
Our First Certificate Is Now Live - joshmoz
https://letsencrypt.org/2015/09/14/our-first-cert.html
======
Someone1234
This is a tiny bit odd. So they have issued their first certificate, but they
don't have cross-signing in place yet? So between now and november 16th
they'll be issuing a whole bunch of effectively broken certificates unless
people manually install their root CA?

Why even push this today if you don't have cross-signing available? Without
that Let's Encrypt is effectively broken out of the box.

PS - I actually like Let's Encrypt and the work they're doing. I will be all
queued up when they go live to grab one (and, yes, will put my money where my
mouth is and donate). But doing this today without cross-signing seems
strange.

~~~
toomuchtodo
Baby steps. This is a huge step forward, and I'm willing to cut them some
slack considering they're about to shake up an entire industry.

EDIT: Kudos everyone working on Let's Encrypt. You're doing awesome work.

~~~
ErikRogneby
For real. This is so damn awesome I feel like letting out a Howard Dean like
yell.

------
jonknee
It's amazing that it takes a free provider to make things simple:

[https://letsencrypt.org/howitworks/](https://letsencrypt.org/howitworks/)

I'd actually pay more than I do now for SSL certs to get that kind of
simplicity.

~~~
nailer
I run [https://certsimple.com](https://certsimple.com): we only do EV
certificates, we're the fastest place to get an EV cert, we check as much as
we can before you pay us a cent, and our application process is 80 seconds.

~~~
kuschku
You might want to fix your webdesign:
[http://i.imgur.com/zQbWnUI.png](http://i.imgur.com/zQbWnUI.png)

And this is in Firefox, which renders fonts more bold than other browsers.

~~~
nhebb
Just removing the font-weight: 300 helps tremendously. Personally, I'm
becoming less of a fan of external fonts. I've noticed lately that they're
often the slowest thing to load on sites that use them (especially Google
fonts).

~~~
LeoNatan25
The weight works great on a high DPI display, but on older displays, it just
doesn't work. Open on a rMBP or iPad, and it's beautiful. I'm guessing the
designers are working on a high DPI Mac.

~~~
nailer
Edit: should be sorted.

Original: working on a standard DPI Mac, but it still looks fine - see
[http://imgur.com/WRWYzBx](http://imgur.com/WRWYzBx). Trying to figure it out
now...

~~~
tripzilch
Do you mean "fine" as in "very fine lines", or "looks fine" as in "looks
good"?

Cause that looks like a printer that ran out of ink.

------
andrewstuart2
I'm so excited for this to take off, and it's good to see they've taken the
first steps, but can I at least download the _CA Cert_ over HTTPS? Not sure
how comfortable I am installing a CA cert I downloaded via HTTP, since that's
kind of the whole point of this whole thing.

~~~
_jomo
You can download the cert via HTTPS from
[https://letsencrypt.org/certs/isrgrootx1.der](https://letsencrypt.org/certs/isrgrootx1.der)

------
simula67
Sorry for asking a potentially dumb question : but is it possible for me to
set up a domain name thecitibank.com and ask letsencrypt to issue me a
certificate ? I can then create a login page to steal IPINs. Isn't that why we
have humans in the loop for issuing certificates ?

~~~
pakitan
A valid certificate only allows you to have a secure connection without errors
and warnings popping up all over. It does nothing to guarantee that the domain
is "legit". You can already set up thecitibank.com and get an SSL certificate
for it without any problem. What you can't do is get the EV (green bar)
certificate where indeed you need to go through a human. But I'm pretty sure
Let's Encrypt won't be giving away EV certificates.

~~~
cpach
_”without any problem”_

Are you sure about that?

~~~
bigiain
Yeah - there's many ssl vendors who've automated everything - so long as you
can read email sent to webmaster@whatever-damned-phishing-domain-you-like.com,
they'll sign a csr for that domain's ssl cert.

------
MertsA
What's the target audience of the beta program? I'd love to play around with
this on a personal domain but I doubt that there will be more than 2 or 3
unique visitors between now and general availability. Do they want signups for
the beta program irrespective of the traffic volume of the site or would toy
site signups just be more of a hassle for someone to approve?

