Does Let's Encrypt have its own web-form to get a certificate?


#1

First question:
I found this web form on one of the ACME partner sites - https://zerossl.com/free-ssl/#crt
Do you have your own?
And if not, then why?

Second question:
Which ACME client should I choose for configuration - Windows + Apache?


#2

Just to clarify, it’s a website using the ACME protocol, not a partner website.

No, they don’t, and for the explanation: Web browser based ACME clients; https://github.com/letsencrypt/website/pull/377; https://letsencrypt.org/docs/client-options/


#3

Thank you. As I understand it, Let’s Encrypt wants to make this world easier, but in a difficult way.
Thanks for the list of ACME clients. I saw it before and even downloaded several clients for Windows, but those that I downloaded work in command-line mode, require IIS or something else that is not on my Windows machine; in a word, I could not find a simple and convenient client for my configuration.
Is this the way in which Let’s Encrypt wants to make this world easy? The chaos way? Many options, most of which are dead ends.


#4

There is no one-size-fits-all solution nor client.
Your config is also very uncommon (Apache on Windows).
Luckily there are clients to work with both.
I use Apache on Windows and LE certs without any problem.


#5

Thanks, I will try further.
May the force be with me.


#6

LE’s goal is to automate everything and remove manual renewal as much as possible, therefore manually requesting a cert on a webpage is out of scope for the project. It’s still possible to do it manually via the clients, but all of the major LE clients are designed to be turned into cron/scheduled tasks that work in the background forever once you’ve set them up, so that you don’t need to perform the renewal ritual every 60-90 days.


#7

… with the help of third-party projects.


#8

A really impressive example of what’s possible is @mholt’s Caddy server

https://caddyserver.com/

I’m not mentioning this in order to try to get people to switch to it; I just think it’s been a great example of how web server software in the future can integrate automatic HTTPS certification. I hope that eventually other web servers will follow this example and have official built-in support or official add-on utilities to automate the process.

In the meantime, we’re definitely placing some integration burden on sysadmins, but I’m happy to say that that burden has gotten smaller every year and the tooling has gotten better and better. With the recent help of @adferrand, we’re also close to having an official Windows version of Certbot (which may or may not be easier than the alternatives for IIS users on Windows, but should be a very good experience for Apache users on that platform).


#9

This is one of the reasons why I chose it. For security reasons, based on surprise. In order for the attackers to have faces, as in the scene from Star Wars - “I am your father …” :thatsimpossible:


#10

That will be great!


#11

Such as Apache’s mod_md?


#12

Thanks, in my Apache there is such a module! Now I should figure out how it works …
Thanks to all!
Happy New Year!


#13

I configured the server as indicated in https://httpd.apache.org/docs/2.4/mod/mod_md.html
But something is wrong!
My certificate is called - “Fake LE Intermediate X1”.
And the browser does not allow me to open the site via HTTPS. :anguished:


#14

And in the pubcert.pem file, for some reason, I have two entries about the certificate:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Perhaps because I restarted the server several times.


#15

Aug 08, 2017; 7:14pm Re: mod_md
Stefan Eissing

Glad to hear!

mod_md currently uses the test service from letsencrypt by default. That is why the root cert is not valid.

-Stefan

http://apache-http-server.18135.x6.nabble.com/mod-md-td5038558.html

So, mod_md is in test mode till now? And why is that?


#16

LE doesn’t have any control over Apache development, but that just means you need to use MDCertificateAuthority to point to the real one until the module’s no longer experimental.

It looks like there are no errors, at least, but tracking those down is explained at https://github.com/icing/mod_md/wiki/Trouble


#17

The solution is also in that thread, right?

MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory


#18

Done.
The problem was in the Apache configuration and the mod_md files.
On the Apache help page there was:

MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory

And later I changed it to:

MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory

As it is in - http://apache-http-server.18135.x6.nabble.com/mod-md-td5038558.html

But nothing happened until I deleted the mod_md dir in the Apache dir and restarted the server again.

Thanks to all!


#19

Not exactly!
You need to delete the mod_md dir beforehand!
Or nothing will change.


#20

Thank you Osiris!:vulcan_salute:
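
The staging-versus-production mix-up worked out in posts #13 to #18 can be caught before a restart by scanning the Apache configuration for the `MDCertificateAuthority` directive. The following is an added example, not part of the original thread and not mod_md's own code. The sample configuration is constructed, the function names are hypothetical, and the two directory URLs are the ones quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample config; the directive and both URLs are taken from the thread.
SAMPLE_CONF = """\
# httpd.conf excerpt (constructed for this example)
LoadModule md_module modules/mod_md.so
MDomain example.org www.example.org
  mdcertificateauthority https://acme-staging.api.letsencrypt.org/directory
# MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory
"""

# Apache directive names are case-insensitive; the argument may be quoted.
DIRECTIVE = re.compile(r"^\s*MDCertificateAuthority\s+(\S+)", re.IGNORECASE)

# Hosts as quoted in the thread; anything else is reported as unknown.
KNOWN_HOSTS = {
    "acme-staging.api.letsencrypt.org": "staging",
    "acme-v01.api.letsencrypt.org": "production",
}

def classify(url):
    """Return 'staging', 'production' or 'unknown' for an ACME directory URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "unknown"
    return KNOWN_HOSTS.get((parts.hostname or "").lower(), "unknown")

def audit(conf_text):
    """Return [(line_no, url, verdict)] for each active MDCertificateAuthority line."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):   # commented-out directives do not count
            continue
        match = DIRECTIVE.match(line)
        if match:
            url = match.group(1).strip("\"'")
            findings.append((line_no, url, classify(url)))
    return findings

def verdict(conf_text):
    """Summarise: 'unset', 'staging', 'production' or 'unknown'."""
    verdicts = [v for _, _, v in audit(conf_text)]
    if not verdicts:
        return "unset"      # module default applies (the test service, per the quoted 2017 post)
    if "staging" in verdicts:
        return "staging"    # certificates will chain to the untrusted "Fake LE" issuer
    return "production" if all(v == "production" for v in verdicts) else "unknown"

if __name__ == "__main__":
    for line_no, url, v in audit(SAMPLE_CONF):
        print(f"line {line_no}: {url} -> {v}")
    print("overall:", verdict(SAMPLE_CONF))
```
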