I'm Completely Lost


#1

Just had a chance to crack open the beta instructions for the first time. Sorry, but I am completely lost after just the first sentence.

I mean, I know git and linux, but I just have a WordPress site. The server is controlled by GoDaddy. There’s no way I’m running Python scripts and what-not.

I sure hope this Beta methodology is to get the underlying process tight, and that a subsequent test will be WAAAAYYYYY more automatic. There’s no way the average Joe is going to sign up for letsencrypt if they have to know git and run linux commands on their server.

Unless you have way more dumbed down, real push-button instructions for the beta test, please take me off the list and give my beta slot to someone who can use it.


#2

Hello!
You don’t necessarily need python scripts. As long as you can pass the “challenge” (= prove domain ownership), it’s all good.
You should try some other ACME clients out here (especially this one https://github.com/diafygi/letsencrypt-nosudo)


#3

Save yourself some hassle and get a free cert from WoSign (https://www.wosign.com/english/freeSSL.htm)

Between the whole 90 day cert lifetime limit and the need to install a whole bunch of stuff and the desire to have everything automated, I gave up waiting for this and just got a couple of 1 year certs from wosign. That was pretty painless.


#4

Beta is really a misnomer. Current state of Let’s Encrypt client is more akin to alpha.

My first impression was one of dismay. Some of their selling points are, quick, easy, anyone, less than a minute, only two commands, fully automated, and so on. Nothing could be further from the truth. That only exists once a bunch of other stuff is in place which could take considerable effort and even then is hit and miss on most platforms.

Making automation a practical necessity (90 day cert lifetime) is a joke.


#5

@ac000 but now wosign doesn't do any SAN (except for with and without www) without money.

and most of the time their page doesn't even load properly.


#6

I believe that the current state of Let’s Encrypt as a CA is production ready. I believe that the software to use Let’s Encrypt as a CA is in Alpha. The result is that, in its current state, non-technical users cannot use the service. Technical users can use it but only if they are willing to invest the time.

The 90 day lifetime aspect has been hashed out beyond belief.


#7

Careful. Don’t mention push buttons or you’ll get censored by the thought police!


#8

I’m using StartSSL certs.


#9

That’s what happens when policies are beyond belief and inflexible even though there are no hard requirements.


#10

truly. I mean if you actually can automate, you could easily serve even 7 day certs but with HSTS it would be a real pita. well when DANE comes high enough everyone can create their own CA for their domain


#11

This thread raises a good point. Is there a PHP ACME client?
I think there will be a lot of people that can only run PHP on their website.


#12

well you can use manual mode from a completely different computer and then you have to put a file at your webserver which obviously must be accessible from the outside.
for example like this:

http://my1.info/.well-known/acme-challenge/E_alwJ4LTi1BO1KyPbzY3VwyyhGZsBljT7wRm9OGouE


#13

The biggest issue with that is probably that it’s usually not PHP “doing the SSLing”, but a separate web server like apache or nginx. While a Let’s Encrypt client written in PHP would work just fine, you will need to find a way to pass those certificates to your web server and force a reload. That’s usually not something you can do with shared hosting, where, if they offer SSL with custom certificates at all, it’s usually some kind of web interface where you have to manually upload the certificate. At that point you might as well use manual mode from your own PC, and upload the challenge files by some other means.
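What the manual-mode challenge file from posts #12 and #13 has to contain, as an added example that is not part of the thread or of any Let's Encrypt client: under the http-01 challenge as standardised in RFC 8555, the file named after the token holds `token.thumbprint`, where the thumbprint is the RFC 7638 SHA-256 digest of the account public key. The account key values are constructed placeholders, the token is the one from the URL in post #12, and the function names are this example's own.

```python
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

# http-01 tokens use only base64url characters; refusing anything else keeps
# a malformed token from naming a path outside the challenge directory.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

# Required JWK members per key type for an RFC 7638 thumbprint.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, sorted, with no whitespace."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token has characters outside the base64url alphabet")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def write_challenge(webroot: Path, token: str, account_jwk: dict) -> Path:
    """Create <webroot>/.well-known/acme-challenge/<token> for later upload."""
    body = key_authorization(token, account_jwk)  # validates the token first
    directory = webroot / ".well-known" / "acme-challenge"
    directory.mkdir(parents=True, exist_ok=True)
    path = directory / token
    path.write_text(body, encoding="ascii")
    return path


# Constructed placeholder values, not a usable key; a client supplies the real JWK.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_TOKEN = "E_alwJ4LTi1BO1KyPbzY3VwyyhGZsBljT7wRm9OGouE"  # token from the URL in post #12

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # stands in for a local copy of the site
        created = write_challenge(Path(tmp), SAMPLE_TOKEN, SAMPLE_JWK)
        print(created.relative_to(tmp), "->", created.read_text())
```

The resulting file is what gets uploaded to the shared host by whatever means it offers; because the content binds the token to the account key, a file copied from someone else's order does not validate for a different account.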


#14

Which completely negates the automation goal and makes 90 day cert lifetime impractical. Yes we all know that xyz can be done manually. But that is not a practical solution due to very short cert lifetime.


#15

I know and that’s probably a reason why LE is still in beta, because the compatibility is junk


#16

It is true that there are several sites that offer free certificates. But they aren’t adopting any of the unique Let’s Encrypt ideas, which have the potential to bring security to the entire Internet, almost automatically. I don’t blame you for giving up the wait, but for those who can wait a little longer, automated certificate management is coming. Community software development does take some time. Note also that WoSign is based in China. This might prove problematic for you over time.


#17

NOYB, Yes, the current state is like Alpha, very true. But short-lifetime certificates are more secure, which is why they were chosen. And don’t forget that their renewal will be automatic. They won’t act like short-term certificates.


#18

@david7364 well they plan to make it automatic, yes, but you cannot automate everything, for example in shared hosting.
also, why not give the option that when actually using manual that longer certs (like 1 year) are possible.


#19

My1, Yes, I do agree. There is the issue of not being able to automate on strict shared hosting. Your point needs to be addressed, probably with partial automation and longer expiration periods.


#20

What were you expecting, exactly? For letsencrypt to magically install a certificate for your site? I hope for your sake that your server is secure enough that changing the configuration of the web server is something that does require elevated privileges.