Finally fixed the cert issue ...

So ... I had switched over to LetsEncrypt certs a few years ago, and built some automation around certbot for updates.  This worked well, when the site was basically a few servers which never changed.

Fast forward to this year, in revamping the blog, and incorporating locally hosted comments versus a Disqus or similar system, I ran smack into the "you don't have a wildcard cert, so you can't just create new sites without adding complexity to your duct-tape and good-wishes infrastructure".  Yeah, it was a hack, from when certbot and letsencrypt were much younger.

The big issue was that I needed the DNS type of challenge.  And my DNS server itself is not API driven, so I needed to use a secondary server for this.  Happily, the ACME system has a specialized DNS server controllable over a REST interface.  So I set that up.  Letsencrypt seemed to not work with this setup, so I played with the others.  LE really didn't want to enable a wildcard SSL cert, or maybe it was certbot that was the issue.  I was tired of fighting with bad/broken code, and moved to acme.sh.
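The reason a wildcard cert matters for "just create new sites" is the hostname-matching rule TLS clients apply: a `*` only stands in for the single leftmost label. The check below is an added example, not the author's code or any of the tools named here; the SAN list and hostnames are constructed, and `example.com` is a placeholder domain.

```python
"""Which hostnames would a wildcard certificate cover?

Matching follows the RFC 6125 / RFC 9525 rules browsers and TLS libraries
use: '*' may only be the entire leftmost label and it matches exactly one
label, so *.example.com covers comments.example.com but neither the apex
example.com nor a.b.example.com.
"""


def matches_san(pattern: str, hostname: str) -> bool:
    """True if DNS name `pattern` from a cert's SAN list covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more (or fewer) labels
    if "*" in pattern and (p_labels[0] != "*" or len(p_labels) < 3):
        return False  # '*' only as the whole leftmost label, never at a TLD
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def covered_hosts(san_names, hostnames):
    """Map each hostname to the SAN entry covering it (None if uncovered)."""
    return {
        host: next((san for san in san_names if matches_san(san, host)), None)
        for host in hostnames
    }


# Constructed SAN list in the shape a wildcard issuance typically yields:
# the apex name plus the wildcard (placeholder domain).
SAN_NAMES = ["example.com", "*.example.com"]

# Constructed hostnames: the existing site, a newly added comments host,
# a nested name, and an unrelated domain.
HOSTS = ["example.com", "comments.example.com", "WWW.example.com",
         "a.b.example.com", "example.org"]

if __name__ == "__main__":
    for host, san in covered_hosts(SAN_NAMES, HOSTS).items():
        print(f"{host:24} -> {san or 'NOT COVERED (new cert needed)'}")
```

Adding a new first-level site under the wildcard needs no reissue, but a nested name or a second domain still does.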

After fighting with it for a while, I was able to get it to the point where it was successful at authenticating my request for a wildcard cert.  And then it failed.

Ok.

Work the problem.

Logging into the account I created at that site, I noticed that in the free account I'd set up, wildcard was not supported unless I paid for it.  Fair enough, as there ain't no such thing as a free lunch.  So I looked at the pricing ...

... and was blown away at how expensive this was.

I don't monetize this blog or any of my sites.  I do not accept or publish advertisements.  It is a cost center for me.  And the price they wanted to charge for what I wanted (a simple wildcard SSL cert) is well beyond what I would consider acceptable.

So I looked around, and found similar costs (within factors of 1/2 to 2x).  Finally I looked back at a provider I used many years ago: SSLmate.  Their pricing was reasonable.  They don't seem to use ACME, but their tooling works quite well.

Took me about 10 minutes to do this.

10 minutes.

The whole reason I didn't post over the last 2 months was that I was fighting with the wildcard cert stuff in my spare time.

10 minutes.

Ok.  A bit more updating, and here we are.

Why did I need to do this?  Because the comments section didn't have a cert.  The certbot infra I'd built frankly was terrible; acme.sh was much better, but the hidden catch of the costs for what I wanted was well more than I wanted to pay.

So, there's that.  More about the comments in the next post.
