Buypass Discontinues Issuance of TLS/SSL Certificates
45 comments
·August 25, 2025yogorenapan
Beyond the big players like Digicert, I'm surprised smaller companies have survived LetsEncrypt for this long. They mentioned it in this post ad well, most are moving towards free providers. I wonder if we'll see more shutting down in the next few years. One thing I think they could compete on is validity period as LetsEncrypt keeps lowering theirs
o_m
Shouldn't we be worried about the internet being centralized to depend on LetsEncrypt? Imagine the shit show if the US government stopped LetsEncrypt from issuing certificates to every country outside of the US.
rvnx
They will not stop Letsencrypt abroad, it is clearly an asset for the US gov, the same way that Cloudflare is a worldwide MITM, it would be absurd to shut it down.
If you are a letsencrypt user, then it is nearly impossible to see (even with CT logs) that there was a malicious interception. From a website operator it looks like a pretty standard renewal as Letsencrypt has a short validity duration anyway.
Add on top of that in the US they have access to easy and non-BGP entry points to reroute traffic (Google DNS, Cloudflare DNS).
They can intercept in practice all Cloudflare and all Letsencrypt sites (except the Letsencrypt they also need cooperation of a friendly DNS and have a very theoretical little risk to get caught in CT logs).
Big sites like Meta or Google or Amazon already have to cooperate and intercept internally so in practice almost all western internet is interceptable rather easily.
There is zero world where US gov would want to stop that.
The tech guys working for the NSA are from being idiots, and it would be insulting to even consider that. They would fight to protect Letsencrypt
hdgvhicv
> They will not stop Letsencrypt abroad, it is clearly an asset for the US gov, the same way that Cloudflare is a worldwide MITM, it would be absurd to shut it down.
That’s does not mean they wouldn’t shut it down.
actionfromafar
Good thing they never do any absurd things nowadays.
ayende
Sure you can, you know what your public key _should_ look like
darkwater
I think we should, as we should every time there is one single big player.
Obviously the ACME protocol is open but currently there are just 5 "free" providers using it (3 from the US and 2 from EU) and nothing blocks anyone to have a US adversary implementing a Letsencrypt-like issuer. Although I have some doubts on whether that CA would get global trust in every browser. Is the Browser Forum following US sanctions? Can a CA managed by the Cuban or Iranian government enter the CA list trusted by Chrome, Safari or Firefox? I'm genuinely asking.
matharmin
Luckily there are still other options out there. ZeroSSL is one I quite like: Free ACME-based certificates just like LetsEncrypt, without the rate limits, and does have paid plans if you need support. It also has better legacy client compatibility than LetsEncrypt as far as I know.
mattashii
I hope that ZeroSSL has improved their policies and procedures in the past years so they're more safe and robust. Four and a half years ago, there were some significant oversights in certificate lifecycle management, TOS, and handling of key material, which needed external parties to notify them of those issues before they fixed them. To me that was an indication of limited awareness of WebPKI and security principles.
See e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1698936, https://bugzilla.mozilla.org/show_bug.cgi?id=1699756
Bad_CRC
I was just trying buypass for exactly that reason when I found out that they are ending it :(
michaelt
I'm kinda worried, personally.
The CA/Browser Forum gets to set requirements for anyone who wants to run a website. If they decide website operators should renew their certificates monthly, website operators don't much choice in the matter.
I worry that some day members of the forum will realise how much power that actually is. If there's a trade embargo on Country A, or a genocide going on in Country B, that perhaps 24-month certificates aren't the only sin they should use their power to correct.
makkes
From what I can see on the CA/Browser Forum's website (https://cabforum.org/about/membership/members/), there is enough diversity in the forum to represent the Web community as a whole. Trade embargoes issued by a single country would likely not be represented by enough CA/B members to be pushed through the Forum.
I personally sleep much better knowing that e.g. all major browser vendors cooperate on the CA/B (and elsewhere, e.g. the IETF, W3C, ECMA) instead of the biggest one dictating the rules (which, to be fair, happens to a certain degree, e.g. with Chrome leading the way for certain technologies).
nubinetwork
Everyone said that about cloudflare, and nothing has changed on that front.
fpoling
The validity of any certificate by 2029 will be reduced to 47 days.
The only way to compete with LetsEncrypt and other free providers would be on futures, like unlimited number of renewals and guaranteed reliability.
kedihacker
Support would be a big part of the enterprise and smaller ones pie but at 47 days everything would be integrating acme protocol so rough times ahead
Kwpolska
Browsers also keep lowering the maximum validity period: https://www.theregister.com/2025/04/14/ssl_tls_certificates/
nickf
Not just browsers, CAs voted in favour too.
michaelt
To me, this seemed like turkeys voting for Christmas.