The verbiage on that page isn't very clear on if there's some manual process
for approving beta participants or if it's just grab 100 entries a week out of
a Google Sheets page.

~~~
goldman60
I only have personal sites and I signed up. It probably can't hurt.

------
RyanZAG
Does anybody know if there is any protection built in against MITM or DNS
poisoning attacks?

It feels like this makes network hop security far more important. If I'm able
to insert a MITM or DNS poisoning anywhere between where letsencrypt.org's
servers are and where it thinks the requesting server should be then I can
generate a false certificate.

For example, Amazon's DNS resolves for letsencrypt as 1.2.3.4 which routes
along a set path - say 2.3.4.5 and 3.4.5.6. To verify that I control
amazon.com, letsencrypt is going to try and fetch
[http://1.2.3.4/something](http://1.2.3.4/something) (through DNS resolving).
If I can get MITM access on 2.3.4.5 and pass back /something to the request,
letsencrypt is going to generate a certificate for me that I can use to say I
am amazon.com for the entire world.

Is there any protection against this built into letsencrypt for this? Maybe
checking if amazon.com already has [https://](https://) ? Although I'm not
sure if there is any way to get around a DNS poisoning attack...

In essence, this seems to mean that you can take a single successful MITM and
turn it into a globally authorized MITM. Right?

~~~
superuser2
Any CA performing domain ownership validation would be vulnerable to the same
thing. If you can fake its WHOIS requests or make it appear as if the domain
making the request does in fact have the "canary" file they told you to host
to prove ownership, then you can get any CA to give you a cert for any site.

You have to trust _something_.

~~~
0x0
If the registrar held the job of being a CA, then at least there wouldn't be a
spoofable link between the CA and the domain owner - the registrar already has
your account information and proof of ownership, 100% verified, when your
domain is held with them...

~~~
nailer
Sure, but registrars would need to start doing a lot better job of checking
the identity of people applying for domains, otherwise we'd just end up with
domain validated certificates all over again.

As the grandparent post notes, all CAs completely automate domian validation
at present.

~~~
0x0
My point is that regular domain validated CA _should_ be the sole job of
registrars. It would even prevent parallel certs being fraudulently issued - a
domain can only be registered at one registrar at one time.

Sure, you could have the other CAs still offer EV (real-world identity)
validation as a value-add.

But it's pretty silly that, currently, you have to pay a third party (today's
CAs) to validate something that the registrar already knows for sure.

~~~
kej
The other side of that argument is that if your registrar is also your CA,
they have the ability to give bogus SSL certs to an evil server and the
ability to direct your domain to that evil server.

~~~
0x0
They can already do that, as they could temporarily hijack your NS records and
buy a cert somewhere else. If you can't trust your registrar, you have bigger
problems (I'd say "all is lost")

On the flipside, having a registar act as the only valid CA would mean that
choosing a trustworthy registrar suddenly has real value. Power users could
make an educated opinion on the trustworthyness of a given domain validated
CA. Domain owners could be sure they're not at risk for how in the current
system, an adversarity could get a valid parallel SSL certificate from a
sloppy bargain-bin CA, even if the domain owner picked the most expensive and
diligent CA and registrar for themselves.

~~~
schoen
A lot of folks might not have thought through the weakest-link aspect of the
current system: they feel like they're safer because they chose to use a
reputable or trustworthy CA. But misissuance events that I've heard of have
never involved CAs that the victims had any business relationship with at all.

------
ck2
Everyone repeat after me, wildcards, wildcards, wildcards.

(just hoping they will appear next year)

One more nail in the coffin of the ssl cert mafia.

~~~
kodablah
While I too would like to see wildcards, doesn't the fact that you can
programmatically obtain a cert for a subdomain obviate most of the wildcard
needs? Sure it's a bit more difficult but if your service has some form of
sorts to make a subdomain work for a specific word, surely it can request the
cert at that time. Having said that, obviously keeping track of only one cert
and not having to build this into your apps is much more preferred.

~~~
carterehsmith
This comes up when you are running a multi-tenant app with many tenants;
github.com is a good example. You can sign up as "dude.github.com" or
"me234.github.com" and so on. So, Github can either a) obtain wildcard SSL
cert for "*.github.com" once, and then present it to tenants, and control
access with the "domain" property of the cookie, and don't worry about SSL
cert until next year's renewal time, or 2) apply to some authority for
XXX.github.com every time the new tenant signs up. Well, 2) makes you reliant
on "some authority" every time new customer signs up, (hopefully many times a
day!) which is not so very good IMHO. Just my 5c.

