Installing unsecure software to generate a cert?


#1

Why does LetsEncrypt require the installation of several unsecure software elements just to issue a certificate?

I have dealt with various CAs in the past - none of whom require me to install anything on my server (especially not software which should not be installed on a production server in a secure environment) - to issue a certificate.

When will a production-quality, secure method be available for certs from LetsEncrypt?


#2

Just use https://github.com/diafygi/letsencrypt-nosudo if you’re not okay with their letsencrypt-auto script.
(note: run it in screen or tmux, it will require you to run some commands manually)


#3

Let me say it again, perhaps more clearly: even that requires installation of software on a production server that has ABSOLUTELY NO BUSINESS BEING THERE.

When will a production-quality, secure method be available for certs from LetsEncrypt?


#4

@mlp
Even if your solution was secure it would be impractical due to LE 90 day cert lifetime policy.


#5

Integrity of Software Downloads:
https://www.youtube.com/v/OZyXx8Ie4pA&start=273&end=343&autoplay=1&modestBranding=1&rel=0&showinfo=02


#6

That doesn’t requires any installation of software, just use of a python command.
You can run the letsencrypt-nosudo on any computer, even a non-production server. That’s its main benefits, the only command you’ll need to run on a prod server is a python command as root to pass the challenge.


#7

Some organizations include python in their production environment, for whatever reason. That’s a choice they can make.

It is not a choice anyone else is permitted to make for my production environment.

No other CA I’ve dealt with has this problem. I would expect better from LetsEncrypt, not worse.


#8

@Andrew If I am reading correctly then your reservations are the use of Python? is that correct?

I believe that they are not making a choice for what you run in your production environment and do provide means of off-server validation (needs confirming).

EDIT: Although some aspects must be done on the server side for validation a large amount can be done off server. Additionally there is documentation enough to manually create the server side stuff however you wish and manually if you so desired.


#9

@molyfra You appear to have completely missed the problem.


#10

@Andrew please enlighten me… I believed you were referring to the use of Python, perhaps I did in fact read wrong.


#11

Like I said. Even if your solution is secure. Manual interaction required makes it impractical due to the LE 90 day cert lifetime policy. LE 90 day cert lifetime is not practical for production environments that are not fully automated.


#12

@Andrew, please enlighten us as to what you feel would be a secure production quality solution for LE, especially given the 90 day expiry window.


#13

You can write your own program to integrate with Let’s Encrypt based on ACME, if you are really concerned about some software in their client. I don’t think that client has anything magic. What you need to do is to send request and resolve the challenge.

If you have no interest in doing that, and there is no alternative which meets your requirement, or you don’t want any automatic program at all, you can just use whatever CA you like which does not require any software installation. I believe COMODO issues 90-day free certificate as well.


#14

So your best answer is that LetsEncrypt is only good as a toy? That’s a shame.


#15

So what software are you using on your production server? How can you confirm they are secure enough? Or probably you just reply every http request by hand so that you don’t need any software there? :smile:


#16

Your attitude is definitely not helpful in any way.

I have used various CAs in the past, and NONE have ever tried to dictate software which they required me to install on my server - nor should they: it is completely inappropriate.

Is it a problem with the ACME protocol that limits use to non-production environments? Then perhaps that protocol should be reconsidered. I have never encountered any other CA which presents this problem: perhaps it would be wise for LetsEncrypt to consider adopting the solutions they employ.


#17

Right, that’s a problem with the ACME protocol. And this is also a problem of HTTP protocol, no? Before the web started to exist, you communicate with others via writing or talking. You didn’t need any software. Why we need installation of software in the production server just for supporting HTTP protocol to handle what we can always do with writing or talking?


#18

If you have nothing useful to contribute, could I ask you to not post, so that others who can contribute can have their posts seen. Thank-you.


#19

All I want to say is, if you really hate having certificates issued automatically via program, you are probably just not a target user of Let’s Encrypt. No one stops you from using any tranditional method to get certificates from other CAs.


#20

But @Andrew, Upsuper raises a valid point. How do you expect to go about it in a secure production environment worthy fashion?

The use of the Acme protocol / LE process can be equated to running nginx or Apache for serving your http requests, OpenSSL for https, sshd for sftp / ssh, etc…

How is its use (LE) insecure? How would you do it? How would you handle the rapid expiration of many certs? What makes it so insecure vs anything I mentioned above?