Switching From Let's Encrypt to Actalis

Posted on

In my ongoing efforts to reduce the reliance on US companies and services, I decided from Let’s Encrypt to the Italian Actalis. Sure, Let’s Encrypt works fine, is non-profit and had a huge impact on today’s internet security, but nonetheless it is still US based and required to comply with US law and government requests. This could also include breaking the chain of trust for certificates while prohibiting to share this information with the public.

Actalis, on the other hand, complies to European laws, regulations and standards.

I operate a Kubernetes cluster with cert-manager and DNS01 challenges. Actalis provides these too, making the switch fairly easy.

  1. Create an Actalis account.
  2. Copy your ACME Key ID and the HMAC.
  3. Create a new secret in Kubernetes with these values.
  4. Create a new Issuer or ClusterIssuer in Kubernetes, referencing the secret created in step 3.
  5. Reference the new issuer in your Certificate resources.
---
apiVersion: v1
kind: Secret
metadata:
  name: actalis-eab
  namespace: cert-manager
stringData:
  # no trailing `=` in the HMAC
  hmac: "$YOUR_HMAC"

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: actalis-prod
spec:
  acme:
    email: "$YOUR_EMAIL"
    server: https://acme-api.actalis.com/acme/directory
    privateKeySecretRef:
      name: actalis-dns01-account-key
    externalAccountBinding:
      keyID: "$YOUR_KEY_ID"
      keySecretRef:
        name: actalis-eab
        key: hmac
    solvers: # if you are switching, just keep it as is
      - dns01: # due to my setup only DNS01 challenges make sense
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-credentials
              key: api-token

Perfect, now we’ve got Actalis set up and we can start issuing certificates.

But there is one downside: Actalis does not support multiple domains per certificate in the free plan. Splitting these into multiple certs and secrets does solve this fairly easily though.

I understand if this is a deal breaker for some, but in the end, these are just a few lines that are simple and easy to maintain.

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: first-domain
spec:
  secretName: first-domain-tls
  issuerRef:
    name: actalis-prod
    kind: ClusterIssuer
  dnsNames:
    - first.domain # only one dns name supported
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: second-domain
spec:
  secretName: second-domain-tls
  issuerRef:
    name: actalis-prod
    kind: ClusterIssuer
  dnsNames:
    - second.domain # and here is the second one
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: both-domains
spec:
  # here we need to supply both certs
  tls:
    - secretName: first-domain-tls
      hosts:
        - first.domain
    - secretName: second-domain-tls
      hosts:
        - second.domain
  # the rules stay untouched
  rules:
    - host: first.domain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service-http
                port:
                  name: http
    - host: second.domain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service-http
                port:
                  name: http

And that’s it! For more services and ideas you could get rid of big tech and the US, check out Sovereignity.