• 0 Posts
  • 6 Comments
Joined 1 year ago
cake
Cake day: June 16th, 2023

help-circle
  • The main benefits to paying for certs are

    • as many said, getting more than 90 days validity for certs that are harder to rotate, or the automation hasn’t been done.
    • higher rate limits for issuing and renewing certs, you can ask letsencrypt to up limits, but you can still hit them.
    • you can get certs for things other than web sites, ie code signing.

    The only thing that matters to most people is that they don’t get cert errors going to/using a web site, or installing software. Any CA that is in the browsers, OS and various language trust stores is the same to that effect.

    The rules for inclusion in the browsers trust stores are strict (many of the Linux distros and language trust stores just use the Mozilla cert set), which is where the trust comes from.

    Which CA provider you choose doesn’t change your potential attack surface. The question on attack surface seems like it might come from lacking understanding of how certs and signing work.

    A cert has 2 parts public cert and private key, CAs sign your sites public cert with their private key, they never have or need your private key. Public certs can be used to verify something was signed by the private key. Public certs can be used to encrypt data such that only the private key can decrypt it.






  • I assume you have purchased as public domain (the example.com bit) and have it setup to be publicly resolvable, even if the records are hosted on cloudflare or something.

    You don’t need any A records for the dns01 challenge from lets encrypt. You need a text record for _acme-challenge.local.example.com that you can update with what ever challenge string let’s encrypt replies with when you request the *.local.example.com certificate.

    Guessing the error is from caddy and it is saying it can’t find the public provider of that zone to update the txt record for the challenge. Even if you have the correct provider configured, does local.example.com exist in the public DNS server config?

    As a side note, after the cert is issued the _acme-challenge txt record can be deleted, just be aware all issued public certs are easily searchable by domain name.