How to get the certificate on every OS? OS-independent in-browser generation!


#1

The documentation says that I can get a certificate without Apache configuration if I run the command “letsencrypt -d example.com auth”

But how does the tool validate that I’m eligible to receive the cert for the domain?
Looks like a simple HTTP request.

Then it would be very nice to have an additional in browser solution like https://www.startssl.com/

StartSSL also does a simple HTTP validation by sending an email to the domain. Then the StartSSL website uses a browser feature/function to generate the certificate on the client side.

The big benefit is that a certificate can be issued OS-independently. This would be very nice for LE also, e.g. I’d like to get a cert for a Windows IIS, not for an Apache.


#2

Probably the most technical official explanation is at https://letsencrypt.org/howitworks/technology/

As far as I know the letsencrypt client is developed on Debian, so it’s more tailored to Debian/Ubuntu.

You can see some of the initial problems when the client doesn’t expect to find Debian-specific file paths/names: Installer can’t find apache2ctl


#3

https://letsencrypt.org/howitworks/technology/
https://letsencrypt.readthedocs.org/


#4

Ok, thank you. As far as I can see the only “validation” is done by a simple HTTP request.

Then it would be very nice to have an additional in browser solution like https://www.startssl.com/

StartSSL also does a simple HTTP validation by sending an email to the domain. Then the StartSSL website uses a browser feature/function to generate the certificate on the client side.

The big benefit is that a certificate can be issued OS-independently. This would be very nice for LE also, e.g. I’d like to get a cert for a Windows IIS, not for an Apache.


#5

Automation is a significant goal of the project though. Involving email verifications would not be conducive to automation.

You should be able to use the LE certificate on any OS/web server combination. The certificate does not have to be generated by / on the server it will be used on.

Think there is a topic thread in here someplace discussing IIS. Try a search to see if you can find it and if it addresses any questions for your use case.


#6

There should be a PowerShell version by launch, so the LE client will be platform independent.

E-mails are not that good to automate for most users, so it’s not really an option, at least not as long as the certificates are short-lived (90 days).

StartSSL generates two certificates, one for client authentication and another one for use with your web server, none of them is generated in the browser, they’re generated on their servers.

LE will try to support every OS, but even if not, you can still get a certificate with the manual mode if your system is not supported.


#7

Automation is a significant goal of the project though. Involving email verifications would not be conducive to automation.

No, it would be just an additional/optional validation option. The LE client can still use the http validation mechanism for automatic generation. But if I’d like to get a cert without the tool I can switch to the mail validation.

The certificate does not have to be generated by / on the server it will be used on.

At least you need (to set up) a supported OS to run the LE client. Then the web server has to be publicly reachable.

In some cases it’s easier and more secure to have a public mail server than a public web server. The certificate could also be used for non-web services, e.g. for a net tcp Windows client.

StartSSL solves all these “problems” with the in-browser generation. StartSSL is also a well-known CA and accepted by any common browser/OS.


#8

StartSSL generates two certificates, one for client authentication and another one for use with your web server, none of them is generated in the browser, they’re generated on their servers.

This couldn’t be completely true. I used the service some weeks ago using my Chrome browser. (For a mail certificate, but I think this shouldn’t make a big difference.)

The StartSSL website generates the certificate in my browser’s certificate store. I don’t think that a website is allowed to add a foreign cert to that store. There is also only one cert (the one in my browser store). It’s used for identification, but it’s also signed for the mail address, so I can just export and use it.

Also see: https://stackoverflow.com/questions/9197484/generating-client-side-certificates-in-browser-and-signing-on-server


#9

No, you don’t need that in manual mode. Yes, the web server has to be reachable, just like your mail server would have to.

That may be true if certificates were long-lived, however, I doubt that it’s more secure.

Right, but standalone mode can simply kick off a simple HTTP server, it’s a lot simpler than a mail server.


#10

No, you don’t need that in manual mode.

And how should I get a cert if my OS doesn’t run the client?


#11

Any web server can deliver the payload, it’s just a simple JSON payload with a special content-type header, there’s no need for it being the LE client or a LE configured web server.
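
The mechanism described in the post above, as an added example that is not part of this thread and is not the Let’s Encrypt client or the real ACME challenge format: a plain HTTP server answers a well-known URL with a token-keyed payload, and a stand-in for the CA fetches that URL and checks what it finds. The path prefix, the JSON body, the content type, the “simpleHttp” type name and the token value are all assumptions constructed for the illustration; only the shape of the exchange (CA sends a token, domain owner serves it back over HTTP) is the point.

```python
"""Token-over-HTTP validation responder (added example, not the LE client).

Assumptions (not from the thread or any spec): the path prefix, the JSON
body, the content type and the token value below are all constructed.
The validator plays the CA's side against the local responder.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"   # assumed path prefix
CONTENT_TYPE = "application/json"                   # assumed content type

# token -> payload the CA expects to find there (constructed sample data)
CHALLENGES = {
    "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA": {
        "type": "simpleHttp",  # assumed type name
        "token": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
    },
}


def challenge_response(path, challenges=CHALLENGES):
    """Map a request path to (status, content_type, body).

    Only an exact token under the prefix is answered; anything else,
    including nested paths, is a 404 so the server never reflects input.
    """
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, "text/plain", b"not found"
    token = path[len(CHALLENGE_PREFIX):]
    if "/" in token or token not in challenges:
        return 404, "text/plain", b"not found"
    body = json.dumps(challenges[token]).encode()
    return 200, CONTENT_TYPE, body


class ChallengeHandler(BaseHTTPRequestHandler):
    """Any web server could do this; it is just a GET with a fixed body."""

    def do_GET(self):
        status, ctype, body = challenge_response(self.path)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def serve_in_background(port=0):
    """Start the responder on loopback in a thread; return (server, port)."""
    server = HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def validate(port, token, expected_token):
    """The CA's side: fetch the well-known URL and compare the token.

    A missing file (404), a wrong content type or a mismatched token all
    fail validation; a transport error is not treated as success either.
    """
    url = f"http://127.0.0.1:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urlopen(url, timeout=5) as resp:
            if resp.headers.get("Content-Type") != CONTENT_TYPE:
                return False
            data = json.loads(resp.read())
    except HTTPError:
        return False
    return data.get("token") == expected_token


if __name__ == "__main__":
    server, port = serve_in_background()
    token = next(iter(CHALLENGES))
    print("known token validates:", validate(port, token, token))
    print("unknown token validates:", validate(port, "nope", "nope"))
    server.shutdown()
```

Run it as a script and it starts the responder on a random loopback port, validates the constructed token, and shows that an unknown token fails. Swapping the stdlib server for IIS, nginx or a static file under the same path changes nothing on the CA’s side, which is the post’s point.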


#12

You need additional knowledge for that. The browser solution will work for everyone out of the box.
And it seems pretty easy for LE to implement such a solution.

The user can create an account (password login is fine) at letsencrypt.org, add and validate his domain (with a method he’d like to use) and generate a cert.

For in-browser cert generation see: https://stackoverflow.com/questions/9197484/generating-client-side-certificates-in-browser-and-signing-on-server

It also offers a script for that


#13

Everything is explained step by step by the LE client in manual mode, you don’t need any knowledge for it.

Stop talking about a browser solution, it’s an email based validation, it doesn’t have anything to do with browsers. The manual mode of the LE client could be a website as well.

Additionally, it will only work as long as you have set up a mail server, not everybody has this.

Keys and tokens are a lot more secure.

You don’t have to repeat that link. As far as I can see it’s about client side certificates, not server side certificates. LE doesn’t have any plans to support client certificates (yet). Additionally, private keys shouldn’t ever leave the server they’re generated on except for encrypted backups, so it doesn’t make sense to generate them in your browser.

Especially if you don’t need HTTPS, just use the LE client in standalone mode to obtain a certificate, it’s really easy and straightforward and doesn’t require a mail server nor any knowledge.


#14

Stop talking about a browser solution, it’s an email based validation, it doesn’t have anything to do with browsers.

You are mixing everything around. An in-browser solution has nothing to do with the mechanism of validation. In an in-browser solution you can use HTTP verification as well. Or you can use mail verification in the LE client tool…

Both things are completely independent.

Keys and tokens are a lot more secure.

If you have well-working brute-force protection and a password policy, the answer is simply no. Safety is equal.

You don’t have to repeat that link. As far as I can see it’s about client side certificates, not server side certificates.

No, it’s about “How to generate a certificate in the browser”. Maybe you can’t use the code without any modifications, but if you are able to set up a project like LE it shouldn’t be a problem to adopt the solution. If you don’t believe me that this is possible: request a free certificate from startssl.com. They use this…


#15

Sorry, your initial post is confusing things and talks about two different topics at once.

You’re absolutely right.

Weak passwords are the one side, the other side is people reusing passwords.

I know how StartSSL works, it’s the solution I’m currently using for https://dev.kelunik.com/login and another site.

One of the main points of LE is to automate issuance and renewal, using a browser workflow to issue certificates goes against that goal.


#16

This topic is going nowhere fast. How about you two wait a little while and cool down?