Plenty of businesses with legacy systems will happily pay $300/year for a 1-year SSL certificate, because they haven't automated renewal, and don't need to over a mere $300. This lets for-profit CAs provide something Lets Encrypt doesn't offer.
I don't get why they'd give up their one competitive benefit? Surely every customer of a paid CA is an organisation that hasn't automated certificate rotation?
zenmac
And DTLS support. Last I checked, LetsEncrypt has issues with DTLS for webrtc. Don't know if it is still the case.
hdgvhicv
I’ve been saying that for years, but HN loves single points of failure because half the people here fantasise about building the next SPOF they can extract rents from
attentive
they now also compete with aws $15/year certs
jwr
Happy to see this, to be honest. Selling SSL certificates was always a borderline scammy business — the companies provided barely any added value, their websites were terrible, buying certificates was always a pain, and one always had to fight through various upsells (usually with no value at all).
skrause
Buypass was one of the free alternatives to Let's Encrypt that also supported the ACME protocol and even gave you 180 days validity.
ninjin
Indeed, I had just started using them at that. No account needed, you just needed to set your contact to "mailto:$EMAIL" and get on with your day. Was nice to use them for a few domains so as to make sure I had a more diverse set of tried and tested issuers, with bonus points to Buypass for being outside the US as well (Norway).
bruce511
I've been around long enough to remember when getting a website was really expensive. Like hundreds of thousands of $.
TLS was expensive. And insanely profitable. The sale of Thwate to Verisign was north of 600 million. (Back when 600 million was "a lot"). Since the marginal cost of making a cert is zero it was a literal cash machine.
LE broke that cash flow. CAs tried to claim their certificates were "safer" or the EV certs had any value at all. All nonsense, but for a while some layer of IT folk bought into that. Even today some of my clients believe that paid-for-certs are somehow different to free-certs. But that gravy train is rapidly ending.
So yeah, once the fixed costs overwhelm the income expect to see more shutdowns. And naturally the small CAs will die first.
I can't say I'll mourn any of them.
V__
But aren't there some differences? LE doesn't verify identitiy. Though I'm not saying that the big CEs are that thorough.
Kwpolska
Browsers stopped prominently showing the identities in EV certificates long ago. There is zero value in paying for a TLS certificate.
Telemakhos
I remember many moons ago, like the Netscape era, when companies that paid for EV certs got special icons and a green address and all sorts of browser indications of trustworthiness.
I just tried my (large, international) bank website in the latest Safari, and I can't even figure out how to view the cert. There's an assumption that every site will have some cert, but no special treatment for EV certs at all.
nailer
That’s true. It’s a bit of a self fulfilling prophesy: the browsers didn’t present a meaningful verification UI, then removed the UI because users didn’t find it meaningful.
Steak isn’t delicious because, after I pee on it, people dislike the taste.
The concept of matching an real world identity to a public key is very much intact outside the browser world.
bruce511
Whether the CA verifies identity or not is irrelevant. Since the end user does not see the certificate they are all functionally equivalent.
And yes, the actual quality of the identity check is debatable but since nobody cares the utility of it is zero.
For example- when was the last time you checked the certificate details of a web site? Have you ever left a site because you felt the certificate didn't verify identity?
dark-star
I have been helping individuals and small businesses set up websites since the 90s. At no point in time getting a website cost "hundreds of thousands of $"
Hundreds? Sure. Thousands? maybe, if you wanted a rare/expensive domain name. But hundreds of thousands? No way
abujazar
Kind of concerning they're not keeping TLS cert issuance even if only for the brand. Let's Encrypt is great, but it would be unfortunate if it ended up as a de facto monopoly.
webprofusion
For info, here is a list of some of the current ACME enabled CAs, not counting the purely commercial/enterprise gang: https://acmeclients.com/certificate-authorities/
webprofusion
For those looking to migrate, Let's Encrypt and Google Trust Services are my current favorite picks. ZeroSSL is ok but their ACME API status has been patchy recently and I'm a little worried about them.
bapak
> "From a sysadmin and operations perspective: What a stupid change. In the perfect cloud native, fully automated fantasy land, this might work and not even generate that much overhead work. In the real world, this will generate lots of manual work. At least, until folks replace their legacy hardware and manufacturers patch their shit."
Give me a break. This is your literal job description, something you should be able to do blind.
If any random FE developer can put a proxy in front of their servers so can you.
portaouflop
Wrong thread?
Bought by Private Equity [TSS] <1y ago[0].
> Buypass AS has a new owner. Total Specific Solutions (TSS) took over ownership with effect from October 16, 2024.
[0]: https://www.buypass.com/news/change-of-ownership-in-buypass-...