
Please be careful using urllib2: unless you are on Python 2.7.10+ or 3.5+, it does not do HTTPS certificate validation.

Indeed. However, it's important to note that even if someone does MITM letsencrypt.org, they only see your public key and CSR. The private keys never get sent over the wire, so you don't risk leaking your private keys. However, a MITM could issue you a fake certificate that doesn't chain back to the Let's Encrypt root. This risk isn't any more than the way most CAs do it now (they email you the signed certificate).

I don't see the point in verifying that I'm connecting to Let's Encrypt. If I am not connecting to Let's Encrypt then the cert I get back won't show as being issued by them.

So you'll display a challenge on your website issued to someone else. This certifies an attacker's key for your domain.

An authentic connection to LE is literally fundamental.

> An authentic connection to LE is literally fundamental.

Unless you validate the certificate that you get using a pre-installed LE root certificate.
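
Added example (not from any commenter): how to make the urllib request in the first comment actually verify the server certificate, and how to apply the last comment's suggestion of trusting only a pre-installed root. It uses Python 3's urllib.request (the successor of urllib2) and the standard ssl module; the bundle path `PINNED_CA_BUNDLE` is a placeholder you would replace with a file containing the root certificate(s) you have installed in advance. The `context_verifies` check exists because a context that silently skips validation (what the legacy client behaviour amounted to) looks identical to a verifying one at the call site.

```python
import ssl
import urllib.request

# Placeholder (assumption, not on the page): a PEM file holding only the root
# certificate(s) you pre-installed, e.g. the Let's Encrypt roots.
PINNED_CA_BUNDLE = "/path/to/pinned-roots.pem"


def build_context(cafile=None):
    """Return an SSLContext that checks the peer certificate and the hostname.

    cafile=None: trust the platform's CA store (the default-verifying setup).
    cafile=<path>: trust only the CAs in that file, i.e. the 'validate against a
    pre-installed LE root' approach from the thread.
    """
    if cafile is None:
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True               # name in cert must match the URL host
    ctx.verify_mode = ssl.CERT_REQUIRED     # a chain to a trusted root is mandatory
    ctx.load_verify_locations(cafile=cafile)  # and ONLY this file is trusted
    return ctx


def context_verifies(ctx):
    """True only if ctx would reject an unverifiable or mismatched certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def build_opener(ctx):
    """urllib opener whose HTTPS connections use the given context."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def fetch(url, cafile=None, timeout=10):
    """Fetch url, refusing to proceed if the TLS context would not verify.

    A MITM presenting a certificate that does not chain to the trusted root(s)
    makes open() raise ssl.SSLCertVerificationError instead of returning data.
    """
    ctx = build_context(cafile)
    if not context_verifies(ctx):
        raise RuntimeError("refusing to send requests over an unverified TLS context")
    with build_opener(ctx).open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # The verifying context passes the audit; a deliberately unverified context
    # (what a non-validating client effectively uses) fails it.
    print("default context verifies:", context_verifies(build_context()))
    print("unverified context verifies:", context_verifies(ssl._create_unverified_context()))
    # Real use (needs network): fetch("https://acme-v02.api.letsencrypt.org/directory", PINNED_CA_BUNDLE)
```

With a pinned bundle, a certificate issued by any other CA, however legitimate, is rejected too, so the bundle must be updated before the pinned roots rotate or expire; that is the operational cost of the approach in the last comment.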
