Consider setting the CA server to Buypass by default and leave the option to the user to use ZeroSSL

Since Buypass offers a 6-month validity period for each SSL certificate instead of 3 months, and the only limitation of its certificates is that it does not allow wildcard domain names, which does not violate the restriction that MIAB already applies to itself.

Also, ZeroSSL removes some annoying limitations set by Let’s Encrypt, so acme.sh has already set it as its default CA.

What would be the advantage of a longer validity period? I mean, the box automatically renews certificates anyway, so if anything, I see disadvantages in terms of overall security.

And what limitations would that be?

  • A longer validity period means a lower requirement on renewal frequency. In case of an accidental disconnection between the box and the CA server, or any other accident leading to a failure to renew certificates, longer validity always brings better coverage, and thus an advantage instead of a disadvantage, in my point of view.
  • The limit on issuing/renewal frequency of 5 times per week. In some, if not many, cases we may need a greater frequency than that. Removing such limitations brings convenience, again in my point of view, and that’s why acme.sh set ZeroSSL as their default CA; such a decision had been made based on their statistical research, I guess.

MiaB is an email server, and in its default configuration it’s also the authoritative nameserver for your domains, meaning if your box doesn’t have a reliable Internet connection, you will run into other serious issues long before your certificates will expire. :wink:

I have a hard time thinking of any use cases for a MiaB server where 5 checks per week and actual renewal attempts starting 1 month before expiration would not be sufficient, but I guess having more options is generally a good thing. However, I’m certainly not in favor of changing the default.

I don’t know the actual reason for their decision, but acme.sh is a general-purpose acme client, and therefore needs to be able to cover many more use cases than MiaB, and in some edge cases the limitations of Let’s Encrypt may indeed be a problem. But for MiaB, I really don’t see how those limitations would matter.

However, if it is important to you, you may want to open a feature request on GitHub, or maybe even implement the addition yourself and then submit a pull request…