------
bluesmoon
Quick question, apart from having a prettier website, what's the
differentiator with StartSSL which is also free, automated, and open?

~~~
gsnedders
Certificate revocation for free (which is a big deal!), commercial use for
free, multiple hosts for free…

~~~
0x0
StartSSL might also refuse you if you try to request a certificate on behalf
of a friend or a client, as they sometimes checks if WHOIS lines up with your
identity validation. Quite the hassle for domain-validated certs :-/

------
eric_bullington
\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

For the record, the cert I've downloaded (using SSL over the Let's Encrypt
site) from the Let's Encrypt site has the following SHA256 fingerprint:

SHA256
Fingerprint=96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6

Works great. To install on Firefox, just click on the first certificate listed
here, in der format (just be sure to 'view certificate' and compare with the
SHA256 hash I list above):
[https://letsencrypt.org/certificates/](https://letsencrypt.org/certificates/)

For Chrome users, you have to download the cert, then go under "Manage
Certificates" in "Advanced Settings". Then click the "Authorities" tab and
import button. To check the cert hash, you'll have to run the following on
OpenSSL: You can check your own fingerprint using: openssl x509 -fingerprint
-sha256 -in isrgrootx1.pem

Command line users on Ubuntu and (I think) Debian can install it to all
browsers at once using: chmod 644 isgrootx1.pem sudo mkdir /usr/share/ca-
certificates/letsencrypt.org sudo cp isrgrootx1.pem /usr/share/ca-
certificates/letsencrypt.org/isrgrootx1.crt sudo dpkg-reconfigure ca-
certificates

For the extra paranoid, this is the same cert that another user posted to a
Github gist earlier this summer:
[https://gist.github.com/rmoriz/1211745a21bc6114e770](https://gist.github.com/rmoriz/1211745a21bc6114e770)

And you can verify my GPG signature by fetching my PGP key here (note that the
keybase profile is linked to this HN username):
[https://keybase.io/esbullington](https://keybase.io/esbullington)

\-----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIcBAEBCgAGBQJV95CmAAoJELGyxBAnWFiCpF4P/0sxqdrobdKm02V2cadHWQX3
AqXEENlPoReoVazf6Xhr3xfcyLw7g798q7YG4Bd0XtZLwofTr8Hq2On4q9w6dufu
6yGv+PyBTqL2EiSvuyY1p29ieYJV3tqOLUTaYjlvf7YGS90wLphRsEF1RVOaKfLK
J1HSfx5Gctl1IRqa3Lt4zK6pot8xOzvV2d6V+fW1V/Svx5ZrfEUgJ7hgcyrgCSzB
wqKJNhpoZCK50iqzrBlwjByRA+yi4LJckzSZ97l2p86QfvSg8xeVuMWVT+Qw6Pll
Lw+rlrh4sLtcVGTcc6qUfBa5FXfoNOfT0vL009uBz5UkCs0vTjmbOwfZTGAMxKgC
fD9dfOY3f9lA87nxTCP7nKR/USbDJANztNdQ/14qJwKFVmdusAjvf8LR8MzaIi5Q
aBiC6otSuAMDGOTPXJ3aex/v+pt1412K5CgLEq83zeTGK04OoEWV/MMzggT+UxH6
eUpChtwKtFQIjqagzhkWWgc6ti2Qy0PnvZZa36PfFa01iK4jOhRPH9aCkg5UQtbl
MjMPF2gAbHwTGP8cSs+PIrFUYyEK8FgWW4HhXBVCbNgedIEjRJwuorr/Ug8D7mJk
kx+nFENVIsjEHUa5k64fYYc4eRX244jKORvYxH/iwCvvpCaineBkVmXPIFGIBXqp
EYdDJBWF/PWfMvjFYHL3 =es48 \-----END PGP SIGNATURE-----

~~~
cpach
Thank you for posting the fingerprint, Eric.

------
TazeTSchnitzel
Last year they did a talk at CCC. Well worth a watch.

[https://www.youtube.com/watch?v=OZyXx8Ie4pA](https://www.youtube.com/watch?v=OZyXx8Ie4pA)

------
bdamm
This whole effort is making me a little bit giddy! Viva la admin-friendly
security!

------
hartator
Getting NET::ERR_CERT_AUTHORITY_INVALID on
[https://helloworld.letsencrypt.org/](https://helloworld.letsencrypt.org/)

~~~
Buge
>Our cross signature is not yet in place, however this certificate is fully
functional for clients with the ISRG root in their trust store. When we are
cross signed, approximately a month from now, our certificates will work just
about anywhere while our root propagates.

------
icc97
Any one else getting a 'Secure Connection Failed' error at
[https://helloworld.letsencrypt.org/](https://helloworld.letsencrypt.org/) in
FF after adding the root certificate?

~~~
cm2187
I get the same on chrome 40

------
chmike
I didn't see anything about the price of the certificates. Will it be free ?

