I’m looking on the website for a way to generate a certificate but I can’t find it.
I set it up last time like that but did the site change? I just need the keys to paste into my webhosts console.
I have to install certbot? I have no idea what software my host is using. Should I know this?
You probably used a web-based client such as https://zerossl.com or https://sslforfree.com the first time. Certbot is more designed for when you have root console access to your server, usually with a VPS or server you own. If you’re using a shared hosting plan, you usually either need your host to integrate with Let’s Encrypt, or manually apply a certificate at least every 90 days by using one of the aforementioned web-based clients.
2 Likes
OK. There never was one on the main Letsencrypt site?
I would suggest you link to sites that are trusted to do this from the main site to prevent people from getting confused.
No, there never has been.
All the known clients, including the browser-based ones, are listed here.
We are still debating how to present this but to a large extent, we discourage people from relying on this method. We think users are likely to have a much better experience with Let's Encrypt by running a client application (like Certbot, acme.sh, lego, etc.) on their own server, by using a web server with a Let's Encrypt integration feature (currently Caddy, perhaps soon also Apache), or by using a hosting provider that has a Let's Encrypt integration feature. The original concept of Let's Encrypt has always envisioned some form of automation on the client side and having people perform manual certificate issuance creates more risk that they'll forget to renew, and makes it more difficult for Let's Encrypt to further reduce the certificate lifetime below 90 days.
The developers of the web-based clients are performing a great service for people who really need this method, but we continue to hope that that will be fewer and fewer people over time, and that more and more Let's Encrypt users will be using a fully automated method. As a result, I think we want to be cautious about how we direct people to these clients.
1 Like
I think I saw that list but a “get your certificate here” website is a bit buried there between 'other options'.
Yes, because (as @schoen indicates), this is a strongly dis-favored way to get a cert.
I can tell you my experience of: I think I can do this in 5 minutes while I'm tired in the evening and then getting trapped in a web of unintuitive tools and outdated howtos, wasn't a good experience.
I actually started out with a acme.sh howto to automate things on my host, but that was so unclear that I gave up (and I have some experience doing web things).
You are welcome to talk to my hosting provider (Webfaction) who have promised letsencrypt integration years ago and are yet to release it.
I think you need to have the option to create a certificate online, front and center. The users who actually need that (non-security experts running small personal websites) also need to be able to find it quickly. Most anybody else who can actually automate it will have done so because this 90 days thing is also a huge hassle.
At this point I'm so turned off by the process that I'd like to forget about this and remove security from my website but unfortunately that breaks a bunch of things at this point. I'll think thrice before adding security to any other website.
...or perhaps you (who are the customer of your hosting provider) can talk to them about how there are lots of other hosting providers out there who are more accommodating of their customers. Or you can vote with your wallet. Or you can ask for help with automating--if you have shell access and the ability to install certs from there, it shouldn't take more than about 10 minutes. Or, I guess, you can keep doing what you're doing, which pretty much amounts to beating your head against the wall.
Well, I'm sorry for the bad experience you had with acme.sh. A lot of people ask here on the forum about acme.sh and other clients, and the developers of those clients often actively participate in trying to help. If there's a problem that could be fixed in the documentation or functionality of those clients, this forum is often a good place to make that happen.
I can tell you from my work on Certbot that although there are literally dozens of things that users find confusing (I've made a list as a part of a documentation improvement effort!), we've managed to increase the reliability of the tool every month and a much higher fraction of users get a certificate as they expected on their first try than ever before. A lot of that is thanks to people asking questions on the forum and our helping them work through their problems.
I believe the same thing is true for acme.sh—there are plenty of things people may find confusing, but there are also lots of ways that the tool is getting better and better.
I think it might well make sense for us to mention the web clients somehow, but we have to figure out how to do that appropriately given our intention to push for an environment where no users will have to rely on them.
1 Like
I had no idea this particular situation was as bad as it is with what is a reputable host. I also don't particularly feel like migrating a bunch of websites to another host again which may have some other failing.
My point: the small website owners of the world don't have the skills, resources or time to jump through too many hoops. The transition to https has been quite something already I don't think that much more can be asked.
(But the general trend is to let small websites die off because of technical or regulatory burden and leave the web to FAMAG, so let's just keep doing that.)
Very broadly speaking, there are two categories of website owners--those who host their sites themselves (whether on their own hardware on-premise, or on a hosted server somewhere that they have full control over), and those who use a hosting service. For the former group, installing and setting up a client to obtain and renew a cert really shouldn't take more than about 10 minutes, and once you're done, you really shouldn't need to mess with it again. For the latter group, the expectation is that they'll use a hosting service that directly supports Let's Encrypt. In that case, obtaining/installing/renewing the cert is a matter of checking a box or pushing a button on the web control panel (if that much--some hosts even enable everything by default), and you're done.
If you're using a hosting service for your site, and your host doesn't directly support Let's Encrypt, you really are probably better off using either a different CA or a different hosting service (or, I guess, just giving up on security for you and your users), as Let's Encrypt just isn't designed to cater to that use case. It doesn't actively preclude it, but it doesn't really do much (if anything) to enable it either.
It never ceases to amaze me how people continue to come here to complain that Let's Encrypt isn't very good at doing something it was never intended to do in the first place, rather than complain to their user-hostile hosting providers.
2 Likes
If it were easy to do this without breaking things, I definitely would.
Indeed.
I think it's clear that we need to do a better job of presenting the distinction that you make above to new Let's Encrypt users, especially to users on shared hosting whose prior experience or awareness involved paid CAs that commonly issued certificates valid for 2 years.
When Let's Encrypt started up, there were a number of users who were rather upset that Let's Encrypt didn't offer an ideal drop-in replacement for these paid CAs (for example, see the old "Pros and Cons of 90-Day Certificate Lifetime" thread). Let's Encrypt has consistently said that automation is necessary for reliability and scalability, but not necessarily communicated that well to every prospective new user (nor necessarily always communicated well whose responsibility that automation would be in a particular setting).
As I've mentioned recently, I have a colleague who's starting to study new users' experiences with Certbot, and I believe that will include new users' experiences with deciding how to apply Let's Encrypt to their sites more generally. I hope one result of that project will be a better experience and better guidance for people just starting out with all Let's Encrypt services.
3 Likes
I think that's a great point. I never considered Letsencrypt like that and mostly glossed over the 'automation' part.
Since:
- Most people don't have any experience with an automated way of doing this.
- The existing providers and way of doing things work with a keys, files and copy-paste dance.
It's not at all weird that people would slot Letsencrypt into a model where you say you do not want to be.
1 Like
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.