead look who's in there (Google, FB, AWS, Gates), and never mind the fact EFF/Mozilla have no money anyway that isn't donated probably from the same places...

I agree the original market paradigm was a bit wonky, but that half-fixed itself when $10 certs (vs $75+ ones) became available. I also agree there always should have been a free option: but maybe a marketplace of free options, not just One Ring To Encrypt Them All. The concentration of power is and will be much worse now, and their ability to shut off dissenters will be more powerful than before.

(Gets me thinking about the whole "every site must be SSL" push too... none of this is occurring in isolation or for the reasons stated. We pray it's for altruistic reasons, but history shows that's likely impossible.)
Yes, that "every site must be SSL" is another matter, and is totally silly. If I look at the weather and weather forecast on Environment Canada, I don't think I need "privacy" of the kind that SSL gives me. But I'll bet that today's duped consumer would be afraid to view the weather station without fear.

Hartmut

On Sun 12 Apr 2026 at 20:36:12 -05:00, Trevor Cordes <trevor@tecnopolis.ca> wrote: