Show HN: Anchor Relay – A faster, easier way to get Let's Encrypt certificates (opens in new tab)

(anchor.dev)

80 pointsgeemus7mo ago57 comments

From the cryptic terminal commands to the innumerable ways to shoot yourself in the foot, I always struggled to use TLS certificates. I love how much easier (and cheaper) Let's Encrypt made it to get certificates, but there are still plenty of things to struggle with.

That's why we built Relay: a free, browser-based tool that streamlines the ACME workflow, especially for tricky setups like homelabs. Relay acts as a secure intermediary between your ACME client and public certificate authorities like Let's Encrypt.

Some ways Relay provides a better experience:

  - really fast, streamlined certificates in minutes, with any ACME client
  - one-time upfront DNS delegation without inbound traffic or DNS credentials sprinkled everywhere
  - clear insights into the whole ACME process and renewal reminders

Try Relay now: https://anchor.dev/relay

Or read our blog post: https://anchor.dev/blog/lets-get-your-homelab-https-certifie...

Please give it a try (it only takes a couple minutes) and let me know what you think.

57 comments

xmprt7mo ago

I'm sure some people would find this useful but forgive me if I'm not ready to hand away my security to some unknown third party company. I don't know the first thing about CAs but Let's Encrypt really isn't that difficult to understand.

weddpros7mo ago

There's a scale beyond which the real challenge isn't issuing a certificate.

I see organisations with thousands of SSL certificates, and their struggle is real. Even reputable companies with huge teams have their certificates expire or served badly. Some serve expired certificates for years!

Plus, enterprise alternatives are extremely costly and rigid.

tenuousemphasis7mo ago

All the more reason to automate renewing of certificates.

1 more reply

michaelt7mo ago

I believe the intent here is:

* If you want an SSL certificate for, say, your printer

* And you don’t want to expose your printer’s port 80 to the public internet because you’re not stupid

* And you don’t want to put your DNS credentials onto your printer either, because again, you’re not stupid

* And you don’t want to pay for a certificate with a longer validity, because it’s a home printer, so you’re stitch with monthly cert rotations

* And you’ve embraced the reality that one can delegate SSL not just to CAs, but also to other third parties. Usually the likes of AWS & cloudflare - but why stop there?

Then this product is what you need!

eternauta3k7mo ago

Why not sign it yourself?

1 more reply

weddpros7mo ago

I think it's more a matter of scale. If you need SSL certificates for hundreds of appliances and you want to manage it, rather than hack it, that's the product you need.

unsnap_biceps7mo ago

Are there any printers that actually run acme where this is even a consideration?

toast07mo ago

> * If you want an SSL certificate for, say, your printer

Ummmm why does my printer need a certificate?

3 more replies

geemusOP7mo ago

We take security very seriously, which is why we designed Relay to work so that we never have to see your encryption keys. If Let's Encrypt is working well enough for you, that's great, but we've also heard about rough edges that people struggle with so we are trying to help them out.

8organicbits7mo ago

EFF has a great write up of the 'validation domain CNAME' approach this uses. It's great to see another entry in this space. As great as ACME is, there are still sharp edges we can improve with tricks like this.

https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...

bobbob19217mo ago

I’ve never understood why there isn’t an easy way (ie that never expires) to use certificates or otherwise encrypt communications. I’m mainly referring to unique or internal use cases where the complications around certificates expiring has made it so that those communications end up unencrypted (SSL disabled). I guess what I’m saying is I’ve come across many cases where even bad encryption is better than plaintext, yet plaintext has to get used because of some element of certificates expiring needs renwal. Even bad or easy to crack encryption is better than plain text, yet I totally get why many scenarios end up using plain text (i’m talking in an internal or home lab type set up). I understand why public facing certificates need renewals

weddpros7mo ago

You could see expiring certificates as a chance to examine your security regularly: protocols and ciphers change, bugs are fixed, vulnerabilities are discovered and fixed.

Setup and forget is never good for security. From what I see with sslboard.com (I'm the founder), all hosts serving old expired certificates also have bad TLS versions and ciphers (RC4, DES) and vulnerabilities.

cortesoft7mo ago

> I guess what I’m saying is I’ve come across many cases where even bad encryption is better than plaintext

Where is this? Why would bad encryption be better than plaintext? I can't imagine a scenario where this is the case.

8organicbits7mo ago

Email is a great example of this. There's a bunch of complications like the 'to address' not matching the MX record, the MX record being served without DNSSEC, and a history of self-signed certificates. Unless you do something special you're likely transmitting email using TLS without validating the certificate.

This is strictly better than plaintext as a passive eavesdropper cannot listen in; an active attack is needed.

I wrote much more here: https://alexsci.com/blog/is-email-confidential-in-transit-ye...

1 more reply

teraflop7mo ago

For an internal use case, nothing's stopping you from setting up your own CA, creating certificates that don't expire for 100 years, and telling your clients to trust them. It just takes a couple of OpenSSL commands which, while slightly complicated if you don't know what you're doing, can be easily automated with a shell script.

