Let's Encrypt Acme API Outage

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  1. mod_md

    Let's Encrypt (ACME) in Apache httpd

    Apache mod_md has fallback too (https://github.com/icing/mod_md#acme-failover). I'm just a user, not the author, and I didn't try the fallback. I'm more worried about stuff breaking if I switch issuers than certs expiring without me noticing. I've got some embedded junk that hits my website and has weak cert validation, so better to stick with something that works.

  3. certificate-transparency

    Auditing for TLS certificates (discontinued).

    You are correct: https://github.com/google/certificate-transparency/blob/mast...

    You can embed CT attestations (SCTs) in the certificate itself, so yes, provided the CA is in cooperation with CT log operators, and deliberately does the pre-certificate -> SCTs -> real certificate dance, it is possible for a browser to validate embedded SCTs without an online check.

    However, that assumes that the CA actively does that, they don't have to. Neither does the server. What's compelling them to is _policy_, set by Google and Apple, that their respective browsers won't accept certificates _without_ CT attestations. Google's policy specifically requires that one of the SCTs on a certificate must be a CT log run by Google. Google also controls the list of CT logs that Chrome will consider as valid CT logs, as part of deciding if an SCT is valid. Antitrust, anyone?

    I was trying to make a similar point about Firefox - policy vs code. And rather than saying that it's specifically the CA/Browser Forum setting policy (which it does, but only baseline policy, which does not include CT), each org in the CA/Browser Forum has their own root cert inclusion program with their own policies, that all draw from baseline policy then add to it. You are right, _baseline_ policy does not require CT....

    ... and neither does _Mozilla's_ policy, now I've scanned through it. It actively acknowledges that CT exists (in that it mandates that if you issue a precertificate for CT, you _must_ issue the completed certificate), but it does _not_ require CAs to use CT. In stark contrast to Google and Apple.

    Perhaps this is why they also don't implement CT checking in Firefox?

  4. Caddy

    Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

    Does mholt consider it a mistake? I'm aware that it was reverted (https://github.com/caddyserver/caddy/pull/1866) and that mholt found the whole thing difficult (which is my attempt to neutrally summarize https://caddy.community/t/the-realities-of-being-a-foss-main... accurately), but that is a somewhat different statement. If so, then yes, it's unkind and unhelpful to keep bringing it up, but if no then it's useful to keep previous behavior in mind when evaluating the product.

  5. zlint

    X.509 Certificate Linter focused on Web PKI standards and requirements.

    Yup, the two most popular are:

    https://github.com/zmap/zlint

    https://github.com/certlint/certlint

    They each have their strengths and weaknesses, so CAs are advised to use both.

  6. certlint

    X.509 certificate linter

