Hi,
Given the recent discussions on how to avoid delayed revocations, I wanted to know how feasible it is for certificate subscribers to have automation in place that can handle rapid certificate replacement. While cloud providers and big tech companies can build their own custom certificate automation, what options do the rest of the subscribers have using standard off-the-shelf tools? Can the tools handle mass revocations, or does it have to be done manually, which is likely to be impossible within 24 hours or 5 days for a subscriber with several thousand certificates?
I could not find any statistics on the popularity of certificate automation tools, so I picked some of the tools listed on acmeclients.com plus a few others. Sorry if I didn't include your favorite tool; you are welcome to add to the list. I did not try to install or run the tools, I just looked at their publicly available documentation. I tried to answer these questions:
- ARI support: Does the tool use ARI, OCSP or another technology to check if its certificates need early replacement?
- Fallback CA support: Can the tool automatically try with another CA after it has failed to renew a certificate from the primary configured CA?
- Multi CA support: Can the tool get a backup certificate from another CA automatically before it fails to renew a certificate from the primary configured CA, so the backup is ready in advance in case it is needed?
- For each question above: If the tool has a default configuration, is it part of that configuration? If the tool does not have a default configuration, is it part of the most prominent getting started guide in the documentation?
My conclusion is that the ecosystem isn't where it needs to be to support trouble-free revocation within the TBR timelines. What can we do about that?
Here is a list of my findings:
Caddy
- ARI support: no
- ARI default: no
- Fallback CA support: yes (https://caddyserver.com/docs/automatic-https#issuer-fallback)
- Fallback CA default: yes, 2 CAs (https://caddyserver.com/docs/automatic-https#issuer-fallback)
- Multi CA support: no
- Multi CA default: no

Traefik
- ARI support: no (https://doc.traefik.io/traefik/https/acme/#automatic-renewals)
- ARI default: no
- Fallback CA support: no (https://doc.traefik.io/traefik/https/acme/#certificate-resolvers)
- Fallback CA default: no
- Multi CA support: no (https://doc.traefik.io/traefik/https/acme/#certificate-resolvers)
- Multi CA default: no

acme.sh
- ARI support: no (https://github.com/acmesh-official/acme.sh/issues/4944)
- ARI default: no
- Fallback CA support: no (https://github.com/acmesh-official/acme.sh/wiki/Server)
- Fallback CA default: no
- Multi CA support: no
- Multi CA default: no

Certbot
- ARI support: no
- ARI default: no
- Fallback CA support: no (https://eff-certbot.readthedocs.io/en/latest/using.html#changing-the-acme-server)
- Fallback CA default: no
- Multi CA support: no
- Multi CA default: no

cert-manager
- ARI support: no (https://cert-manager.io/docs/usage/certificate/#issuance-triggers)
- ARI default: no
- Fallback CA support: no (https://cert-manager.io/docs/usage/ingress/#inner-workings-diagram-for-developers)
- Fallback CA default: no
- Multi CA support: no
- Multi CA default: no

Lego
- ARI support: yes (https://go-acme.github.io/lego/)
- ARI default: no (https://go-acme.github.io/lego/usage/cli/options/)
- Fallback CA support: no (https://go-acme.github.io/lego/usage/cli/options/)
- Fallback CA default: no
- Multi CA support: no
- Multi CA default: no

Certify The Web
- ARI support: no (https://docs.certifytheweb.com/docs/renewals)
- ARI default: no
- Fallback CA support: yes (https://docs.certifytheweb.com/docs/guides/certificate-authorities)
- Fallback CA default: yes, 3 CAs without EAB requirements configured by default
- Multi CA support: no
- Multi CA default: no

cPanel
- ARI support: no
- ARI default: no
- Fallback CA support: no (https://docs.cpanel.net/whm/ssl-tls/manage-autossl/#providers)
- Fallback CA default: no
- Multi CA support: no (https://docs.cpanel.net/whm/ssl-tls/manage-autossl/#providers)
- Multi CA default: no

Plesk
- ARI support: no (https://docs.plesk.com/en-US/obsidian/administrator-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/securing-connections-with-the-ssl-it!-extension.80001/#renewing-installed-ssl-tls-certificates)
- ARI default: no
- Fallback CA support: partially, 2 CAs supported, one with automatic renewal, fallback to that one
- Fallback CA default: no
- Multi CA support: no
- Multi CA default: no

NGINX njs-acme
- ARI support: no
- ARI default: no
- Fallback CA support: no (https://github.com/nginx/njs-acme?tab=readme-ov-file#staging-by-default)
- Fallback CA default: no
- Multi CA support: no
- Multi CA default: no

Apache mod_md
- ARI support: no (https://httpd.apache.org/docs/current/mod/mod_md.html#mdrenewwindow)
- ARI default: no
- Fallback CA support: yes, but only CAs without EAB (https://httpd.apache.org/docs/current/mod/mod_md.html#mdcertificateauthority)
- Fallback CA default: no, 1 CA configured by default (https://httpd.apache.org/docs/current/mod/mod_md.html#mdcertificateauthority)
- Multi CA support: no
- Multi CA default: no
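Since the first criterion in the survey above is ARI support, here is what the client side of an ARI check actually involves, as an added example that is not part of the original post and not code from any of the surveyed tools. The renewalInfo responses, the fixed "now" and the CA URL are constructed for the demo; only the CertID input values come from the worked example in RFC 9773.

```python
# Added example (not from the original post or any surveyed tool): the ARI
# (RFC 9773) client logic a renewal tool needs to notice that its CA wants a
# certificate replaced early, e.g. ahead of a mass revocation.
import base64
import json
import random
from datetime import datetime, timedelta, timezone

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ARI requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def der_integer_bytes(serial: int) -> bytes:
    """DER INTEGER content octets: keeps the leading 0x00 when the top bit is set."""
    return serial.to_bytes((serial.bit_length() + 8) // 8, "big")

def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """CertID appended to the directory's renewalInfo URL:
    base64url(AKI keyIdentifier) '.' base64url(serial DER content)."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer_bytes(serial))}"

def renewal_decision(response_json: str, now: datetime, rng=None):
    """RFC 9773 client rule: choose a uniformly random instant inside
    suggestedWindow; if it is already in the past, renew immediately.
    Returns (renew_now, chosen_instant, explanationURL or None)."""
    info = json.loads(response_json)
    window = info["suggestedWindow"]
    start = datetime.fromisoformat(window["start"].replace("Z", "+00:00"))
    end = datetime.fromisoformat(window["end"].replace("Z", "+00:00"))
    rng = rng or random.Random()
    chosen = start + timedelta(seconds=rng.uniform(0, (end - start).total_seconds()))
    return chosen <= now, chosen, info.get("explanationURL")

# CertID example values from RFC 9773 (AKI keyIdentifier octets, serial 0x87654321).
RFC_EXAMPLE_AKI = bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4")
RFC_EXAMPLE_SERIAL = 0x87654321
# Constructed responses with a fixed "now": a CA pulling the window into the
# past (replacement needed immediately) versus a routine window a month out.
NOW = datetime(2025, 1, 2, 12, 0, tzinfo=timezone.utc)
URGENT = json.dumps({"suggestedWindow": {"start": "2025-01-01T00:00:00Z",
                                         "end": "2025-01-01T01:00:00Z"},
                     "explanationURL": "https://ca.example.invalid/incident"})
ROUTINE = json.dumps({"suggestedWindow": {"start": "2025-03-01T00:00:00Z",
                                          "end": "2025-03-02T00:00:00Z"}})

if __name__ == "__main__":
    print("GET <renewalInfo>/" + ari_cert_id(RFC_EXAMPLE_AKI, RFC_EXAMPLE_SERIAL))
    for label, body in (("urgent", URGENT), ("routine", ROUTINE)):
        renew_now, at, why = renewal_decision(body, NOW)
        print(f"{label}: renew now={renew_now} chosen={at.isoformat()} why={why}")
```

A tool that polls this endpoint on every run and acts on `renew_now` replaces a revoked-to-be certificate within the CA's window without anyone reading an incident mail; a tool without ARI has nothing to poll.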