How to provide CSR and verify identity without HTTPS?

Hello.

I am an old school user.
I am not planning to have web server.

I want SSL for personal email servers and perhaps other services.

I can modify DNS records at will.
I can provide CSR at will.

I am more than familiar with OpenSSL.
So… how do I go about it with you?

There are ACME clients available, like "certbot", which can spin up a temporary webserver for the challenge required to validate your hostname. This would need an open port 80 for HTTP access to that temporary webserver.
If you don't have the ability to have an open port 80, you could use the dns-01 challenge, which uses the DNS system. For automation, the best thing would be to have an ACME client with a DNS plugin which can interface with your DNS provider's API. "certbot" has a few DNS plugins, but the ACME client "acme.sh" has a lot more. You'd need a DNS provider with an API though, as manually adding TXT records to your DNS zone every 60 to 90 days is very cumbersome.

I see it differently.
I want to install as little software as possible.
Also, I have access to bind and I am feeling rather comfortable with the console, named-checkzone and emacs-nox.

So how would I go about actual DNS validation?

Thanks in advance!

See what differently exactly? That wasn't clear to me.

"acme.sh" is very small, just bash with few dependencies.

Good! So you can make use of RFC2136 to update your DNS zone for the challenge(s).

You'll need an ACME client anyway to use the Let's Encrypt ACME API. So I would strongly recommend an ACME client with support for your DNS API, such as RFC2136. And as you want as little software as possible, "acme.sh" happens to include an nsupdate script so you can automatically update your DNS zone in bind.
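To make the dns-01 route concrete, here is an added example (not code from the thread, from Let's Encrypt or from acme.sh) that computes the `_acme-challenge` TXT value the way RFC 8555 specifies (base64url of SHA-256 over the key authorization, whose thumbprint part follows RFC 7638) and writes the RFC 2136 batch you would feed to `nsupdate -k <tsig-keyfile>` against bind. The JWK, token, nameserver and zone names are constructed placeholders; the bind `update-policy` grant mentioned in the comment is an assumption about how you would scope the TSIG key.

```python
"""Added example: dns-01 TXT value (RFC 8555 s8.4) plus an RFC 2136 batch for
nsupdate/bind. All inputs are constructed placeholders, not real key material."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically sorted, serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint, the string the CA expects you to prove control over."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record data is base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def nsupdate_batch(domain: str, txt_value: str, server: str, zone: str, ttl: int = 60) -> str:
    """RFC 2136 batch text: drop any stale challenge record, add the new one.
    Assumption: bind's update-policy grants the TSIG key only
    `grant <key> name _acme-challenge.<domain>. TXT;` so a leaked key cannot
    rewrite the rest of the zone."""
    name = f"_acme-challenge.{domain.rstrip('.')}."
    return "\n".join([
        f"server {server}",
        f"zone {zone.rstrip('.')}.",
        f"update delete {name} TXT",
        f'update add {name} {ttl} IN TXT "{txt_value}"',
        "send",
    ])


# Constructed sample values (placeholder JWK, not a real ACME account key).
SAMPLE_JWK = {"kty": "RSA", "n": "placeholder-modulus", "e": "AQAB", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-token-0123456789"

if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(nsupdate_batch("example.com", value, "ns1.example.com", "example.com"))
```

Pipe the printed batch into `nsupdate -k` with your TSIG key file, wait for the record to be visible from the authoritative server, and only then tell the CA to validate; remove the record again once the order is finalized.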

Let's put it this way: when some organization forces me to use some software, I don't want to do it.

I did not want to sound rude, but here we are.

I have no problem making a script that will auto update my DNS records myself, or just manually changing the cert once every couple of months (because I know how to make symbolic links, it would be an easy job).

So what are my options?
Thanks for help Osiris.

How do you mean "forces you to use some software"? Let's Encrypt utilises the ACME protocol. You need an ACME client to connect to the Let's Encrypt ACME servers. There's just no other way; the ACME protocol is way too complicated to utilise yourself by hand through telnet or something.

You are however free to choose your ACME client. See the list of client options on the Let's Encrypt website. Many if not almost all are open source software. Or develop your own. The ACME protocol is documented in RFC 8555.

There are also websites you can submit your CSR to. But in the end, on their backend, they are ACME clients too (without any possibility to check their source code!), so there's no gain there.

Great! But you'd still need a way to connect to the ACME servers though.

That also would entail connecting to the Let's Encrypt ACME servers.

I'm failing to see how making symbolic links helps you in "manually changing certs".

Choose an ACME client or develop your own (I recommend the former). Also, in the meantime, please read the How It Works and Getting Started documentation on the Let's Encrypt website.

There are tonnes of ACME clients. And I chose not to trust all of them. Software is prone to problems and attack vectors. Just because it's open source is no guarantee it won't mess with my server.

And yes, this exactly. A back end where I submit a CSR would be appreciated. I have no problem submitting a CSR to compromised software, as compromised software can't do much with my future cert.

Worst case scenario I get a 'compromised' cert, and the worst that can happen to it is that it gets disabled. Putting potentially compromised software on my computer compromises my whole LAN, and I've got significantly bigger problems as a result.

Nope, not if I use a CSR. And if the ACME servers accept a CSR, I am not using potentially compromised software I don't trust.

Purely from the perspective of managing/securing my system where such a keypair will be used. Nothing to do with issuance.

Unfortunately, this is not an option.
But Letsencrypt could provide a simple alternative to ACME.

I have seen authorization based on DNS records working before. Perhaps Letsencrypt could look into changing its policies on delivery/verification. I have seen similar questions on your website before.

Some people WANT to submit a CSR and get a cert in return and NOT install questionable software, even if it's open source.

I am one of those who raise the question. I bet a lot more people like me just pass by instead of using your service.

If you don’t want to program your own ACME client in accordance with RFC 8555 or use an existing, well-reviewed, open source client I’m afraid Let’s Encrypt won’t be able to fulfill your requirements.

In my opinion your best course of action would be to contact an existing commercial Certificate Authority that will be able to offer a solution more suited to your needs.


You'd still need to adhere to the ACME protocol to send your CSR to the ACME server.

Why for the love of IPU would Let's Encrypt provide """a simple alternative""" to the protocol they invented in the first place?

Let's Encrypt does use DNS record based authorization. Please read the Let's Encrypt documentation about Challenge Types.

Like I said, there are website-based ACME clients out there.


Any alternative to ACME would run counter to their mission. I imagine this is referring to a web interface like other CAs have. This couldn't be automated and would have to be repeated every 90 days, resulting in a very poor experience and a lot of broken websites.


It's a matter of preference I guess. Just because something can be automated doesn't mean it's better.
If I can write a small HTML/TXT howto, or code for a mini server, and all I need is a static page, I am not going to use a Java-heavy open source solution. Especially one used by millions, since it will be constantly under attack and at some stage someone will crack it and scan the internet for that specific set of scripts.

If I can write iptables rules myself, I'd rather do it than trust some script to do it. Etc.

I would have to look around, but I would prefer you, as you are backed by someone like Mozilla.

acme.sh currently is just 7454 lines of bash code. Nothing anyone couldn't check for backdoors on a rainy Sunday.

You can hide a lot in 7k lines of code.
Besides, a BASH script is not exactly the most secure kind of code.

BASH is known to behave in unpredictable ways, and the script uses tonnes of other programs, which can potentially have their own issues. It does not make it more trustable to me.
If it were 70 lines of code, then I would consider looking into it, and then again, I am not a coding guru.

I'm wondering, seriously: if you don't trust the code of such a rather simple piece of software, how do you trust the software you run on your server anyway? The mailserver you were talking about? How can you trust that? The software of your operating system? Why do you trust that?

You do realise that every piece of software has a backdoor included, because all the compiler binaries are infected with a backdoor too?


There are people with lock picks and the skills to break door locks/knobs and get in through the windows.
You still do have a lock on the door, I hope :wink:

I am getting mildly entertained by how you suggest I 'downgrade' my security on the website of an SSL provider, which is meant to make me more secure. :smiley:

With that said, I appreciate your responses. I mean it. And I hope someone will notice my little plea. Even if it doesn't get acted upon.


Related: Web browser based ACME clients

Or you could just generate your own private key and CSR, then use a website ACME client that only accepts a CSR. Yeah, it's not recommended by Let's Encrypt, but it does work with minimal invasion.

A couple that have been mentioned on this site are:
gethttpsforfree.com
freessltools.com/freesslcertificate

edit: @stewe beat me to it.


Now this is getting more interesting.
From the quick read I did, it looked like this thing generates the key + CSR on its own.
Thanks Griffin, Osiris.

I don't trust my private key to anyone but my servers and OpenSSL :smiley:
The CSR on the other hand is disposable, same as the CERT is.

Just be sure you are able to "install" your newly-minted certificate afterwards and be prepared to wash, rinse, and repeat every couple of months.

Me neither, but I definitely get @Osiris's point. Where do we draw the trust line?


No problem there. I am pretty PKI literate. As long as my moduli match, I'll probably be fine. Then it's a matter of soft links around services.

A couple of BASH scripts here and there and the inconvenience is reduced to 5 minutes once every couple of months. It's mostly for personal use.