I have successfully switched all the sites that I host myself to use #Actalis TLS certificates instead of ZeroSSL or Let's Encrypt. Actalis is an Italian CA, and the only European CA (RIP Buypass) that provides unlimited free certificates via ACME.
Their site is flaky and does crash sometimes, but after you have signed up (no KYC needed, an email is enough!) and got your EAB credentials, you'll never have to touch them again! The only downside I can think of is them not offering wildcard certificates, but I never used those, so ¯\_(ツ)_/¯
@eloy valid concern, but
all the sites that I host myself
And, as shitty as it sounds, I don't host my own website :D Since it's open-source, I can host it for free on statichost.eu, and I like how it builds from my Git à la GitHub Pages. Once I figure out how to rsync from my CI, I'll do the same for it, too :)
Technical details:
Example certificate: https://crt.sh/?id=24228872723
@famfo I agree about RSA, but what are y'all using the wildcards for? :D
@kytta wildcard DNS records, tons of subdomains and general laziness :^)
@kytta I know that it can be done without (check out ccc.ac for a real no-wildcard certificate) but then I'd have to keep proper track of my stuff, scary
@famfo I see. I use Caddy exclusively, and it creates a new single-domain single-SAN certificate for every domain in my config, so I don't really have to manage anything. It's a bit sad that two domains pointing to the same site have differing certificates, but not having to think about it at all is an upside :)
@kytta there is a bunch of non-https stuff I host so this isn't really feasible :^)
The CAB forum also recently deprecated client certificates, which were used by XMPP server-to-server communication, not cool :(
@kytta that's fair, lol
I wanted to take a look at the cert chain, do you have an example that you migrated?