https://www.sslforfree.com - I made this client so that anyone, even without technical knowledge, can get a certificate in less than a minute.
It took me 3 hours to get Let’s Encrypt on my Cent 6.7 WHM dedicated server, and I also can’t get a manual client working on Windows 10, so I made this for myself and for everyone.
I’m working on getting it generated in the browser. The key is generated and output immediately over SSL. I don’t store it ever, nor would I want that liability.
And then what? The user has to move the key to the server that actually uses it? If so, it would be better if the user generated the key and a CSR and moved the CSR and cert around.
I wouldn’t trust anything the browser does with the private key, no matter if it’s generated “locally”.
This doesn’t simplify anything.
Edit: It asks for FTP account data to upload verification files to my domain. And it uses whois protection. Isn’t that cute? If that doesn’t scream shady, I don’t know what does. You should take that failure offline and pretend you never had anything to do with it.
I would advise anyone to never use this service. If you do it securely, it’s more cumbersome than even running acme_tiny.py.
I really don’t think that LE was ready for this Beta release, and I’ve already said this more than once. This is clearly a proof-of-concept release, for technical users to play with and find and report the problems, of which there are many.
And does the current ACME client even work for Windows-based web servers like Apache and Mongoose out of the box? Even the requirement to install major 3rd-party products like Python for use with Windows is not acceptable, IMO.
There needs to be better and simpler documentation and software available very soon in this “Beta” period, or we risk bad PR, which will set back our goal significantly.
The fact that people are offering insecure “solutions” like this “easiest way to use LE” tells us that we must start doing a better job, so our goal gets reached. Just my opinion, of course. Do the major stakeholders of LE agree with me?
Not everyone has enough access to their server or knows how to install & use the official client in its current state. If you do, obviously the best choice is to install it and use a cron job to automate renewal. My goal with this website was to make it easy and accessible for non-technicals.
If you don’t trust your browser then you might as well never enter a password in your browser.
I added FTP for the people that don’t know how to upload files, like most non-technical people; of course you don’t have to use it if you know how to upload files. Where did you get the “whois protection” from? That’s nowhere on the site.
In reply to David: please let me know how this is “insecure”. If you are talking about the private key being generated by the server, then, as I already said, I am working on moving it to the browser using the Web Cryptography API - http://www.w3.org/TR/WebCryptoAPI/
Security is ever changing and nothing is ever completely secure. I am willing to improve it as much as I can in order to provide as secure a solution as possible to help bring SSL to a lot more people, not just technicals.
Merry Christmas everyone and thanks everyone else for being more positive.
David, a Python client was a smart decision as a first client for modern cross platform compatibility (at least once it’s developed enough). ACME itself will work with any operating system as long as a client is made for it.
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
And you simply never ask for people’s FTP credentials, ever. That’s not just unprofessional, that’s outright shady. No matter how much you want to be helpful, it’s just a no-go. Together with the complete lack of any information on who is running this site, all you can say about it remains: STAY AWAY.
Behold the paradox: You want to drive forward encryption while teaching people that it’s OK to generate private keys in a browser and enter your hosting credentials on some random website.
It would have been better to show people how to generate keys and create a CSR, then accept only the CSR and have them complete the challenge manually. If they can’t do that, they probably should let someone else run the server in the first place. What are the chances that it’s a well-maintained server, anyway?
To me, this service is a good example of how good intentions can be disastrous for the general robustness.
sjdfnldas, Python is a great and flexible language. But, like many languages that are primarily supported for Linux, I believe it can cause unexpected problems when installed on a random old Windows computer being repurposed as a Web server. There are other platforms, such as .NET and the VC redistributables, which already exist on many Windows computers, and languages like Go, which are simple enough to be packaged to install without problems. If Python was chosen only for compatibility, then this was a poor decision for a Beta release, although it was perfectly fine as an internal POC, not to be released to the public with some fanfare.
As you said, ACME should be able to be implemented using a dedicated Windows client that interfaces directly to Windows with no other risky software at all. This is the route that should have been taken before rushing into Beta.
Again, this is just my opinion, and I may be wrong. But show me I’m wrong, don’t just be smug. Currently, LE seems to be failing as a Beta test. Do you really believe that LE was ready for random installation on any web server? Let’s admit we rushed into it and regroup for development of something more nearly bulletproof and reliable.
Whois protection was free with new registrations. Also just because one has whois protection doesn’t make them shady, not everyone wants their private details in public.
You simply don’t have to use FTP if you don’t trust that I don’t store any of it. I told you why I added it and I know firsthand why it’s useful for non-technicals.
Python is actually very cross-platform compatible, even with an old Windows computer. They even support MS-DOS. Python wasn’t chosen only for compatibility, but it seems to be one of the important factors. Talk to them directly if you want to debate further: https://groups.google.com/a/letsencrypt.org/forum/#!forum/client-dev. Or better yet, you can go make your own client, however you feel is more compatible, in any language you want.
I have to disagree that LE is failing. Beta was meant for bugs and feedback, and is how they will be able to make it more bulletproof and reliable.
You’re missing the point. It’s not about what you actually do with the data, it’s that you’re even asking for it while at the same time hiding behind whois protection. You simply don’t do that. This is exactly what we try to teach people - not to trust websites that ask for unreasonable data. Oh sure, you don’t have to enter your bank credentials into that phishing site, it’s your choice. Seriously…
You might also think it’s a good idea to run around in dark streets, waving around a huge knife and telling every passing pedestrian that it’s to protect them should there be a real criminal. And then you wonder why people run away from you screaming.
Also, can you guarantee that your server and the connection between it and your users’ servers is trustworthy enough to handle that kind of data? Your intentions might be good, but what control do you have over the infrastructure your service is running on?
This is not how you run a trustworthy service. A trustworthy service doesn’t even ask you for unreasonable data. You can’t force trust out of people while looking like a shady criminal. End of story.
sjdfnldas, my opinions about problems installing Python are based on my reading many complaints in the fora of various projects that require Python. As to Python being easy to install on old Windows computers, I’ve tried and failed to install Python on Windows XP some years ago. It may be better now, but the comments on the Web still report problems on manual installation, yet what we want for LE is automatic and silent installation. I still have doubts.
Beta testing is meant for an existing product with a customer base containing knowledgeable customers who willingly try a Beta test version because they can get new features more quickly that way. LE never had a proper release to the public, and no Alpha testing, before it went to Beta release with fanfare. It wasn’t ready.
LE is perhaps not failing, but it does not yet fulfill its promises, either.