On 2026-04-12 Adam Thompson wrote:
But, yeah, it's here, it's real, and it's a massive shake-up in what was already a desperately perverse marketplace (not Trevor, I mean the CAs).
A scary rabbit hole to descend is the thought that Let's Encrypt (LE) is 60%+ of the cert market already. This change will probably make them 99% of the market. That will give them more market share, and leverage, more than even gmail has over mail. This was once a space that had, what, 6-8 decent-sized competitors duking it out for business? Talk about single point of failure, single disgruntled-employee target, single hack target, single gov manipulation target, etc. And for those who aren't USA-happy, they appear to be 100% under the jurisdiction of USA laws. If I'm other country govs, I'm a bit worried right about now. Oh, we don't like your site? No cert for you!

It would appear the real reason behind all of this is to push everyone into a validate-every-10-days subscription scheme from big players (or LE) as well as consolidate the market and force more little setups into big tech hosting. Kind of like email hosting: just make it so darn hard & annoying that no one (except me!) will do it. The "muh quantum" and "muh CRLs" would appear to just be scare tactics and obfuscation.

I checked into converting my digicert certs into their ACME-compatible offering and you basically are then in "enterprise" pricing. Meaning no one under 500 employees need apply. Meaning, it's not even an option even if I want to go direct! There are a couple of other smaller resellers with ACME, but they would appear to require writing entire oauth/REST API code to make it work, not to mention the normal overhead of setting up a new business relationship, with the concomitant risk of jumping through all of the hoops to find a dead end.

I'm most of the way through setting up uacme with LE using my custom scripts/templates and it's going pretty well. If anyone needs to accomplish similar with salt or ansible or whatever, I can recommend this highly-scriptable solution, though the docs are a bit sparse on the paradigms.