Let's Encrypt are amazing and regular readers will know I'm a huge fan of theirs, having covered them numerous times on my blog. They issue more certificates and cover more domains than any other CA out there, all for free. Whilst all of that is great, it also means a lot of us now depend on a single CA, so having a backup is a smart idea.
I've blogged about Let's Encrypt a lot; I have 16 posts on my blog tagged with Let's Encrypt. They're free, they're open and the automation is so easy I once hacked an Amazon Dash button to issue Let's Encrypt certificates! With their amazing growth, one thing that has crossed my mind is what happens to us if they go 'pop'. Sites may be moving to Let's Encrypt because it's free, which means they couldn't afford to replace those certs if they had to pay for them. Perhaps a site can only manage certificates at scale because of the automation, so if they lost that it wouldn't be attainable. There are lots of reasons that relying on a single CA is a bad idea and it's even a topic I cover in my TLS training course, The Best TLS Training in the World. If something happens to your CA, it could have a big impact on the availability of your site. For that reason, having a backup CA is always a good idea and I want to show you just how easy that is.
The ACME protocol
To obtain certificates from Let's Encrypt you use something called the ACME (Automated Certificate Management Environment) protocol. The ACME protocol allows you to do everything you need when communicating with a CA to obtain a certificate and it's an open protocol. There's nothing specific to Let's Encrypt here and wider support of ACME is something that I've been hoping to see for some time now. We're finally at a point where more CAs are starting to support ACME and that means that any tools/scripts/processes you currently use to get certificates from Let's Encrypt should work perfectly well with any other CA that supports ACME.
Getting certificates from another CA
If another CA supports the ACME protocol then using any ACME based tool to get a certificate should be a simple case of pointing the tool at a different CA. Not all CAs are going to give away certificates for free, and ACME itself has no payment step, but it does let a CA tie an ACME account to an existing customer account (external account binding), so commercial CAs can support it too. I'm going to be using Buypass, a Norwegian CA that supports ACME and offers free certificates.
The Buypass docs guide you through using Certbot to obtain a certificate, so that's where I started out. It's the official client from the EFF to "obtain certs from Let's Encrypt" and "any other CA that uses the ACME protocol".
I've done the registration step in the Buypass docs (each CA needs its own ACME account, so you register once per --server value) and the next command you run is the command to issue a certificate. That's pretty much all there is for me to talk about.
certbot certonly --webroot -w /var/www/html/home/ -d acme-test.scotthelme.co.uk --agree-tos --server 'https://api.buypass.com/acme/directory'
With that, a certificate is issued, just as easy as if you'd used Let's Encrypt!
If you want a prettier view of that you can copy/paste the PEM data into our PEM Decoder over at Report URI.
Another awesome client that I've used a few times is acme.sh and, just like Certbot, it's geared up to get certs from Let's Encrypt but it's easy to switch it over to Buypass. Simply use the acme.sh command with the --server flag and set the Buypass endpoint.
./acme.sh --issue --dns dns_cf -d acme-test.scotthelme.co.uk --server "https://api.buypass.com/acme/directory"
That's it, when you run the command to issue a certificate the tool will point itself at the Buypass API instead of the Let's Encrypt API and, because they're both compliant ACME endpoints, it all just works. Note that the --dns dns_cf hook still needs your Cloudflare API credentials in the environment, exactly as it would for a Let's Encrypt issuance. Once that's run you have your new certificate ready to go!
Again you can copy/paste the PEM data into our PEM Decoder over at Report URI.
I've also covered acme_tiny in a few blog posts up until now but sadly getting acme_tiny working isn't so easy. The Buypass ACME API endpoint isn't actually fully compliant with the spec and while other clients can tolerate that and still function, acme_tiny can't. I've raised this with Buypass and I'm hoping they will update their endpoint to be fully spec compliant to really open up the possibilities of using any client you like.
Looking to the future
Whilst Buypass is a slightly limited backup option, it's still a backup option and it might be the only one right now. If you are using an ACME client to get Let's Encrypt certificates, it's worth checking whether you can get a Buypass certificate so that you know it will work should you ever need it. Do that rehearsal end to end: if you publish CAA records, a record that only lists letsencrypt.org will stop any backup CA from issuing until you add that CA's identifier as well, and a rehearsal is the cheapest way to find that out. Looking forward into 2019 I think we need to see better support for ACME across the ecosystem. Just imagine a world where you could call your certificate renewal command and point it at any one of a dozen different CAs. Sounds great, doesn't it?
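To make that rehearsal a routine check rather than a one-off, here is an added example (my own illustration, not code from the original post, from Certbot, acme.sh or Buypass) of the pre-flight checks I'd want before trusting a backup CA: it validates that an ACME directory carries the resources RFC 8555 requires (the kind of spec compliance the acme_tiny failure above turns on), walks an ordered list of CAs and picks the first usable one, and evaluates a zone's CAA records against a CA's identifier. The hostnames, directory documents and CAA records are constructed for the example and are not real CA endpoints; the real directory URLs come from each CA's docs, and a CA's CAA identifier is published in its directory's meta.caaIdentities.

```python
"""Added example, not code from the original post: pre-flight checks for a
backup ACME CA. Hostnames and the directory documents below are constructed
for illustration; substitute the real directory URLs from the CA's docs."""
import json
import urllib.request

# RFC 8555 section 7.1.1: resources an ACME client needs to drive a CA.
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder")
OPTIONAL_RESOURCES = ("newAuthz", "revokeCert", "keyChange")


def validate_directory(doc):
    """Return a list of problems with an ACME directory; [] means usable."""
    if not isinstance(doc, dict):
        return ["directory is not a JSON object"]
    problems = []
    for name in REQUIRED_RESOURCES:
        if not str(doc.get(name, "")).startswith("https://"):
            problems.append(f"missing or non-https {name!r} resource")
    for name in OPTIONAL_RESOURCES:
        if name in doc and not str(doc[name]).startswith("https://"):
            problems.append(f"{name!r} present but not an https URL")
    meta = doc.get("meta", {})
    if not isinstance(meta, dict):
        problems.append("'meta' is not a JSON object")
    elif "termsOfService" in meta and not str(meta["termsOfService"]).startswith("https://"):
        problems.append("termsOfService is not an https URL")
    return problems


def fetch_directory(url, timeout=10):
    """Live fetch; only used when no fetch function is injected."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def choose_ca(directory_urls, fetch=fetch_directory):
    """Walk candidates in priority order (primary first, backups after) and
    return (url, directory) for the first whose directory validates."""
    failures = {}
    for url in directory_urls:
        try:
            doc = fetch(url)
        except Exception as exc:  # unreachable, bad TLS, non-JSON body, ...
            failures[url] = f"unreachable: {exc}"
            continue
        problems = validate_directory(doc)
        if problems:
            failures[url] = "; ".join(problems)
            continue
        return url, doc
    raise RuntimeError(f"no usable ACME CA: {failures}")


def caa_permits(records, ca_domain, wildcard=False):
    """RFC 8659 check: may the CA identified by ca_domain issue for a name
    whose CAA RRset is `records`, a list of (flags, tag, value) tuples?
    For wildcard names 'issuewild' records take precedence when present."""
    issue = [v for _flags, tag, v in records if tag.lower() == "issue"]
    issuewild = [v for _flags, tag, v in records if tag.lower() == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:  # no applicable property: issuance is not restricted
        return True
    for value in relevant:
        # "ca.example; account=123" -> "ca.example"; a bare ";" forbids all CAs
        if value.split(";", 1)[0].strip().lower() == ca_domain.lower():
            return True
    return False


# ---- constructed sample data (not real CA endpoints) ----
GOOD_DIRECTORY = {
    "newNonce": "https://backup-ca.example/acme/new-nonce",
    "newAccount": "https://backup-ca.example/acme/new-acct",
    "newOrder": "https://backup-ca.example/acme/new-order",
    "revokeCert": "https://backup-ca.example/acme/revoke-cert",
    "keyChange": "https://backup-ca.example/acme/key-change",
    "meta": {
        "termsOfService": "https://backup-ca.example/terms",
        "caaIdentities": ["backup-ca.example"],
    },
}
# A directory that drops a required resource, as a non-compliant endpoint might.
BROKEN_DIRECTORY = {k: v for k, v in GOOD_DIRECTORY.items() if k != "newOrder"}
FAKE_DIRECTORIES = {
    "https://primary-ca.example/directory": BROKEN_DIRECTORY,
    "https://backup-ca.example/directory": GOOD_DIRECTORY,
}


def fake_fetch(url):
    """Stand-in for fetch_directory so the logic runs offline."""
    if url not in FAKE_DIRECTORIES:
        raise ConnectionError("simulated outage")
    return FAKE_DIRECTORIES[url]


if __name__ == "__main__":
    url, doc = choose_ca(["https://down-ca.example/directory",
                          "https://primary-ca.example/directory",
                          "https://backup-ca.example/directory"], fetch=fake_fetch)
    print("would issue via", url, "CAA identifiers", doc["meta"]["caaIdentities"])
    zone = [(0, "issue", "letsencrypt.org"), (0, "iodef", "mailto:security@example.net")]
    print("CAA permits backup CA:", caa_permits(zone, "backup-ca.example"))
```

Run it as-is and it exercises the fallback and CAA logic against the constructed data; for a live check, call choose_ca with your real directory URLs and no fetch argument, then feed the CAA identifiers it returns, together with your zone's CAA records, into caa_permits before you rely on that CA in an outage.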
Update: The CAA value for this CA is