How to provide CSR and verify identity without HTTPS?

:astonished:

Must be a lot more flexible than my own Open ACME client, which is 1000 lines long including my own ASN.1, DER, private key, and CSR decoders. Granted, it's PHP though.

1 Like

You could probably write your own acme client script just reading the code and comments of gethttpsforfree.com if you wanted the challenge. :slightly_smiling_face:

1 Like

THIS is what I needed.
This is what I want somewhere on the letsencrypt site.
I am about to put your page to a test…

I'm afraid LE doesn't endorse methods which can't be fully automated. Their argument is that full automation is directly part of their mission. They even removed the web-based clients from the list of clients on the official web page.

I use Caddy which uses the Certmagic library. It's amazing, just configure a directive for your site, start the application and bang, it's secure by default out of the box. I wish every webserver did that (c'mon nginx and apache)

That's the world Let's Encrypt is trying to make, where you have to go out of your way to configure your server to be http only. Because of that endorsing an option that requires users to manually tinker with keys is sort of weird. However because ACME is an open protocol there's nothing stopping any random person from making a web based Let's Encrypt client.

Thus alienating a whole host of potential subscribers who cannot or do not wish to install and configure a separate client. IMHO automation is important, but encryption is paramount. Hence why it's called "Let's Encrypt" and not "Let's Automate Our Encryption".

Just because one cannot navigate the DMV bureaucracy (install and configure an ACME client) does not mean that one should be relegated to staying home (HTTP) or taking an Uber (ZeroSSL).

Just my two cents.

2 Likes

Tried it an hour ago; the moment it was suggested that I download a private key, I washed my hands of it..

Just opt not to have them generate a private key? (Anyway, oftentimes those sites generate it in your browser in JavaScript, so they never have possession of it anyway.)

:joy: Yeah. I thought they let you submit your own CSR. Just be aware of the analyses in the link from @stewe. They still hold. Sometimes they'll claim to generate your private key in browser on the client side and such. I don't put much stock there. Then again, as @Osiris already pointed out: where do we draw the line?

1 Like

Looks like bait and switch. I signed up, gave the CSR, and...
Downloaded the cert, with CA, and a private key...
No thanks.

Tried it. Generated the digested message. And the site did not accept it...

I've used it MANY times. What happened exactly? Maybe I can help.

1 Like

Digested the message using this command, where account.key was changed to the location of my private key, which was used for the public key and for the CSR.
PRIV_KEY=./account.key; echo -n "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.eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZX0" | openssl dgst -sha256 -hex -sign $PRIV_KEY

Got the output, but the output was not accepted.

1 Like

First off, the public key at the beginning of the gethttpsforfree.com process cannot be the certificate public key. It is your ACME account public key.

2 Likes
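The mix-up in the two posts above comes down to which key signs what. The following is an added example (not code from the thread or from gethttpsforfree.com) that reproduces it with plain openssl: it generates a separate account key and domain key, builds a CSR from the domain key, signs the kind of protected-header.payload string quoted above, and checks which key the signature verifies against. The domain name `example.test`, the temp-file layout and the minimal `{"alg":"RS256"}` header are constructed for the example; a real ACME protected header also carries the nonce, URL and account id.

```shell
#!/bin/sh
# Added example, not code from the thread or from gethttpsforfree.com.
# The JWS signature an ACME server checks must come from the ACME *account*
# key, while the CSR is signed with the separate certificate (domain) key.
# Both keys are generated here on the fly; "example.test" and the bare
# protected header are constructed values.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two distinct keys, which is what the site's two-key workflow expects.
openssl genrsa -out "$WORK/account.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/domain.key" 2048 2>/dev/null

# The CSR is signed with the domain key; its public key is what the CA certifies.
openssl req -new -key "$WORK/domain.key" -subj "/CN=example.test" \
    -out "$WORK/domain.csr" 2>/dev/null

# Constructed ACME signing input: base64url(protected header) "." base64url(payload).
# The payload is the one from the command quoted in the thread,
# {"termsOfServiceAgreed":true}; the header here is just {"alg":"RS256"}.
SIGNING_INPUT='eyJhbGciOiJSUzI1NiJ9.eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZX0'

# signature_accepted SIGN_KEY VERIFY_KEY
# Signs SIGNING_INPUT with SIGN_KEY (the same "openssl dgst -sha256 -sign"
# the site asks for, without -hex) and verifies it against the public half
# of VERIFY_KEY. Exit status 0 means a server holding VERIFY_KEY's public
# key would accept the signature; 1 means it would reject it.
signature_accepted() {
  printf '%s' "$SIGNING_INPUT" | openssl dgst -sha256 -sign "$1" -out "$WORK/sig.bin"
  openssl pkey -in "$2" -pubout -out "$WORK/verify.pub" 2>/dev/null
  printf '%s' "$SIGNING_INPUT" | openssl dgst -sha256 -verify "$WORK/verify.pub" \
      -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# csr_matches_key CSR KEY
# The check behind "a cert that matches my private key": the public key
# embedded in the CSR must equal the public half of KEY.
csr_matches_key() {
  openssl req -in "$1" -pubkey -noout > "$WORK/csr.pub"
  openssl pkey -in "$2" -pubout -out "$WORK/key.pub" 2>/dev/null
  cmp -s "$WORK/csr.pub" "$WORK/key.pub"
}

# Demonstration when run directly.
if signature_accepted "$WORK/account.key" "$WORK/account.key"; then
  echo "signed with account.key: accepted (this is the signature the site wants)"
fi
if ! signature_accepted "$WORK/domain.key" "$WORK/account.key"; then
  echo "signed with domain.key:  rejected (the mistake described above)"
fi
if csr_matches_key "$WORK/domain.csr" "$WORK/domain.key"; then
  echo "CSR public key matches domain.key"
fi
```

The only difference between the accepted and rejected case is the key handed to `-sign`; the signing input and the digest are identical. That is why the site's public-key step has to be fed the account key and the CSR step the domain key, and why "I can sign many certs with the same private key" is true but beside the point: the ACME signature is over protocol messages, not over the certificate.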

Oh, I see… Though I don't see reasons why not. I can sign many certs with the same private key. But OK…
Let's try again.

1 Like

Yep, that was it. Two beers, a few digests and half an hour later, I got a cert that even matches my private key. Thanks!

1 Like

Perfecto. :smiley: It's laborious, but gethttpsforfree.com really is the pinnacle of free SSL certificate acquisition paranoia.

1 Like

You may not be aware of this, but this is a discussion that's happened roughly 100 times here already. It's been very thoroughly discussed, and LE has no intention of changing their position. If you're unable or unwilling to use client software, LE really isn't the CA for you. Yes, you can do it, and no, they won't take active steps to prevent you, but you'll be fighting the design of the system every step of the way.

5 Likes

I was thinking of a disposable OS account and some ACME app that only deals with the CSR and has no access to the private key/doesn't generate one. Is that an option?

I can google, but I am now over 18 hours without sleep, and it shows.

Or maybe even a disposable VM…

As long as it can answer the required challenges, sure. :slightly_smiling_face:

1 Like