Cloudflare: "Oh no, we can't have that much centralization, that's horrible, just think of the impact outages have!"
Let's Encrypt: crickets
Obviously I use LE myself and like what they do, and even in the example above some downtime would have less of an impact than Cloudflare would (due to renewals being less time-sensitive). I'm just surprised that there aren't like 5 other orgs that do the same at scale, like an EU-based one for example. If there are a lot of domain registrars, why doesn't every single one of them have ACME-compatible services?
I think there was ZeroSSL but I vaguely remember something scummy about upsells there a few years back.
If LE goes down for a week you can't deploy new certs, but your existing ones will work, as you renew them a few weeks before expiry anyway
That also gives you enough time to switch to getting your certs from elsewhere
As you mention, ZeroSSL exists, and I think Google GCM will give you free certs too.
Globalsign has an ACME interface for paying customers, although I'm told it has issues (you have to rotate keys manually every X days / N certificates)
There are no (current) plans to drop below 45-day certificates with an expected renewal with 2 weeks to go.
I agree that if cert lifetimes drop towards a week long, then it becomes problematic. A sensible thing at that point is to ensure you can issue certificates from different CAs on different underlying stacks, in the same way you use multiple DNS servers
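As an added illustration of the point made above (not code from anyone in this thread): the renewal-window math for a 45-day certificate renewed with two weeks to go, plus a fallback loop that walks an ordered list of ACME CAs when the preferred one is down. The directory URLs are the CAs' published endpoints, but nothing here contacts them; the issuer is a constructed stand-in, the 45/14-day numbers are the hypothetical profile from the thread, and the EAB flags are an assumption about how you would register with ZeroSSL and Google.

```python
from datetime import datetime, timedelta, timezone

# Published ACME directory URLs, used here only as configuration; this script never goes online.
# "eab" marks CAs that (as assumed here) require External Account Binding credentials at signup.
ACME_CAS = [
    {"name": "letsencrypt", "directory": "https://acme-v02.api.letsencrypt.org/directory", "eab": False},
    {"name": "zerossl", "directory": "https://acme.zerossl.com/v2/DV90", "eab": True},
    {"name": "google", "directory": "https://dv.acme-v02.api.pki.goog/directory", "eab": True},
]

LIFETIME_DAYS = 45          # hypothetical short-lived profile discussed in the thread
RENEW_WITH_DAYS_LEFT = 14   # start renewing two weeks before expiry


def renewal_plan(not_after, now, renew_with_days_left=RENEW_WITH_DAYS_LEFT):
    """Say whether renewal is due and how long the site keeps working if every CA is down."""
    days_left = (not_after - now) / timedelta(days=1)
    return {
        "due": days_left <= renew_with_days_left,
        "days_left": days_left,
        # Slack: the outage you can absorb before the existing cert stops validating.
        "slack_days": max(days_left, 0.0),
    }


def renew_with_fallback(not_after, now, issue, cas=ACME_CAS,
                        renew_with_days_left=RENEW_WITH_DAYS_LEFT):
    """Try each CA in order until one issues.

    `issue(ca)` is a caller-supplied callable that runs the ACME order against
    ca["directory"] and returns the new not_after, or raises on failure.
    Returns (ca_name, new_not_after), or None when renewal is not yet due.
    Raises RuntimeError, carrying every CA's error, only if all of them failed.
    """
    plan = renewal_plan(not_after, now, renew_with_days_left)
    if not plan["due"]:
        return None
    errors = []
    for ca in cas:
        try:
            new_not_after = issue(ca)
        except Exception as exc:  # unreachable directory, rate limit, EAB rejected, ...
            errors.append(f'{ca["name"]}: {exc}')
            continue
        return ca["name"], new_not_after
    raise RuntimeError(
        f"all CAs failed with {plan['slack_days']:.1f} days of validity left: " + "; ".join(errors)
    )


def make_simulated_issuer(down, now, lifetime_days=LIFETIME_DAYS):
    """Constructed stand-in for a real ACME client: CAs named in `down` fail, the rest issue."""
    def issue(ca):
        if ca["name"] in down:
            raise ConnectionError("directory unreachable")
        return now + timedelta(days=lifetime_days)
    return issue


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock for the demos


def demo_le_down():
    """Cert has 10 days left (inside the window) and Let's Encrypt is unreachable."""
    issue = make_simulated_issuer(down={"letsencrypt"}, now=NOW)
    return renew_with_fallback(NOW + timedelta(days=10), NOW, issue)


def demo_not_due():
    """Cert has 30 days left; nothing should be attempted even if every CA is down."""
    issue = make_simulated_issuer(down={"letsencrypt", "zerossl", "google"}, now=NOW)
    return renew_with_fallback(NOW + timedelta(days=30), NOW, issue)


def demo_all_down():
    """Every CA fails; return the aggregated error text instead of raising."""
    issue = make_simulated_issuer(down={"letsencrypt", "zerossl", "google"}, now=NOW)
    try:
        renew_with_fallback(NOW + timedelta(days=10), NOW, issue)
    except RuntimeError as exc:
        return str(exc)
    return "unexpected success"


if __name__ == "__main__":
    print(demo_le_down())
    print(demo_not_due())
    print(demo_all_down())
```

The shape to notice is that the fallback list is only useful if each entry is registered and tested ahead of time (account keys, EAB credentials, rate limits), and that the slack figure is what actually governs how scary a CA outage is: at 14 days of slack a week-long outage is a non-event, at a 7-day lifetime it is not.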