
Buypass: free alternative to Let's Encrypt certificates

2018-07-08

A Norwegian certificate authority, Buypass, offers free 180-day certificates under the brand name “Buypass SSL Go”.

The certificates are issued by Buypass Class 2 CA 5 and chain up to Buypass Class 2 Root CA.

They use the same ACME v1 protocol as Let’s Encrypt, so in theory most ACME clients should work once the directory URL is changed.

The ACME directory URL for Buypass is: https://api.buypass.com/acme/directory

With certbot you can run:

certbot register \
-m 'cert@contoso.com' \
--agree-tos \
--server 'https://api.buypass.com/acme/directory'

certbot certonly \
--webroot \
-w /var/www/html/ \
-d contoso.com \
--server 'https://api.buypass.com/acme/directory'

and you have a free certificate valid for 180 days. Let’s Encrypt certificates are only valid for 90 days by comparison.

Renew with the usual command in crontab:

certbot -q renew --post-hook "systemctl reload nginx"

My first try with Buypass ACME failed because they don’t follow HTTP to HTTPS redirects. Fixed by adding the following to the port 80 block:

location /.well-known {
	default_type "text/plain";
	root /var/www/html;
}
location / {
	return 301 https://www.xf.is$request_uri;
}

instead of a plain redirect.
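A preflight for this failure mode, as an added example that is not part of the original post: it writes a probe file under the webroot and fetches it over port 80 without following redirects, which is how the validator described above behaved. The names preflight and evaluate and the probe file name are hypothetical, and the script is assumed to run on the web server with write access to the webroot.

```python
import http.client
import os
import secrets
import sys

CHALLENGE_DIR = ".well-known/acme-challenge"


def evaluate(status, location, served, expected):
    """Judge one response the way a non-redirect-following validator would."""
    if 300 <= status < 400:
        return False, "redirected (%d) to %s" % (status, location)
    if status != 200:
        return False, "unexpected status %d" % status
    if served != expected:
        return False, "wrong content: webroot and server root differ"
    return True, "challenge path served over plain HTTP"


def preflight(webroot, host, port=80, timeout=5):
    """Drop a probe file in the webroot, fetch it over port 80, clean up."""
    name = "preflight-" + secrets.token_hex(8)  # constructed probe name
    token = secrets.token_hex(16)               # constructed probe content
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        # http.client never follows redirects, so a 301 is seen as-is.
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/%s/%s" % (CHALLENGE_DIR, name))
        resp = conn.getresponse()
        served = resp.read().decode("ascii", "replace").strip()
        result = evaluate(resp.status, resp.getheader("Location"), served, token)
        conn.close()
        return result
    except (OSError, http.client.HTTPException) as exc:
        return False, "request failed: %s" % exc
    finally:
        os.remove(path)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: preflight.py WEBROOT HOSTNAME")
    ok, detail = preflight(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Run it with the same webroot and hostname passed to certbot's -w and -d options; a FAIL line naming a redirect means the port 80 block still redirects the challenge path.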

When browsing the certificate transparency log for Buypass Class 2 CA 5 it seems they haven’t yet issued many certificates from this CA.

I’m excited to see an alternative to Let’s Encrypt because if anything happens to them (currently 65% market share) it would have a ripple effect on the internet.

Shout out to Buypass for excellent service!