Buypass is a Certificate Authority (CA) based on Europe. It offers free SSL certificates with a validity of 180 days. Unlike LetsEncrypt, Buypass CA also offers paid SSL too. So, it is neither a competitor to LetsEncrypt, nor it is a nonprofit. It is a for-profit company that also offers free SSL certificates. There are other CAs that offer free SSL certificates too. However, Buypass CA offers ACME API that is compatible with LetsEncrypt. For example, certbot can be used to authenticate the domain and obtain free SSL certificates.
Certbot is the recommended tool / client-side software. However, the procedure for test certificates and live certificates are slightly different, if you have used LetsEncrypt previously.
Here’s the procedure to get started with Buypass CA using certbot…
sudo certbot register --server 'https://api.test4.buypass.no/acme/directory'
The above command would do the following…
- ask for your email
- option to agree or disagree with the terms of service
- an option to share your e-mail address with EFF
If you would like to shorten this long process, you may use the following one-liner, replacing ‘YOUR_EMAIL’ with your actual email address…
sudo certbot register -m 'YOUR_EMAIL' --no-eff-email --agree-tos --server 'https://api.test4.buypass.no/acme/directory'
Once the email is registered, we are free to test drive the domain authentication and fetching the test SSL certificates by running the following command…
sudo certbot certonly --webroot -w /var/www/example.com/public_html/ -d example.com -d www.example.com --server 'https://api.test4.buypass.no/acme/directory'
Please know that the test certificates can not be used on live sites.
The above command issues real certificates for testing purpose, even though the test certificates cant’ be used on live domains. Since, the test certificates are real, we have to remove them before fetching live SSL certificates for live domains. We can remove the test SSL certificates using the following command and selecting correct options when prompted…
sudo certbot delete
Output of the above command would look something similar to the following…
Saving debug log to /var/log/letsencrypt/letsencrypt.log Which certificate(s) would you like to delete? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: tinywp.dev - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):
Please be careful on selecting the correct certificates to delete. If you hit “Enter” key without reading the above, you are likely to lose all the certificates listed in it, including the live SSL certificates, if any. If everything goes well, it is time to go live.
Obtaining Live Certficates
Once testing is successful, obtaining the live certificates is likely to go through as expected. The only difference between the test and live environment is the server URL. For live environment, Buypass CA uses “https://api.buypass.com/acme/directory”.
While the advantage of using Buypass CA is in the extended validity, compared to LetsEncrypt, there are a few limitations…
- The free Go SSL certificates from Buypass CA doesn’t allow wildcard. It doesn’t mean wildcard isn’t supported at all. Wildcard is a paid product from Buypass CA.
- Total number of domains that we can attach to a single SSL certificate is limited to only two (enough for 99% of the sites on the internet). So, it can easily cover the bare / root domain example.com and the www version www.example.com.
- There is no dry-run. As seen earlier, the testing process is bit complicated than LetsEncrypt where we can do “dry-run” of authentication. However, with Buypass CA, we authenticate the domain/s, and then fetch test SSL certificates that need to be deleted before fetching the live SSL certificates.
Switching from LetsEncrypt
Switching from LetsEncrypt isn’t hard. Delete the existing certificate and do the above steps. If you ever go wrong, you can always go back and re-issue a free SSL certificate from LetsEncrypt.
Overall, SSL certificate with 180-days validity is the main reason to go with Buypass Go SSL. Also, if you are a person like me who doesn’t always depend on a single entity (even it means nonprofit), then this is a real alternative to LetsEncrypt. Compatibility with ACME API makes it easier to switch from existing LetsEncrypt installations where only the bare domain and www version need to be covered under HTTPS.