Does LetsEncrypt have an online cert authority?

@arberda2 Note that this thread is about a web interface for acquiring certificates and not about Let's Encrypt vs. other CAs.

3 Likes

Is it? I mean, that's my best guess of what "online cert authority" means, but OP never has clarified that.

3 Likes

I agree that it hasn't been stated explicitly by OP, no. However, looking at OP's post I'm fairly certain of my assumption, 99.9% sure.

3 Likes

After re-reading the OP (quickly), I do get the same impression: "Web Interface"

3 Likes

Well, not that it really matters, my post was a reply to @arberda2, but that account has been deleted, probably due to the spam elsewhere on the Community.

3 Likes

Actually, I did explicitly mention a web interface for LetsEncrypt. Take a look at this screenshot of ZeroSSL's "create new certificate" form: after completion of the form, a new .crt file is generated, ready for installing. This is what I call a web interface.

Hence asking if there is one for LetsEncrypt.

1 Like

Any web interface would be a third-party enhancement, as LE only interacts via the ACME protocol.

So, does one exist?
Yes.

Would you mention one here?
No.

Why?
Because I don't want to sound like I am recommending any of them (which I don't).

If your need of a cert is for a tight system like Godaddy shared hosting, there is a PHP client for that.
See: CertSage ACME client (version 1.0.0) - easy webpage interface, no commands to type, root not required

3 Likes

Actually, no, you didn't. The closest you stated was "similar to ZeroSSL and FreeSSL does", by which you apparently meant (but didn't state) a web interface. But since you've now clarified that this was your question, I answered it five days ago--no, Let's Encrypt provides no such interface. Some third parties have made such interfaces, but we generally don't recommend them. Let's Encrypt just isn't designed to work that way.

3 Likes

Someone earlier in the replies suggested that Webmin does have LetsEncrypt SSL functionality, but that's ONLY for the Webmin interface. So, as LetsEncrypt does not have a web interface, it seems I'll have to stick with ZeroSSL and renew every 90 days, because after reading about how to 'manually' create and install certs at a hosting company, it's better to use a system that only needs to generate one file. That is very easy when using cPanel on Godaddy, as I have done this when using ZeroSSL: there is only one file to upload, a .crt file, whereas with LetsEncrypt there are (I believe) 3 files: the crt file, the private key and the public key.

2 Likes

Let's Encrypt purposely does not have any ACME client at all. The only thing LE offers is the ACME API. And for that API there are many third-party ACME clients, some of which are web-based.

4 Likes

It is rather trivial to change those individual files into any other format.

2 Likes

Huh? Every SSL certificate ever generated by any CA consists of a certificate and a private key. CertSage generating the private key and downloading the certificate directly on the intended server is by far better than using a third-party web interface. You could use cPanel to generate your private key and then a CSR and then submit that CSR to another CA then download your certificate then install it into cPanel, but why?

I'll hopefully have the cPanel autoinstall released within a day or two. At that point, it will take under a minute to renew a certificate including the processing time of LE. :slightly_smiling_face:

4 Likes

Actually, I use cPanel with a Godaddy account to maintain a local cab company's website, and if you look at the screenshot, I don't see anywhere where a private or public key is used; all it asks for is the .crt file, which gets installed to the right domain name automatically.

1 Like

OK, so let's say all sandwiches are made of only ham and bread.
And at my deli I sell both ham and bread.
But you want a sandwich.
So I say: Buy my ham and bread and put them together and you'll have your sandwich.
You say: No; The other guy across the street sells me sandwiches.
I say: OK. Then get a sandwich across the street.

3 Likes

If you read the cPanel certificate installation instructions I provided with CertSage, you'll see that the private key gets uploaded on a separate screen in cPanel. Silly, I know, but that's how cPanel is designed.

Try installing a cert without installing its private key. You'll see what I mean. :wink:

2 Likes

I don't know if this is on-topic or not, but I feel compelled to comment.

I got to LetsEncrypt/CertBot after starting with GoDaddy. I got here because GoDaddy charges over $200 for the first issuance of a cert, and then they DOUBLE that charge on each 1-year renewal. That means that unless you want to pay more than $400 per year to GoDaddy, you have to pretend that each year's certificate is brand new.

It took me FAR LESS time to install LetsEncrypt/Certbot on my CentOS 7 servers than it took me to actually find (never mind read) the fine print on how GoDaddy will plunder me for certs. The other providers are the same or worse.

If you really desperately must use a web interface at all (I'm not sure what you're doing that requires it), I suspect you or a competent React developer could roll your own in the amount of time that we're discussing it here.

The awesome thing about Certbot is that it just does everything you need, while doing so in a way that is dirt-simple to find and adjust if you don't like it. In my case, the certs were MUCH easier to find (because it just tells me!). The directory structure is clear and obvious. I needed to make some changes to permissions so that my various nodejs/npm tasks could properly access the needed credentials -- all was easy and straightforward.

The overwhelming majority of web-based tutorials about how to do https ALL describe self-signed certificates -- an utter waste of time and far more tedious than the LetsEncrypt/Certbot install.

My basic need is to put a green padlock on all major browsers on the half-dozen or so sites that I currently manage. LetsEncrypt + Certbot is a clear winner, hands down, over all the alternatives and especially over GoDaddy.

I'll be tossing contributions into the LetsEncrypt hat for the foreseeable future.

5 Likes

I think ZeroSSL is the right product for you.

2 Likes

For the benefit of everyone, I should probably clarify how certificate installations work with cPanel.

With a traditional (non-ACME) CA, most people choose to begin by generating a certificate signing request (CSR) through cPanel. When doing so, you're offered the option of generating a new private key or selecting an existing one, like so:

With an ACME CA (like Let's Encrypt), usually the ACME client generates the private key and CSR for you. You may never even see the CSR. For example, CertSage internally generates the CSR then throws it away once you have your certificate. Uploading a private key works like so:

If the private key is in the list in cPanel when you install your certificate, cPanel automatically pairs them. If not, you get an error. If you delete a private key, cPanel automatically deletes any CSR and/or certificate paired with that private key.

Note that you must install your certificate after uploading it. Simply uploading it doesn't automatically install it!

2 Likes

Please also note it isn't mandatory to let the ACME client generate the private key! In principle, it's also possible to use a CSR generated by e.g. cPanel in an ACME client. However, probably not every ACME client offers this option.

3 Likes
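Whether a certificate, or a CSR generated somewhere else, belongs to a given private key can be checked locally before uploading anything, by comparing the public key each one contains. The script below is an added example, not part of any post in this thread and not cPanel or CertSage code; it assumes the `openssl` CLI is installed, and the file names, the `example.test` name and the self-signed certificate standing in for a CA-issued one are constructed.

```shell
#!/bin/sh
# Added example: file names and CN are constructed placeholders.
set -eu

# Print the SHA-256 of the DER-encoded public key; $1 is the PEM public key text.
spki_digest() {
  [ -n "$1" ] || return 1   # extraction failed: never hash empty input
  printf '%s\n' "$1" | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

key_pub_digest()  { spki_digest "$(openssl pkey -in "$1" -pubout 2>/dev/null)"; }
cert_pub_digest() { spki_digest "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"; }
csr_pub_digest()  { spki_digest "$(openssl req -in "$1" -noout -pubkey 2>/dev/null)"; }

# pair_matches cert|csr FILE KEYFILE -> exit status 0 only when the public keys agree
pair_matches() {
  case "$1" in
    cert) _a=$(cert_pub_digest "$2") || return 1 ;;
    csr)  _a=$(csr_pub_digest "$2")  || return 1 ;;
    *)    echo "usage: pair_matches cert|csr FILE KEYFILE" >&2; return 2 ;;
  esac
  _b=$(key_pub_digest "$3") || return 1
  [ "$_a" = "$_b" ]
}

# Create constructed sample material in directory $1.
make_sample() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1/site.key"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1/other.key"
  openssl req -new -key "$1/site.key" -subj "/CN=example.test" -out "$1/site.csr"
  openssl req -new -x509 -key "$1/site.key" -subj "/CN=example.test" \
    -days 1 -out "$1/site.crt"
}

demo() {
  _d=$(mktemp -d)
  make_sample "$_d"
  pair_matches csr  "$_d/site.csr" "$_d/site.key"  && echo "csr  + site.key : match"
  pair_matches cert "$_d/site.crt" "$_d/site.key"  && echo "cert + site.key : match"
  pair_matches cert "$_d/site.crt" "$_d/other.key" || echo "cert + other.key: MISMATCH"
  rm -rf "$_d"
}
demo
```

The public key is embedded in the certificate and derivable from the private key, so only the certificate and the private key ever need to be handled as files.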
