Does Let's Encrypt have its own web-form to get a certificate?

DrUltra · December 31, 2018, 6:34pm

First question:
I found this web form on one of the ACME partner sites - https://zerossl.com/free-ssl/#crt
Do you have your own?
And if not, then why?

Second question:
Which ACME client should I choose for configuration - Windows + Apache?

tdelmas · December 31, 2018, 6:50pm

Just to clarify, it's a website using the ACME protocol, not a partner website.

No they don't, and for the explanation: Web browser based ACME clients - #4 by jsha ; client-options: document inclusion/update policy. by cpu · Pull Request #377 · letsencrypt/website · GitHub ; ACME Client Implementations - Let's Encrypt

DrUltra · December 31, 2018, 7:45pm

Thank you, as I understand, Let’s Encrypt want to make this world easier, but in a difficult way.
Thanks for the list of ACME client, I saw it before and even downloaded several clients for Windows, but those that I downloaded work in the command line mode, require IIS or something else, which is not in my Windows, in one word I could not find a simple and convenient client for my configurations.
Is it a way in which Let’s Encrypt want to make easy this world? Chaos way? Many options, most of which are dead ends.

rg305 · December 31, 2018, 7:59pm

There is no one-size-fits-all solution nor client.
Your config is also very uncommon (Apache on Windows).
Luckily there are clients to work with both.
I use Apache on Windows and LE certs without any problem.

DrUltra · December 31, 2018, 8:31pm

Thanks, I will try further.
May the force be with me.

SilverbackNet · December 31, 2018, 8:51pm

LE’s goal is to automate everything and remove manual renewal as much as possible, therefore manually requesting a cert on a webpage is out of scope for the project. It’s still possible to do it manually via the clients, but all of the major LE clients are designed to be turned into cron/scheduled tasks that work in the background forever once you’ve set them up, so that you don’t need to perform the renewal ritual every 60-90 days.

DrUltra · December 31, 2018, 9:16pm

... with the help of third-party projects.

schoen · January 1, 2019, 12:52am

A really impressive example of what’s possible is @mholt’s Caddy server

https://caddyserver.com/

I’m not mentioning this in order to try to get people to switch to it; I just think it’s been a great example of how web server software in the future can integrate automatic HTTPS certification. I hope that eventually other web servers will follow this example and have official built-in support or official add-on utilities to automate the process.

In the meantime, we’re definitely placing some integration burden on sysadmins, but I’m happy to say that that burden has gotten smaller every year and the tooling has gotten better and better. With the recent help of @adferrand, we’re also close to having an official Windows version of Certbot (which may or may not be easier than the alternatives for IIS users on Windows, but should be a very good experience for Apache users on that platform).

DrUltra · January 1, 2019, 10:56am

This is one of the reasons why I chose it. For security reasons, based on surprise. In order for the attackers to have faces, as in the scene from the Star Wars - "I am your father ..." thatsimpossible

DrUltra · January 1, 2019, 10:59am

That's will be great!

Osiris · January 1, 2019, 11:55am

Such as Apaches mod_md?

DrUltra · January 1, 2019, 1:57pm

Thanks, in my Apache there is a such module! Now I should to figure out how it works ...
Thanks to all!
Happy New Year!

DrUltra · January 1, 2019, 6:03pm

I configured the server as indicated in https://httpd.apache.org/docs/2.4/mod/mod_md.html
But something is wrong!
My certificate is called - “Fake LE Intermediate X1”.
And browser does not allow me open the site via HTTPS.

DrUltra · January 1, 2019, 7:03pm

And in the pubcert.pem file, for some reason, I have two entries about the certificate:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Perhaps because I restarted the server several times.

DrUltra · January 1, 2019, 7:16pm

Aug 08, 2017; 7:14pm Re: mod_md
Stefan Eissing

Glad to hear!

mod_md currently uses the test service from letsencrypt by default. That is why the root cert is not valid.

-Stefan

http://apache-http-server.18135.x6.nabble.com/mod-md-td5038558.html

So, mode_md in the test-mode till now? And why is that?

SilverbackNet · January 1, 2019, 7:24pm

LE doesn’t have any control over Apache development, but that just means you need to use MDCertificateAuthority to point to the real one until the module’s no longer experimental.

It looks like there are no errors, at least, but tracking those down is explained at https://github.com/icing/mod_md/wiki/Trouble

Osiris · January 1, 2019, 8:49pm

The solution is also in that thread, right?

MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory

DrUltra · January 1, 2019, 8:59pm

Done.
The problem was in Apache configuration and mode-md files.
At the Apache help page was:

MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory

And later I change it to:

MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory

As it in - http://apache-http-server.18135.x6.nabble.com/mod-md-td5038558.html

But nothing happened until I deleted the mode-md dir in Apache dir and restart server again.

Thanks to all!

DrUltra · January 1, 2019, 9:03pm

Not exactly!
Need to delete mode_md dir before!
Or nothing will change.

DrUltra · January 1, 2019, 9:13pm

Thank you Osiris!