
Trying out Let's Encrypt (beta) - conorpp
https://conorpp.com/blog/trying-out-lets-encrypt/
======
zaroth
Looking through the code and the issue tracker
([https://github.com/letsencrypt/letsencrypt](https://github.com/letsencrypt/letsencrypt))
I can't help but think they are approaching this wrong... In an attempt to
make the certificate install completely hands off and fully automated, they
are baking in a tremendous amount of complexity on top of a fundamentally
brain-dead simple process.

I need to generate a private key, send you the public key, and get you to sign
it. Somewhere in there, I need to prove I have control of the HTTP server on
the existing A record, or that I can add a DNS TXT.

I can't say I'm a fan of shipping a SimpleHttp server baked into the tool,
listening on port 80 (so run as root) which is also trying to deal with
account authentication at the same time as generating the CSR, scanning
directories of private keys to try to figure out how to sign the ACME nonce,
etc. Getting this 'letsencrypt-auto' process to be able to receive and respond
to HTTP requests on my domain is a different class of problem than getting a
specially crafted file into a specific path on my domain. The former is
clearly much more difficult in production than the latter....

Why not simply a script which;

    
    
      - Takes as it's input the CSR and privkey files
      - Does an HTTP GET to retrieve the ACME nonce
      - Sign the nonce, generate the file you need to put on your webserver and tells you
        the path to put it.
      - Prompt to 'Press ENTER once the file is in place...'
      - HTTP GET to indicate file is in place, server verifies, and returns the completed
        full-chain cert.
    

(An optional parameter with a path to copy the signed-nonce file would make
the script non-interactive.)

This could be written in a few lines of bash, right, assuming you could find
an openssl command line which could sign the nonce in the correct form?

Keep in mind you have to repeat this process every 6 months with your live
site, so what we want are simple composable / pluggable tools which don't try
to own too much of the overall process, right?

Alternatively, ship two separate scripts (le-verify, le-certify) which create
the ACME validation file and retrieve the cert once the file is in place,
respectively.

I'm also not quite sure, why is there any concept of a user account on
letsencrypt at all? Hopefully it is optional, I don't see what in this process
requires that I register an "account" with them?

~~~
Strilanc
The _whole point_ of let's encrypt is to be fully automated. Without that,
it's just yet another crypto tool with poor usability.

~~~
Avernar
If they think that being fully automated is the main reason why people are
interested in them they are mistaken. Top two reasons seem to be that they are
free and that there are no usage restrictions.

I personally don't want a fully automated process. Shutting down all my
virtual hosts to let their tool pretend to be my server is a big NOPE.

~~~
wildpeaks
The "turn off server while it generates certificates" was indeed the one
surprise in the process for me (while the rest was quite straightforward,
kudos on that).

What I wonder is why it has to be port 80, not another port ?

~~~
vincentkriek
I agree, turning of the webserver is inconvenient and port 80 needs root which
I do not like.

------
wildpeaks
I've documented how I got it working for my site last night (using manual mode
to explicitely specify the domain names), including the dhparams step you'll
need to get the A+ rating with ssllabs:
[https://gist.github.com/cecilemuller/6d70cb4f463d8a391db1](https://gist.github.com/cecilemuller/6d70cb4f463d8a391db1)

------
js4all
I used their docker container in manual mode and the whole process was a great
experience. No need to stop the main server. The steps were:

    
    
        1. Run the container without ports in manual mode
        2. Use the GUI to enter account data and URLs for the SAN certificate
        3. Let the client print out the challenges
        4. Copy the challenges to the webroots using the provided command
        5. Press ENTER and wait a few seconds. Certs and Keys are ready to be linked from the webserver.
    

Everything went as expected and I am a happy user of letsencrypt.

[1]
[https://letsencrypt.readthedocs.org/en/latest/using.html#run...](https://letsencrypt.readthedocs.org/en/latest/using.html#running-
with-docker)

------
y0ghur7_xxx
Something I miss on all these howto posts about Let's Encrypt is the
revocation of the old certificate on renewal.

Say I have a cert that is valid until 2015-12-31, but I want to renew it now.

    
    
       ./letsencrypt-auto --agree-dev-preview --server \
          https://acme-v01.api.letsencrypt.org/directory certonly
    

will get a new certificate, but the old one, as far as I can see, is still
valid and could be used for the domain until it expires.

letsencrypt-auto has a revoke function, but there is no easy way to tell it to
revoke the last valid cert, or it should do it with a `renew` function.

~~~
jand
Accoring to [1] revoking is considered an exceptional use case and will not be
automatically performed on early renewal.

[1] [https://community.letsencrypt.org/t/maximum-and-minimum-
cert...](https://community.letsencrypt.org/t/maximum-and-minimum-certificate-
lifetimes/264/14)

------
andy_ppp
Does anyone know if letsencrypt can support networked appliances (for example
a NAS)?

I suppose I can only sign my nas if it has a domain name?

~~~
conorpp
You can technically use TLS with anything. All the certificates give you is a
trusted 3rd party that authenticates that a domain is what it claims to be. So
if you want that authentication for your NAS domain name, then of course.

------
junto
Has anyone tried this out with VirtualMin?

~~~
SwellJoe
Eric (a Virtualmin employee) has been experimenting with Let's Encrypt for
some time, and, as I understand it it is possible to setup manually without
any extra hoops imposed by Virtualmin (which is usually the case, as
Virtualmin does things in a very standard way, by design). We have plans to
include support in the very near future; not the next release, which is coming
in a few days, but soon after.

Nothing should prevent you from setting it up manually, but it will be
available easily in the near future, as well.

Edit: I just talked to Eric. The official client has historically required
extremely new Python versions (newer than any Linux distro for servers ships
with), but that's recently been fixed. I think Jamie was already working on
implementing our own client, however, because of that problem, so we may end
up shipping our own client. Regardless, it'll soon be supported by Virtualmin.
We're as excited about it as anyone.

~~~
junto
Awesome. Thanks for the feedback! Will this simply be a new tab under the SSL
options for a virtual server?

~~~
SwellJoe
Probably. Jamie will determine the UI for it, but it'll probably be as simple
as turning it on for the domain. Validating the certificate requires either an
addition to DNS or to the web root directory; so the domain will need to have
a valid glue record, but otherwise Virtualmin will be able to do all the work.

And, it does look like Jamie will be implementing a client for it within
Webmin, so we won't need to add the ACME Python client and its dependencies to
make it spin. A nice side effect of that is that Webmin alone will also be
able to use Let's Encrypt, instead of a self-signed certificate for Webmin
itself (of course, people who have purchased certs can use those for Webmin,
but if you have dozens or hundreds of Webmin systems, it'd be silly to figure
out certs for all of them; even a wild card cert would be a nuisance to deal
with).

------
plg
Nice webpage style. What is it?

~~~
conorpp
I used a Jekyll theme and have made incremental changes over the past few
months to make it my own. You can see the source on my github account

------
merb
What I also don't like is that its python. Nothing against python, however
it's really aweful that I need to somehow distribute that files either via
tar.gz, unpack install the requirements, etc.. I think a static binary
would've been way better, ie. rust, golang, c, c++. even a simple *.jar file
would've been better, however that comes with another cost.

~~~
detaro
There are already implementations in different languages, including one in Go:
[https://github.com/xenolf/lego](https://github.com/xenolf/lego)

