
There are other free ACME-based providers, so switching should be fairly painless if needed. (I guess if you've issued CAA records or similar, you may need some manual intervention.)


You can have more than one CAA record, so it should be possible to configure backup certificate authorities. It's probably a good idea to do that for important sites.
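An added example, not part of the thread: a small evaluator for the RFC 8659 issuance rule, showing how a second `issue` record authorizes a backup CA. The record sets are constructed, and `letsencrypt.org` and `pki.goog` are assumed here as the primary and backup issuer domains.

```python
from typing import NamedTuple

class CAA(NamedTuple):
    flags: int
    tag: str
    value: str

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(line):
    """Parse the presentation form: <flags> <tag> "<value>"."""
    flags, tag, value = line.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))

def issuer_domain(value):
    # The value is an issuer domain optionally followed by ";"-separated
    # parameters; a bare ";" means "no issuer is authorized".
    return value.split(";", 1)[0].strip().lower()

def may_issue(records, ca_domain, wildcard=False):
    """Return True if the CAA RRset lets ca_domain issue for this name."""
    rrset = [parse_caa(r) for r in records]
    # An unrecognised property with the critical bit (128) blocks issuance.
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    # Wildcard requests use issuewild if present, otherwise fall back to issue.
    relevant = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in rrset if r.tag == "issue"]
    if not relevant:
        return True  # no issue-type restriction published
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)

# Constructed RRsets for a hypothetical example.com zone.
SINGLE_CA = ['0 issue "letsencrypt.org"']
WITH_BACKUP = [
    '0 issue "letsencrypt.org"',
    '0 issue "pki.goog"',          # backup CA, authorized ahead of time
    '0 issuewild ";"',             # no wildcard issuance by anyone
    '0 iodef "mailto:security@example.com"',
]

if __name__ == "__main__":
    for name, rrset in (("single", SINGLE_CA), ("backup", WITH_BACKUP)):
        for ca in ("letsencrypt.org", "pki.goog"):
            print(name, ca, may_issue(rrset, ca))
```

With only the single record published, switching CAs requires a DNS change (and waiting out the record's TTL) before the backup CA will issue.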


Name one, besides the NSA-run Cloudflare.


ACME https://guide.actalis.com/ssl/activation/acme

Google https://pki.goog/

SSL.com https://www.ssl.com/blogs/sslcom-supports-acme-protocol-ssl-...

ZeroSSL https://zerossl.com/documentation/acme/

I don't actually think Cloudflare runs an ACME Certificate Authority. They just partner with Let's Encrypt? Edit: Looks like they don't run any CA, they just delegate out to a bunch of others https://developers.cloudflare.com/ssl/reference/certificate-...


Those are just providers that support the ACME protocol, not free certificate providers.


Google and ZeroSSL both provide free certificates via ACME. The links posted above have more details.


Doesn't matter. This is a push by the CA/Browser Forum. Google, Mozilla, and all the CAs got together and said, "hey, what if we just made certificates shorter because we're too stupid to figure out a revocation mechanism that actually works other than expiration." They've tried this shit before, but saner heads prevailed. This time they did not.


Shorter lifetimes strongly push customers towards ACME and thus away from commercial CAs, so it's odd to suggest that CAs subverted this process.


Mozilla does have a revocation mechanism that actually works.

https://hacks.mozilla.org/2025/08/crlite-fast-private-and-co...



