The fundamental error at the very beginning was, two very separate topics got merged into one, all because of the American system's philosophy that everything should be monetized. Of the two topics, (1) https/encryption and (2) vetting of vendors, the https/encryption should have been purely a technical standard, freely available to anyone to implement. The height of the resultant perversion was reached when we got the "green bar" era. What was supposed to be an indicator of the degree of scrutiny/vetting that the vendor passed became perverted into "the more they pay, the greener the bar they get". If the certs industry wants to survive at all, let them finally work for their money by spending time and research on actually vetting vendors, and let the browsers never participate again in such a perversion. Long live Let's Encrypt, who rescued us from this.

Hartmut

On Sun 12 Apr 2026 at 07:24:46 -05:00, Trevor Cordes <trevor@tecnopolis.ca> wrote:
On 2026-04-12 Adam Thompson wrote:
But, yeah, it's here, it's real, and it's a massive shake-up in what was already a desperately perverse marketplace (not Trevor, I mean the CAs).
A scary rabbit hole to descend down is the thought that Let's Encrypt (LE) is 60%+ of the cert market already. This change will probably make them 99% of the market. That will give them more market share, and leverage, more than even gmail has over mail. This is once a space that had, what, 6-8 decent-sized competitors duking it out for business?
Talk about single point of failure, single disgruntled-employee target, single hack target, single gov manipulation target, etc. And for those who aren't USA-happy, they appear to be 100% under the jurisdiction of USA laws. If I'm other country govs, I'm a bit worried right about now. Oh, we don't like your site? No cert for you!
It would appear the real reason behind all of this is to push everyone into a validate-every-10-days subscription scheme from big players (or LE) as well as consolidate the market and force more little setups into big tech hosting. Kind of like email hosting: just make it so darn hard & annoying that no one (except me!) will do it. The "muh quantum" and "muh CRLs" would appear to just be scare tactics and obfuscation.
I checked into converting my digicert certs into their ACME-compatible offering and you basically are then in "enterprise" pricing. Meaning no one under 500 employees need apply. Meaning, it's not even an option even if I want to go direct! There are a couple of other smaller resellers with ACME, but they would appear to require writing entire oauth/REST API code to make it work, not to mention the normal overhead of setting up a new business relationship, with the concomitant risk of jumping through all of the hoops to find a dead end.
I'm most of the way through setting up uacme with LE using my custom scripts/templates and it's going pretty well. If anyone needs to accomplish similar with salt or ansible or whatever, I can recommend this highly-scriptable solution, though the docs are a bit sparse on the paradigms.

_______________________________________________
Roundtable mailing list -- roundtable@muug.ca
To unsubscribe send an email to roundtable-leave@muug.ca