I love LETS ENCRYPT

Hello Let’s Encrypt Team
Kudos to your work. You guys built an amazing thing to make internet secure. I’m a Computer Science enthusiastic, I want to know how do I make a platform, let’s say I m capable of creating my own ACME client , how can I help let’s encrypt team to bring more people to create certificates
.

I want to understand how to create certbot kind of platform to use Let’s encrypt is CA. Please point me to some knowledgebase so I can work on some easy graphical UI platform to create certificates and mange let’s encrypt certificates.

Thank you

8 Likes

Hi, here is the ACME spec: RFC 8555: Automatic Certificate Management Environment (ACME) - you can use that to implement a client. There are also various libraries which already implement ACME including certbots own python acme library. It depends which programming languages you want to use.

Here is the list of all the other ACME clients people have built, some of which do have a UI (the majority are command line tools): ACME Client Implementations - Let's Encrypt

5 Likes

On the topic of creating a UI, don't make a website that generates a private key and gets the certificate for you (they already exist) - these violate the need to secrecy of the private key and should be completely avoided for real certificates.

5 Likes

Thank you , I understood.

Just a couple of quick queries :

  1. So the ACME client I can create (I know there are many, I ll study them), I am interested in programming my own client for Let’s encrypt (I ll make an attempt), for this , I need to interact with let’s encrypt apis which is https://acme-v02.api.letsencrypt.org/ ?? Is there any source to know more about Let’s encrypt apis , that would be great helpful.

  2. Correct me if I’m wrong, You are saying no to UI, because the private keys needs to be confidential, so even if we make an attempt to use crypto browser web api, it would be still not helpful to renew certificates right ? For that reason, you are saying not a good idea to do in the UI side??

Thank you for your time.

1 Like

There is no other docs for the Let's Encrypt API that I know of.

So you want to avoid storing the private key on a server you host, instead private keys should be kept on the users computer(s). A UI that works in the browser and generates the keys on the client side would be fine, because the private key doesn't leave the user controlled environment. There's nothing wrong with having a UI (I develop a desktop UI) but private keys need to stay with the user.

5 Likes

The other consideration is that while you can make tools (like https://greenlock.domains/ etc) to fetch a certificate on behalf of a user, they then need to install that cert and repeat the process at least every 90 days. Manual processes are basically a novelty you could make for fun but they're generally not a practical solution for serious use.

5 Likes

Doing such a thing would require the user to either audit the code or trust it. As it is client-side code and not server-side code, This can become very hairy since the server cannot necessarily trust the security of the client-side implementation. Additionally, the private key ends up on a machine on which it will not be used and thus will need to be securely transferred to the intended machine then purged from the original machine.

There is also the enormous question of who controls the private key for the ACME account.

This type of design has been done many times with highly questionable results.

Just don't do it.

3 Likes

A post was split to a new topic: WebCrypto and the LE Subscriber Agreement

Yep. Already given:

We are almost constantly being asked in this community for a "simple path" to writing an ACME client. While I certainly encourage innovation and options, I also encourage those who show an interest in doing so to be sure of their motivations and willingness to put forth the effort.

3 Likes
  1. For testing, please use the Staging Environment
  2. Is addition to the RFC, you may want to look at Let's Encrypt's documented deviations from that spec.
5 Likes

Since nobody else has, I will: they're saying "no" to a remote, web-based UI like ZeroSSL (well, like ZeroSSL used to be)--even when they don't compromise security or violate the subscriber agreement, they're just a bad idea. There are a couple of these already, and we generally discourage them. But there's nothing wrong necessarily with a GUI, or even a web-based GUI.

For the first case, if you want to write software to get a cert for the system on which it's running, and you want to code a GUI for that software, go right ahead--there's no reason not to do that, and many of other folks have.

For the second case, if you're writing software to run on a remote server, to get a cert for that server, and you want to code a web-based GUI for that software, again, this is perfectly OK, and dozens of software products do this.

What we're discouraging is a website that you go to, engage in a series of interactions to get a cert, which you then have to download and install somewhere else. And then repeat that action every 60-90 days.

I'd also encourage you, if you're wanting to write something for public release, to consider what your software will do that other software doesn't (or at least doesn't do as well). There are a lot of ACME clients out there (a link to the list was already given up-topic), and I'm not sure I see a need for another standalone client--but there certainly could be. I'm not at all saying "don't do it;" I'm just saying try to identify a need that isn't met first.

7 Likes

That's very well put @danb35. :yellow_heart:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.