~~~
dgoujard
Certificats will be free

------
charonn0
I checked the https demo using libcurl, and it failed unexpectedly with error
code 35 (Unknown SSL connect error). I was expecting curl error 60 (untrusted
certificate).

~~~
MrRadar
The test site requires SNI and only accepts TLS 1.1 and 1.2 with
ECDHE/DHE+AES-GCM/AES-CBC ciphers[0]. I'm guessing whatever SSL library your
libcurl is linked against only supports TLS 1.0, doesn't support SNI, or
doesn't support any of those cipher suites (OpenSSL 0.9.x won't work with this
site, for example).

[0]:
[https://www.ssllabs.com/ssltest/analyze.html?d=helloworld.le...](https://www.ssllabs.com/ssltest/analyze.html?d=helloworld.letsencrypt.org)

------
stullig
I still don't get why Mozilla and Google don't accept CACerts. Couldn't a lot
of this be solved by just removing the warnings?

~~~
nailer
They'll need to pass a webtrust audit, which covers how they handle their key
material amongst others. Additionally the Microsoft, Apple and Android roots
have their own extra requirements added.

~~~
throwaway7767
It always seemed odd to me how strictly CACert is treated given that TrustWave
got a pass when they deliberately sold a root CA certificate for man-in-the-
middle purposes.

It's almost as if money is more important than key management practices.

~~~
stullig
Thanks for all the informed info. I was just always weirded out when my
browsers forced me to perform 2-4 clicks because of untrusted connections when
visiting websites of say the CCC (who just switched to StartSSL apparently).

Or the CACert website itself.

Always seemed to me like some kind of joke.

------
thingsilearned
Congrats Josh and team!!!!

------
Walkman
How a root CA goes into the trust store? I know Firefox embed them, so older
versions of it will not include it. OS minor updates (Windows, OS X, ...) ever
updates the trust store?

How much time actually takes it before I can safely use it and be sure that
the majority of browsers accept it?

~~~
schoen
In the short term, Let's Encrypt will be primarily trusted through an
IdenTrust cross-signature, which should be created in the near future (and
before Let's Encrypt certs are available to the general public).

The cross-signature is a delegation of authority from an existing root CA to
Let's Encrypt's intermediate CA, saying that Let's Encrypt should also be
trusted to issue certificates. Browsers that accept IdenTrust's root, which is
widely accepted today, will then also accept the Let's Encrypt certificates as
long as the services that present them also present the certificate chain
(which includes the cross-signature certificate).

This will happen _in parallel_ to Let's Encrypt's efforts to be accepted as a
root CA, and is not dependent on it. For example, if Mozilla decided not to
allow Let's Encrypt to be trusted as a root yet, past, current, and future
Mozilla browsers would still accept Let's Encrypt end-entity certificates
(with the proper chain) because of the cross-signature.

This is discussed in

[https://community.letsencrypt.org/t/frequently-asked-
questio...](https://community.letsencrypt.org/t/frequently-asked-questions-
faq/26)

and is also described in more detail at

[https://letsencrypt.org/2015/06/04/isrg-ca-
certs.html](https://letsencrypt.org/2015/06/04/isrg-ca-certs.html)

------
mahouse
I feel like these initiatives to make SSL available for everybody just lead to
the same conclusion: EV will be the only viable alternative to show real
trust, and EV is much, much more expensive than regular SSL ever was.

~~~
AnthonyMouse
As far as I can tell EV certificates are completely worthless.

You know the TLS certificate you got from bankofamerica.com is legitimately
from bankofamerica.com because of domain validation. What EV tells you on top
of that is only that bankofamerica.com belongs to Bank of America Corporation.
_But you already have that information_. Their website is written on the walls
of all their bank branches and all the documents they've ever given you. You
don't need a CA to verify that because you can trivially do it your own self.
And the same is true for any person you actually know. You know their domain
belongs to them because it's the domain they personally told you belongs to
them.

So that leaves domains belonging to entities you've never otherwise
encountered outside of their internet site. You may have never been to a
Google office before. But if you've never encountered the entity outside of
its internet site then the association is meaningless. What am I supposed to
know of Google other than google.com?

~~~
technion
There's also the fact that obtaining an EV certificate is so unbelievably
painful. I swear it gets more difficult every year.

Last time I bought an EV cert, Comodo wanted a certification from a Chartered
Accountant. Aside from the confusion associated with Comodo wanting a letter
"your CA", we then had them Google for "accountants in Sydney" and complain
they weren't listed on the front page.

"Kindly address the search page to show them on the page in order for us to
process the order".

It took hours of complaints and escalations before they agreed to proceed, at
which point they wanted to call the company's "public" phone number. Now they
could have gone to the company's website, or the White Pages, but no, they
found some .ru website with an "accountant review" and called the number
listed there. Instead of asking what official phone listings Australians use,
the only thing they would accept is "kindly update the website".

Yes, this is probably one of the more incredible examples, but the point is,
who wants to risk even possibly dealing with this, when you can have a DV
certificate in two minutes and it "just works"?

