Switching from LetsEncrypt to Actalis
ACME SSL Certificates, made in Italy
This is the seventh installment of a series of posts about taking back control of my web presence. In Part 1 I tackle hosting, in Part 2 I do things with DNS. In Part 3 I rediscover Proxmox, in Part 4 I move Mastodon around. In Part 5 I Tunnel All The Things with Pangolin and in Part 6 I sort out where to store code.
As I detailed in my previous posts, I used Let’s Encrypt. But, as the astute reader can see, I’ve been wanting to reduce my dependency on non-European companies.
Let’s Encrypt was not high on the list of things to replace - it’s free, it works and it is a force for good. It being under US jurisdiction felt mildly annoying.
I recently came across Actalis, a company based in Italy that offers a free plan where you can get unlimited SSL certificates for domain validation via ACME.
Switching my stack over was as simple as registering an account and adding this to my Caddy configuration:
1
2
3
4
5
6
email my-email-address@domain.tld
acme_ca https://acme-api.actalis.com/acme/directory
acme_eab {
key_id XxxxxxArihquYoJxxxxxx
mac_key yyyyyyyyKPXMgkkxxxxxxLQaIuGhHQbbbbbb
}
(You’ll find both values in the Actalis console.) 
After reloading Caddy, I got an error: “Obtain: base64-decoding MAC key: illegal base64 data at input byte 43”. A quick search taught me that I had to remove the padding (=) from mac_key.
I also had to update my Certificate Authority Authorization (CAA) DNS records to include issue "actalis.it".
A caddy reload later, my sites were serving Actalis certificates.
