Grieving over the death of StartSSL


What was once the web’s best source for free SSL/TLS certificates and affordable-by-normal-humans wildcard certs is dead, killed by shitty unethical behavior by a shitty company called WoSign. So thanks, WoSign—thanks for wrecking StartCom and their StartSSL service. You destroyed something wonderful and useful to millions of people. Hope it was worth it, dicks.

If there’s an upside to this mess, it’s that Let’s Encrypt has mostly made StartSSL redundant. Where StartSSL was once the only place to go if you wanted free certificates, LE now fills that gap—very successfully, too. And LE will begin offering free wildcard certificates starting in 2018, so that’s another need fulfilled.

But man, I am going to miss the hell out of StartCom and StartSSL.

Read the rest of this blog entry…


Eish… but good to know that there’s still an alternative available.

Good on Mozilla and the rest for not backing down on unethical behaviour.


Thanks for this, needed an HTTPS cert for my Unifi guest hotspot setup.


LetsEncrypt, with certbot, makes getting and renewing, free certificates pretty trivial. When I needed one it took less than 10 minutes, from downloading certbot, to having it all up and running.


It’s trivial unless your web stack has more than just a single physical web server running a single web server daemon. It took days to make it work with HAProxy + Varnish + Nginx. Using a traditional cert was a trillion times easier than the fucked up hoops you have to jump through and the automation you have to set up.

If StartSSL was still working and not gutted by amoral overseas assholes, I’d vastly prefer to stick with it rather than screw with LE, especially once you realize that for anythign complex you basically need to ditch certbot and use a different acme authentication system, and then you realize that none of them quite do what you want and you need to roll your own.

I’m about to kick HTTP-01 validation to the curb and set up DNS validation, and that’s a whole other fucked up can of worms because you have to do even more insane shit (like allow your LE script to have API-level access to your DNS provider to update the TXT records used for DNS validation).

LE is incredibly simple for a few very specific use cases. Beyond that, it’s almost cripplingly complicated and traditional certs are infinitely easier. But, since I don’t have literally-for-real thousands of dollars to throw away on traditional certs for my domains…LE it is.