[tech] Is there any reason to buy SSL certs any more?

Aug 22, 2016 04:01

So, my domain host now has push-button LetsEncrypt. I have an SSL cert (Comodo) coming up for renewal. Is there any reason I should pay money for this instead of just getting it for free through Let's Encrypt?

(If it matters, this particular cert has to be agreeable to Twilio.)

Like, does LetsEncrypt obviate the entire consumer SSL certificate


cartesiandaemon August 22 2016, 08:50:12 UTC
I don't know for sure, but I don't think there's any reason not to use LetsEncrypt. "Obviate the entire consumer SSL certificate market" is exactly how I understand it, and it's possible there are some edge cases where that doesn't apply, but I don't know what they are.

sauergeek August 22 2016, 15:55:02 UTC
LetsEncrypt hasn't obviated the consumer SSL market.

Last I looked, LetsEncrypt would not issue multi-name (SAN) certificates at all. I also see reports that it doesn't play well with Java. If you have an appliance where you don't have the appropriate software or bits, the automation goes away and then the short renewal time becomes a major hassle. (The short renewal time might well be a hassle in some environments anyhow.)

There are probably more issues.


siderea August 22 2016, 18:16:38 UTC
They do SANs up to 100 names per cert, and actually suggest this is a way to get around their issuing rate limit of 20 certs per domain per week, since it would allow one to get certs to cover 2000 subdomains in a week.

The compatibility list says they're compatible with JDK 8u101, but not earlier. Have you heard anything different?

How short is the renewal time? (I was hoping they'd support custom renewal times.)


(The comment has been removed)

siderea August 22 2016, 19:15:29 UTC
The renewal time is 90 days

!!!!! Why so short? Is that a security issue, like forcing users to change their password quarterly? (ETA: Thanks so much for alerting me to this!)
