So today I decided to move all my certificates from StartSSL to LetsEncrypt. Not only is StartSSL really a bad CA with recent problems, but they also put several obstacles in your way that just don’t make any sense. They really just want you to sign up for one of their “great” extended validation thingys. Over the last couple of months they have really improved the web interface, but this is still not enough to deal with today’s challenge of delivering secure connections to users easily. Their new APIs and StartEncrypt service are merely a late effort, trying to outbid LE with a worse service. Not worth the time or effort.
The biggest problem is that today I run multiple domains on my server, and I need to provide one single certificate covering all of those domains via Dovecot / Postfix. StartSSL allows you to have up to five domain names in the certificates they sign (for example, www.bruck.me and bruck.me would be a total of two domain names), so I’ve run out of the possibility of using all my domains with one StartSSL certificate. Well, LE offers up to 100 domain names in one certificate. Of course wildcard certificates would be nicer, but this will work as well.
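To show what the “five names versus 100 names” limit means in practice, here is an added example (not code from this post, from acmetool or from LetsEncrypt) that normalizes a list of hostnames into the SAN list a single multi-domain certificate would need, deduplicates them, rejects syntactically invalid or wildcard names, warns when a www name is listed without its apex, and checks the count against a per-CA limit. The two limits are the ones stated in the post; the hostnames under example.org are constructed sample input.

```python
import re

# Limits as stated in the post: LetsEncrypt allows up to 100 names per
# certificate, StartSSL allowed five.
LETSENCRYPT_MAX_SANS = 100
STARTSSL_MAX_SANS = 5

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lowercase, strip surrounding whitespace and a trailing dot (FQDN form)."""
    return name.strip().lower().rstrip(".")


def is_valid_hostname(name):
    """Plain hostname check; wildcards are rejected because the post's plan
    is a SAN certificate listing every name explicitly."""
    if not name or len(name) > 253 or "*" in name:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def plan_san_list(hostnames, max_sans=LETSENCRYPT_MAX_SANS):
    """Return (sans, problems): the deduplicated, sorted SAN list and a list of
    human-readable issues found while building it."""
    sans, problems, seen = [], [], set()
    for raw in hostnames:
        name = normalize(raw)
        if not is_valid_hostname(name):
            problems.append(f"invalid or wildcard name rejected: {raw!r}")
            continue
        if name in seen:          # www.bruck.me and WWW.bruck.me. are the same SAN
            continue
        seen.add(name)
        sans.append(name)
    sans.sort()

    # A www name usually needs its apex in the same certificate (and vice versa
    # counts as two SANs, as the post notes).
    for name in sans:
        if name.startswith("www.") and name[4:] not in seen:
            problems.append(f"{name} listed without its apex {name[4:]}")

    if len(sans) > max_sans:
        problems.append(
            f"{len(sans)} names exceed the limit of {max_sans} per certificate"
        )
    return sans, problems


if __name__ == "__main__":
    # Constructed sample input: the post's own bruck.me names plus example.org hosts.
    wanted = ["bruck.me", "www.bruck.me", "BRUCK.ME.", "mail.example.org",
              "*.example.org", "-bad.example.org"]
    sans, problems = plan_san_list(wanted)
    print("SANs:", sans)
    for p in problems:
        print("WARN:", p)
    # The same list against the five-name StartSSL limit fits; 101 hosts do not.
    _, too_many = plan_san_list([f"host{i}.example.org" for i in range(101)])
    print("101 hosts:", too_many)
```

The function deliberately returns the problems instead of raising, so a renewal script can log every issue at once rather than failing on the first bad name.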
I can really recommend acmetool as an interface tool for LE. I didn’t want any of that fancy magic stuff, as I use a nice web interface to manage all my web hosts. acmetool generates the certificates after verification and puts them into a central location on disk. It also manages renewals automatically, so I don’t have to deal with those either. Exactly what I was looking for! Setup is quite easy! Excellent job LE, on making this whole process open source and giving us the possibility to build any client we want!
So, to summarize: acmetool great, letsencrypt even better, StartSSL meeeh.