The browser limits on maximum certificate lifetimes only apply to the public web PKI, not to CAs that you configure yourself.

dns_snek7mo ago

You don't even need to remember any OpenSSL commands. I manage all of my home certificates using XCA GUI.

When creating your CA certificate you can hop into the Advanced tab and add the following line to constrain it to specific domains. This eliminates the risk of your likely-poorly-secured CA being abused to MITM all of your communications:

        nameConstraints=critical,permitted;DNS:.home.internal

This will only allow CA to sign certificates for *.home.internal. I think browser support for nameConstraints is pretty good these days but some clients might not be compatible and you can always install a CA certificate without this extension on devices that don't support it.

op00to7mo ago

Modern web browsers have started distrusting certificates over a certain lifetime. So annoying!

codegeek7mo ago

Or just use caddy as a reverse proxy [0]. This 1 line will do it all for you:

    myawesomedomain.com {
         respond "You just loaded this on https"
    }

[0] https://caddyserver.com

Cockbrand7mo ago

I only recently got into Caddy after using Apache and later Nginx for decades, and it's almost disappointing how little configuration it needs. It's very refreshing that we finally have a web server that needs hardly any fiddling with b/c it has nicely sane and comprehensive defaults.

codegeek7mo ago

Once you go Caddy, you never go back to Nginx and Apache.

princevegeta897mo ago

+1 to Caddy - Another happy user that stopped caring about managing SSL certs 3 years ago.

aeaa37mo ago

Does this means that you have the ability to

a) impersonate the identities of your users and b) decrypt the SSL traffic of your users

benburkert7mo ago

It does not.

Anchor never see sees your private keys for certificates.

We hold an ACME account key on your behalf with the CA, but we cannot use it impersonate your domain or decrypt traffic.

We have a more technical overview of how this works in our docs: https://anchor.dev/docs/public-certs/acme-relay

hannob7mo ago

> We hold an ACME account key on your behalf with the CA, but we cannot use it impersonate your domain or decrypt traffic.

That makes no sense whatsoever. If you have an ACME account key for my domain, of course you can use it to impersonate my domain. You just need to create another certificate. (Which I could detect, but if I know how to do that, I'm probably not going to need your service anyway.)

masfuerte7mo ago

If users delegate their DNS to you, what's stopping you issuing a certificate to yourself for their site?

2 more replies

nodesocket7mo ago

I'm a bit confused the benefits? Caddy already makes Let's encrypt incredibly easy. I use the CloudFlare DNS provider, so don't even need to expose port 80 for http verification.

cortesoft7mo ago

I am pretty sure the main purpose is for people who use a DNS provider that does not have integrated support with certbot or cert-manager (basically this is a hosted acme dns (https://github.com/joohoi/acme-dns)

bananapub7mo ago

for everyone willing to put a tiny amount of effort in, you can just:

1. Install acme-dns somewhere

2. Point part of your domain to that

3. Use lego or caddy or whatever to get certs using dns-01

No need to pay some dude who can then forge certs for your domain.

cortesoft7mo ago

Every single SAAS product faces this criticism. You can always do it yourself, but if some people don't want to, I don't think it is bad to offer a hosted version.

NoahZuniga7mo ago

Your site doesn't work. The right arrow button is always disabled

benburkert7mo ago

sorry about that! mind sharing what domain name (or something similar that also doesn't work) & what browser you used?

mano787mo ago

iOS safari

traceroute667mo ago

Oh dear.

I'm sorry. But do you really need to re-invent the wheel yet again ?

Go to the Let's Encrypt website, there is a whole page of client implementations[1].

What makes yours better than, for example, `lego` or `caddy` or `step` ?

All of which are easy to use, come with sensible defaults and do not provide you with "innumerable ways to shoot yourself in the foot".

And for people who really can't use Let's Encrypt because "its difficult", there are still all the old-school, well-established, commercial CA's out there who will hold your hand in return for a few dollars.

[1] https://letsencrypt.org/docs/client-options/

cortesoft7mo ago

I haven't fully looked into it, but it seems to me that this is basically a hosted version of Acme-dns (https://github.com/joohoi/acme-dns)

The point of acme-dns is for people who 1) need to use DNS validation because they don't have an externally accessible web server or need a wildcard cert and 2) either use DNS providers that don't provide API support or whose API support has not been integrated into their tool of choice like cert-manager or certbot.

I have had to use ACME-DNS for that reason, and I don't think it is a horrible business to try to offer that as a service. I don't think I would use it (since acme-dns isn't that hard to set up and I am familiar with it), but I could imagine other people might want to.

benburkert7mo ago

We don't think of it as reinventing the wheel since it works with all existing RFC compliant ACME clients without needing a plugin. You can use lego, caddy, certbot, cert-manager, or whichever ACME client you prefer.

ACME is great and it's certainly an improvement over the legacy CA alternatives. But there's also some rough edges that we think can be streamlined.

natewww7mo ago

cool idea

j / k navigate · click thread line to collapse

57 comments

xmprt7mo ago

weddpros7mo ago

There's a scale beyond which the real challenge isn't issuing a certificate.