~~~
HiYaBarbie
Wow, that's just _absurd_.

------
octatoan
Does anyone familiar with the "paid-for certificate industry" know if anything
major is going to happen? I'd guess they're going to be inundated with
lawsuits or something.

Great work, by the way.

------
r0bbbo
Can anyone explain to me what the difficulties of producing secure certs are?
What steps do you need to go through to get root CA approval?

~~~
schoen
Root CA status is conferred by the individual user-agent developers (for
example, Mozilla, Microsoft, Google, Apple, among others). Some browser or OS
developers may try to follow others' lead to avoid duplicating effort or
creating big divergences in trusted status of a given cert.

Each entity that maintains its own root CA list has its own policy and process
that people can apply through in order to propose to become a root CA. For
example:

[https://technet.microsoft.com/en-
us/library/cc751157.aspx](https://technet.microsoft.com/en-
us/library/cc751157.aspx)

[https://wiki.mozilla.org/CA](https://wiki.mozilla.org/CA)

These programs have certain criteria, which became more formal and rigorous
over time (it used to be quite informal when the CA system was first set up).
One commonality is generally to get a WebTrust CA audit, and there are also
rules and meta-rules for CAs from the CA/Browser Forum.

[https://cabforum.org/](https://cabforum.org/)

This will require creating and publishing a certification policy and
certification practice statement that have certain elements, and the auditors
will look at those.

There are also physical security issues. For example, CAs use hardware
security modules (HSMs) to perform their signing.

[https://en.wikipedia.org/wiki/Hardware_security_module](https://en.wikipedia.org/wiki/Hardware_security_module)

The HSM will sign requested data, but won't export its private keys into a
less-controlled environment like the CA's web server. It's akin to storing
your crypto keys on a smartcard, only more expensive. :-)

------
thomasrossi
I seem to understand this works just fine with HSTS. I am wondering what
happens to key-pinning?

~~~
schoen
You can also use key pinning with Let's Encrypt certificates. Hopefully a
future version of the client will provide tools to make this more convenient.

------
stevewilhelm
Anyone tried installing their certificates on AWS or Heroku?

~~~
schoen
We do a lot of the client testing on AWS, but a bigger question might be which
OS image you use.

------
muyuu
Can this be used for .onion sites?

~~~
schoen
Not yet; please see the thread at

[https://community.letsencrypt.org/t/if-when-will-le-
support-...](https://community.letsencrypt.org/t/if-when-will-le-support-
onion-addresses/341)

~~~
muyuu
Shame, because it would be actually needed. Cannot rely in .onion crypto vs
MITM.

------
acd
Is there any possibility of peer2peer voting/vetting for certificate genuity?

~~~
Vespasian
No there is not.

And I don't think they will/should ever go for it. After the CAcert
experience, I don't believe community based certificate signing will work in
the current TLS ecosystem.

------
cbpy
you got to use Google to sign-up for the beta... ?

------
Julio-Guerra
why aren't they sponsored by google nor facebook...? isn't it the only way
today to support "open internet" ?

------
lifeisstillgood
To be honest I had not heard of them till now, and I am a bit confused even
after reading some of their site...

So if the difficult part of being a CA (which I think is verifying that I,
Paul Brian, own and control the rights to barlcaysbank.com and should have a
certificate in that name) if that bit is either not done (!) or is reliant on
donations to be able to afford it, is this going to work?

~~~
tokenizerrr
This is not what regular style certificates verify. That is what Extended
Validation certificates verify and they're not issued by letsencrypt.org and
generally are a lot more expensive.

The only thing that regular-style certificates verify (this is what current
CAs do, you can also grab a free one with automatic validation at
[https://www.startssl.com/](https://www.startssl.com/)) is that the person who
controls the domain name has requested the certificate. This is usually done
by serving a specific file over HTTP once, setting a TXT DNS record or
responding to mail to postmaster@yourdomain.tld

~~~
toomuchtodo
> This is not what regular style certificates verify. That is what Extended
> Validation certificates verify and they're not issued by letsencrypt.org and
> generally are a lot more expensive.

I'd like to see LetsEncrypt move into this territory though. What current
private business providers are charging for this service is border-line
extortion.

~~~
icebraining
FWIW, you can already get an SSL cert for $4/year.

~~~
Buge
"this territory" was referring to EV certificates. Those cost more than $4.

~~~
icebraining
I misread the post, sorry :|

