Can I get a certificate without installing automagical software?


#1

I’m a Startcom user (or former Startcom user, since their certs are no longer widely trusted), and I am hoping there is a similarly simple way of acquiring a certificate via Let’s Encrypt – that is, I fill in a simple form, create a cert request with a private key created by me (since I do that for private PKIs regularly, I consider it drop dead easy), verify via email I own the domain, download or receive a certificate, and install it myself.

The web server I use is a custom one, i.e., there is 0% chance that Certbot or anything else can work with it, and I would much prefer to not have to install any software. I understand part of the goal here is simplification, but “simple” is in the eye of the beholder – as soon as I see something that requires me to install an implementation of whatever (ACME) protocol that seems pointless from my perspective, I’m put off. It seems to me like a complication, unnecessary complications are not good, etc.

What does Let’s Encrypt offer to accommodate people like me? I did look at the FAQ (https://letsencrypt.org/docs/faq/) but there is nothing there addressing this issue, so all apologies if this question has already been dealt with umpteen times.


#2

Verifying by email is not possible; the options are for your web server to serve a specified file under /.well-known/acme-challenge/ (http-01), responding with a self-signed cert for a specified name ending in .acme.invalid (tls-sni-01), or creating a DNS TXT record with specified content for the _acme-challenge. subdomain (dns-01).

While Certbot is quite heavy, there are a number of lightweight clients that may be more suitable for your environment; GetSSL is a good choice as it can be run locally, uploading the certs and challenge files with SSH. Alternatively, if you want a fully manual solution there are web-based clients such as ZeroSSL or Get HTTPS for free; just remember that certs only last for 90 days, so manual renewal can get tedious.
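The http-01 and dns-01 responses described above are derived from the challenge token and the ACME account key as specified in RFC 8555. The following Python is an added example, not code from this thread or from any ACME client; it uses a constructed public JWK and token (not a real key) and shows what a manual integration has to publish for each challenge type:

```python
import base64
import hashlib
import json

# Constructed sample account key (public JWK only; the values are made up and
# do not form a usable RSA key). The thumbprint needs just the public members.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "made-up-modulus-for-illustration-only",
    "alg": "RS256",  # optional members like this are ignored by the thumbprint
}

# Constructed token, in the shape a CA hands out inside a challenge object.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised as compact JSON with lexicographically ordered keys."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: the exact body the web server must return for
    GET /.well-known/acme-challenge/<token> in an http-01 challenge."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01 publishes base64url(SHA-256(key authorization)) as the TXT
    record value of _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"http-01: serve {ka} at /.well-known/acme-challenge/{SAMPLE_TOKEN}")
    print(f"dns-01 : TXT _acme-challenge.example.com = {dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)}")
```

Binding the response to the account key is what stops someone who merely observed the token from completing the challenge with a different account.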


#3

One of the goals of Let’s Encrypt is automation. The need to reply to an email for verification of the domain would mean that it can’t be automated.

ACME is just a way for this automation to happen: currently there are three challenges which can be used to verify your domain.

The ACME clients @cool110 is referring to can be found on this page: https://letsencrypt.org/docs/client-options/

The Bash clients obviously are a logical choice if you don’t want to “install any software”, although acme.sh has a 27-line script to “install” (i.e. copy) the Bash script to your home directory, set up an alias and cron job. But it’s not necessary :slight_smile:

So you might see some things from your perspective, which of course is fine. But I’m urging you not to have tunnel vision. Because the process you’re talking about might be easy peasy for you, but that doesn’t mean Let’s Encrypt is more difficult. It’s at most different.

Filling in a “simple form”? Há! Not necessary with Let’s Encrypt! Create a CSR? Há! Not necessary! (Well, it actually is necessary as Let’s Encrypt won’t generate a private key for you for obvious reasons, but every self-respecting ACME client out there will generate one for you. Unless it’s an online client. There are online clients which will generate the private key “in the browser”, but do you trust that? ;)). And why verify a domain through an e-mail? Why, for the love of FSM, why?!? Manual labor! No way :stuck_out_tongue:


#4

Hi @MK11

Sounds like Let’s Encrypt isn’t for you.

As said, the ACME protocol specifies clients, challenge types and how to go about it.

Email verification, which some CAs do, is not currently a supported challenge method in the ACME protocol.

Investigate non-ACME CAs.

Some of them have APIs that are REST based and allow you to issue certificates that way.

Any CA will need to verify domain ownership before issuing certificates.

As an aside: “automagical software” is quite a childish thing to say. To me it says you are not really invested in making it work and are looking for excuses.


#5

Samples of API-based CAs:

https://www.digicert.com/rest-api.htm

https://www.globalsign.com/en-au/partner-center/api-documentation-ssl/

Automation will always require you to write some kind of software; it’s up to you if you want to use ACME or REST-based APIs written by other CAs.


#6

Also, there are currently over 30 million certificates being issued by Let’s Encrypt using ACME clients, so some of the statements you make are debunked by the numbers.


#7

Still, something like ZeroSSL does recreate much of the experience of using a traditional CA, if that’s what you want, including not installing client software locally. Notably, it requires you to post a file on your site (not respond to an e-mail), but some traditional CAs also require you to post a file on your site.


#8

Personally, I have different definitions of “simple” vs. “easy”.

Imagine a puzzle with 2 pieces, each of which has half of a complex picture. The puzzle is “easy”. The pieces are complex.

Now imagine a puzzle with single-colored pixels. You can build anything with it, but it requires a huge amount of time and effort. So the puzzle is complex, but the pieces are “simple”.

The OP wants simple, not easy. certbot is easy, but certainly not simple.