Plus, enterprise alternatives are extremely costly and rigid.

tenuousemphasis7mo ago

All the more reason to automate renewing of certificates.

1 more reply

michaelt7mo ago

I believe the intent here is:

* If you want an SSL certificate for, say, your printer

* And you don’t want to expose your printer’s port 80 to the public internet because you’re not stupid

* And you don’t want to put your DNS credentials onto your printer either, because again, you’re not stupid

* And you don’t want to pay for a certificate with a longer validity, because it’s a home printer, so you’re stitch with monthly cert rotations

* And you’ve embraced the reality that one can delegate SSL not just to CAs, but also to other third parties. Usually the likes of AWS & cloudflare - but why stop there?

Then this product is what you need!

eternauta3k7mo ago

Why not sign it yourself?

1 more reply

weddpros7mo ago

I think it's more a matter of scale. If you need SSL certificates for hundreds of appliances and you want to manage it, rather than hack it, that's the product you need.

unsnap_biceps7mo ago

Are there any printers that actually run acme where this is even a consideration?

toast07mo ago

> * If you want an SSL certificate for, say, your printer

Ummmm why does my printer need a certificate?

3 more replies

geemusOP7mo ago

8organicbits7mo ago

https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...

bobbob19217mo ago

weddpros7mo ago

You could see expiring certificates as a chance to examine your security regularly: protocols and ciphers change, bugs are fixed, vulnerabilities are discovered and fixed.

cortesoft7mo ago

> I guess what I’m saying is I’ve come across many cases where even bad encryption is better than plaintext

Where is this? Why would bad encryption be better than plaintext? I can't imagine a scenario where this is the case.

8organicbits7mo ago

This is strictly better than plaintext as a passive eavesdropper cannot listen in; an active attack is needed.

I wrote much more here: https://alexsci.com/blog/is-email-confidential-in-transit-ye...

1 more reply

teraflop7mo ago

The browser limits on maximum certificate lifetimes only apply to the public web PKI, not to CAs that you configure yourself.

dns_snek7mo ago

You don't even need to remember any OpenSSL commands. I manage all of my home certificates using XCA GUI.

        nameConstraints=critical,permitted;DNS:.home.internal

op00to7mo ago

Modern web browsers have started distrusting certificates over a certain lifetime. So annoying!

codegeek7mo ago

Or just use caddy as a reverse proxy [0]. This 1 line will do it all for you:

    myawesomedomain.com {
         respond "You just loaded this on https"
    }

[0] https://caddyserver.com

Cockbrand7mo ago

codegeek7mo ago

Once you go Caddy, you never go back to Nginx and Apache.

princevegeta897mo ago

+1 to Caddy - Another happy user that stopped caring about managing SSL certs 3 years ago.

aeaa37mo ago

Does this means that you have the ability to

a) impersonate the identities of your users and b) decrypt the SSL traffic of your users

benburkert7mo ago

It does not.

Anchor never see sees your private keys for certificates.

We hold an ACME account key on your behalf with the CA, but we cannot use it impersonate your domain or decrypt traffic.

We have a more technical overview of how this works in our docs: https://anchor.dev/docs/public-certs/acme-relay

hannob7mo ago

> We hold an ACME account key on your behalf with the CA, but we cannot use it impersonate your domain or decrypt traffic.

masfuerte7mo ago

If users delegate their DNS to you, what's stopping you issuing a certificate to yourself for their site?

2 more replies

nodesocket7mo ago

I'm a bit confused the benefits? Caddy already makes Let's encrypt incredibly easy. I use the CloudFlare DNS provider, so don't even need to expose port 80 for http verification.

cortesoft7mo ago

bananapub7mo ago

for everyone willing to put a tiny amount of effort in, you can just:

1. Install acme-dns somewhere

2. Point part of your domain to that

3. Use lego or caddy or whatever to get certs using dns-01

No need to pay some dude who can then forge certs for your domain.

cortesoft7mo ago

Every single SAAS product faces this criticism. You can always do it yourself, but if some people don't want to, I don't think it is bad to offer a hosted version.

NoahZuniga7mo ago

Your site doesn't work. The right arrow button is always disabled

benburkert7mo ago

sorry about that! mind sharing what domain name (or something similar that also doesn't work) & what browser you used?

mano787mo ago

iOS safari

traceroute667mo ago

Oh dear.

I'm sorry. But do you really need to re-invent the wheel yet again ?

Go to the Let's Encrypt website, there is a whole page of client implementations[1].

What makes yours better than, for example, `lego` or `caddy` or `step` ?

All of which are easy to use, come with sensible defaults and do not provide you with "innumerable ways to shoot yourself in the foot".

[1] https://letsencrypt.org/docs/client-options/

cortesoft7mo ago

I haven't fully looked into it, but it seems to me that this is basically a hosted version of Acme-dns (https://github.com/joohoi/acme-dns)

benburkert7mo ago

ACME is great and it's certainly an improvement over the legacy CA alternatives. But there's also some rough edges that we think can be streamlined.

natewww7mo ago

cool idea

j / k navigate · click thread line to collapse