Hi,

Given the recent discussions on how to avoid delayed revocations, I wanted to know how feasible it is for certificate subscribers to have automation in place that can handle rapid certificate replacement. While cloud providers and big tech companies can build their own custom certificate automation, what options do the rest of the subscribers have using standard off-the-shelf tools? Can the tools handle mass revocations, or does it have to be done manually, which is likely to be impossible within 24 hours or 5 days for a subscriber with several thousand certificates?
I could not find any statistics on the popularity of certificate automation tools, so I picked some of the tools listed on acmeclients.com plus a few others. Sorry if I didn't include your favorite tool; you are welcome to add to the list. I did not try to install or run the tools. I just looked at their publicly available documentation.

I tried to answer these questions:

- ARI support: Does the tool use ARI, OCSP or another technology to check if its certificates need early replacement?
- Fallback CA support: Can the tool automatically try with another CA after it has failed to renew a certificate from the primary configured CA?
- Multi CA support: Can the tool get a backup certificate from another CA automatically before it fails to renew a certificate from the primary configured CA, so the backup is ready in advance in case it is needed?
- For each question above: If the tool has a default configuration, is it part of that configuration? If the tool does not have a default configuration, is it part of the most prominent getting-started guide in the documentation?

My conclusion is that the ecosystem isn't where it needs to be to support trouble-free revocation within the TBR timelines. What can we do about that?

Here is a list of my findings:

Caddy
  ARI support: no
  ARI default: no
  Fallback CA support: yes https://caddyserver.com/docs/automatic-https#issuer-fallback
  Fallback CA default: yes, 2 CAs. https://caddyserver.com/docs/automatic-https#issuer-fallback
  Multi CA support: no
  Multi CA default: no

Traefik
  ARI support: no https://doc.traefik.io/traefik/https/acme/#automatic-renewals
  ARI default: no
  Fallback CA support: no https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
  Fallback CA default: no
  Multi CA support: no https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
  Multi CA default: no

acme.sh
  ARI support: no https://github.com/acmesh-official/acme.sh/issues/4944
  ARI default: no
  Fallback CA support: no https://github.com/acmesh-official/acme.sh/wiki/Server
  Fallback CA default: no
  Multi CA support: no
  Multi CA default: no

Certbot
  ARI support: no
  ARI default: no
  Fallback CA support: no https://eff-certbot.readthedocs.io/en/latest/using.html#changing-the-acme-server
  Fallback CA default: no
  Multi CA support: no
  Multi CA default: no

cert-manager
  ARI support: no https://cert-manager.io/docs/usage/certificate/#issuance-triggers
  ARI default: no
  Fallback CA support: no https://cert-manager.io/docs/usage/ingress/#inner-workings-diagram-for-developers
  Fallback CA default: no
  Multi CA support: no
  Multi CA default: no

Lego
  ARI support: yes https://go-acme.github.io/lego/
  ARI default: no https://go-acme.github.io/lego/usage/cli/options/
  Fallback CA support: no https://go-acme.github.io/lego/usage/cli/options/
  Fallback CA default: no
  Multi CA support: no
  Multi CA default: no

Certify The Web
  ARI support: no https://docs.certifytheweb.com/docs/renewals
  ARI default: no
  Fallback CA support: yes https://docs.certifytheweb.com/docs/guides/certificate-authorities
  Fallback CA default: yes, 3 CAs without EAB requirements configured by default
  Multi CA support: no
  Multi CA default: no

cPanel
  ARI support: no
  ARI default: no
  Fallback CA support: no https://docs.cpanel.net/whm/ssl-tls/manage-autossl/#providers
  Fallback CA default: no
  Multi CA support: no https://docs.cpanel.net/whm/ssl-tls/manage-autossl/#providers
  Multi CA default: no

Plesk
  ARI support: no https://docs.plesk.com/en-US/obsidian/administrator-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/securing-connections-with-the-ssl-it!-extension.80001/#renewing-installed-ssl-tls-certificates
  ARI default: no
  Fallback CA support: partially, 2 CAs supported, one with automatic renewal, fallback to that one
  Fallback CA default: no
  Multi CA support: no
  Multi CA default: no

NGINX njs-acme
  ARI support: no
  ARI default: no
  Fallback CA support: no https://github.com/nginx/njs-acme?tab=readme-ov-file#staging-by-default
  Fallback CA default: no
  Multi CA support: no
  Multi CA default: no

Apache mod_md
  ARI support: no https://httpd.apache.org/docs/current/mod/mod_md.html#mdrenewwindow
  ARI default: no
  Fallback CA support: yes, but only CAs without EAB https://httpd.apache.org/docs/current/mod/mod_md.html#mdcertificateauthority
  Fallback CA default: no, 1 CA configured by default https://httpd.apache.org/docs/current/mod/mod_md.html#mdcertificateauthority
  Multi CA support: no
  Multi CA default: no

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CACAF_WjcAfX496_gSyFB3oQn%2B5NnEOCz_%2B0d8J_wqzbLfc8Qzw%40mail.gmail.com.
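As an added example that is not part of the post above or of any of the tools it surveys: the ARI check the survey asks each client about, written out in Python against RFC 9773 (ACME Renewal Information). It builds the certID from a certificate's Authority Key Identifier and serial number, forms the unauthenticated GET URL, and applies the client rule for the suggestedWindow (pick a uniform random time in the window; renew immediately if that time is already past, which is what a mass revocation looks like: the CA moves the whole window into the past). The AKI and serial values are the specification's own illustration; the renewal-info URL and the two JSON responses are constructed for this example, and the `draw` parameter is an injection point so the random choice can be pinned in tests.

```python
"""ARI (RFC 9773) certID construction and renewal-window decision.

Added example, not code from the post or from any surveyed ACME client.
Assumes the protocol as specified: GET <renewalInfo URL>/<certID>, answered
with {"suggestedWindow": {"start": ..., "end": ...}, ...}.
"""
import base64
import json
import random
from datetime import datetime, timezone


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_serial(serial: int) -> bytes:
    """Content octets of the DER INTEGER for a positive serial number:
    big-endian, minimal length, with a leading 0x00 when the top bit is set
    (otherwise DER would read it as negative)."""
    if serial < 0:
        raise ValueError("certificate serial numbers are positive")
    return serial.to_bytes((serial.bit_length() + 8) // 8, "big")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """RFC 9773 certID: base64url(AKI keyIdentifier) '.' base64url(serial)."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_serial(serial))}"


def ari_url(renewal_info_base: str, cert_id: str) -> str:
    """The renewalInfo resource is an unauthenticated GET, no POST-as-GET."""
    return renewal_info_base.rstrip("/") + "/" + cert_id


def parse_rfc3339(ts: str) -> datetime:
    # fromisoformat accepts "Z" only from 3.11 on; normalise for older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def pick_renewal_time(window: dict, draw: float) -> datetime:
    """Uniform instant in [start, end]. `draw` is a number in [0, 1); pass
    random.random() in production, a fixed value in tests."""
    start = parse_rfc3339(window["start"])
    end = parse_rfc3339(window["end"])
    if end < start:
        raise ValueError("malformed suggestedWindow: end precedes start")
    return start + (end - start) * draw


def should_renew_now(renewal_info: dict, now: datetime, draw: float) -> bool:
    """Client rule from RFC 9773: if the chosen time is in the past, renew
    immediately. A window entirely in the past (revocation pending) therefore
    always yields True, whatever `draw` is."""
    return pick_renewal_time(renewal_info["suggestedWindow"], draw) <= now


# Constructed responses for the example (not captured from a real CA).
ROUTINE_RESPONSE = json.loads(
    '{"suggestedWindow": {"start": "2026-03-01T00:00:00Z",'
    ' "end": "2026-03-03T00:00:00Z"}}'
)
URGENT_RESPONSE = json.loads(  # CA wants replacement now: window already over
    '{"suggestedWindow": {"start": "2026-01-10T00:00:00Z",'
    ' "end": "2026-01-11T00:00:00Z"},'
    ' "explanationURL": "https://ca.example/incident"}'
)

if __name__ == "__main__":
    # AKI keyIdentifier and serial from the specification's worked example.
    aki = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
    cert_id = ari_cert_id(aki, 0x87654321)
    print(ari_url("https://ca.example/acme/renewal-info", cert_id))  # constructed base URL
    now = datetime(2026, 2, 1, tzinfo=timezone.utc)
    for label, resp in (("routine", ROUTINE_RESPONSE), ("urgent", URGENT_RESPONSE)):
        print(label, "renew now:", should_renew_now(resp, now, random.random()))
```

Two practical points the survey's questions hinge on: a client has to poll this URL on the Retry-After cadence the CA returns, not just once at the scheduled renewal, or it never learns about a revocation window; and when it does renew early it should set the `replaces` field in its newOrder to the same certID so the CA can tie the two together.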
