Advantages/Disadvantages over AWS Certificate Manager

[ubergeek42]

Why would people want to use this over the new AWS Certificate Manager(ACM)?

Advantages:

• Available in all regions(ACM is only available in us-east at the moment)
• Validates domains without requiring MX records/email access
• Can configure CloudFront/ELBs with a default SSL setting without user intervention.
• LE supports 100 names per cert, ACM only 20(Less ELBs needed if serving lots of sites)

Disadvantages:

• ACM has 1yr renewals(vs LetsEncrypt's 90 day)
• Requires S3/Lambda(Additional dependencies/very minimal cost)
• Requires Route53 to validate domains for use with ELB
• ACM can be done entirely through their web console

Common Features:

• Support CloudFront/ELB
• Automatic renewal

Edit this issue as new points are made.

[adityamenon]

I think one good point would be the costs associated.

The "simple" HTTPS support for clients that support SNI is free. However for clients that don't support SNI Amazon charges $600 per month.

From http://aws.amazon.com/cloudfront/pricing/

Dedicated IP Custom SSL You pay $600 per month for each custom SSL certificate associated with one or more CloudFront distributions using the Dedicated IP version of custom SSL certificate support. This monthly fee is pro-rated by the hour. For example, if you had your custom SSL certificate associated with at least one CloudFront distribution for just 24 hours (i.e. 1 day) in the month of June, your total charge for using the custom SSL certificate feature in June will be (1 day / 30 days) * $600 = $20. For other SSL options, please visit the CloudFront Custom SSL detail page.

[aripringle]

Just to expand upon the point about needing to verify ACM certificates over email:

We have a case where we need to add/modify the domains on our cert relatively frequently. ACM is very inefficient for this, because it requires you to re-validate ALL domain names (even sub-domain names) over email, individually, every time you alter the certificate. AWS actually rejected our request to increase the default domain limit from 10 domains, because they thought this would be too inefficient for our use case.

[ubergeek42]

@aripringle that's really interesting to hear. I had somewhat lost motivation for this project when ACM was announced, but it seems there's still a bit of a niche where it's valuable.

Out of curiosity, are you using/considering something like this project?

[aripringle]

@ubergeek42 Yes, we are actively trying to implement this project for our CloudFront distributions (and then maybe ELB if all goes well there). I needed to use the changes in #14 to get things working, and it seems like there could be some enhancements made to error trapping/alerting, but overall I've been very pleased with it (thanks for the work that you've put into it!)

I had initially looked at using letsencrypt-s3front to do this, but it has some outstanding issues with issuing multiple domains on the same certificate, and it doesn't include support for ELBs.