Single post
jump to repliesWhat the actual fuck, #LetsEncrypt‽
Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026.
That makes them unusable for SMTP servers. Gah!
Anyone got a usable alternative that doesn’t ruin financially?
Update: I’m in communication with them, let’s hope they recognise the usefulness.
Update 2: turns out it’s Google forcing this down the throat of all CAs that want to be recognised by Chrome as valid. I’m sure Google only accidentally decided on a new policy that breaks some SMTP and probably all XMPP use cases… 🤬
1 visible reply; 2 more replies hidden or not public
back to top@mirabilos
I use #zerossl for my web and mail servers.
I no longer use certbot but acme.sh to generate certificates.
ZeroSSL is the default CA for https://acme.sh/
edit: I fall back to letsencrypt when I need a wildcard cert such as *.domain.tld