Installing unsecure software to generate a cert?

There are plenty of references available for running a secure production environment.

If you are unfamiliar with such, that’s fine. And if you don’t want to run in a secure environment for your production server, that’s your choice. But teaching you about it here is beyond the scope of this thread.

Again, if you have nothing to contribute, could I ask you to not pollute the thread? Thanks.

2 Likes

@Andrew, while I appreciate your criticisms of Let’s Encrypt, you are being abusive to other forum members. That behavior is unacceptable on this forum. Please stop.

7 Likes

I certainly did not intend to be abusive to anyone - even in the face of the abuse I was shown - and I sincerely apologize for any offense which was taken.

  1. What software do you use to generate your private keys and CSR? Is it OpenSSL or something else?
  2. If you don't trust the LE python utility, you're free to implement your own ACME client. It's only a question of the protocol, not of the frontend.
  3. And - last but not least - you're free to run the LE client in "manual" mode on any other system and just copy the received certificate to your production system.

But: if you don't like Let's Encrypt, just buy a cert anywhere else or grab a free one at StartSSL or WooSign.

3 Likes

As @klk wrote, you can create your own ACME client, mine is a 350 line php script that uses only php openssl and php curl.

2 Likes

@Andrew I agree with you that you should not be forced to install a certain software (modifying your configuration files) on a production server to use let’s encrypt and if you read the documentation it also is not at all necessary.

You can for example use the docker version of the LE client and run it on any other machine you want for verifying the domain. The only thing you need is a simple proxy_pass rule (nginx) to another host where you run the client or docker container if you also do not trust the docker container security.

I described such a solution a few days ago in the LE forum.

So in general I think your demand is reasonable but can be resolved easily.

3 Likes
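
The proxy rule described in the post above, as an added example that is not part of the original thread: an nginx server block on the production host that forwards only ACME HTTP challenge requests to a separate machine running the client. The server name, the upstream address `192.0.2.10:8080`, the web root and the assumption that the client answers challenges on that port are all placeholders.

```nginx
# Added illustration; names, addresses and paths are placeholders.
server {
    listen 80;
    server_name example.com www.example.com;

    # Forward only the ACME HTTP challenge path to the machine that runs
    # the client (or its docker container). No client software is
    # installed on this host, and no other path is exposed to it.
    location ^~ /.well-known/acme-challenge/ {
        # No URI part after the address, so the request path is passed
        # through unchanged.
        proxy_pass http://192.0.2.10:8080;
        proxy_set_header Host $host;

        # Challenge responses are short text tokens; fail fast if the
        # validation host is not answering.
        proxy_connect_timeout 5s;
        proxy_read_timeout 10s;
    }

    # Everything else continues to be served by the production site.
    location / {
        root /var/www/example;  # placeholder web root
    }
}
```

Once the certificate is issued on the other machine, it is copied to the production host; the `location` block can stay in place for renewals.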

well most CAs let you give them a CSR via the browser or similar from a far different computer and the validation usually occurs via either the administrative email addresses or the whois address, which means your server does not need anything, while with manual mode you have to post files on it (which should be no problem but whatever)

well it seems to be wosign and they seemingly don’t offer SAN Certs for free, each extra domain is 1,99 Dollars per year of validity, which isn’t really expensive, but same as sssl it isn’t free to do SAN or wildcard.

honestly LE should have the ability to create certs using a browser interface, wildcard certs and up to 1 year of validity.

1 Like

@jbvignaud would you be willing to share your PHP ACME client?

Things like that are what is great about the open source community, we can share the code, see what it’s doing and make an educated decision as to if we trust it or not. I personally reviewed the LE Client code, and made an educated choice to clone the repository and run it on my production servers. No one is forcing the use of that client on anyone. Closed source software, just like closed business/organizations (those who are not as transparent about their practices as LE) can’t be appropriately evaluated to make a decision to be trusted or not.

3 Likes

Mine is here: https://github.com/kelunik/acme. It just includes the basic components, other things will be in https://github.com/kelunik/aerys-acme once it’s finished. Maybe I’ll move something from aerys-acme to acme, because it’s generally usable, but let’s see. Will be an integration for Aerys once it’s finished.

4 Likes

aerys-acme doesn’t seem to exist.

also how to use that PHP client, having a web interface for cert stuff sounds epic, if you ask me

1 Like

I know, I’ll push it once it’s working, probably tomorrow. :wink:

I want to be CLEAR here.

There is NO SUCH THING as a secure environment. If a maintainer assumes their production environment is secure because they maintain strict control over it, then they are already setting up for failure. This includes environments in the Cloud, Hybrid, and Dedicated settings. In my experience, even the most mundane of packages could lead to full liability (bash anyone?)

With that said, Andrew, you are right to be concerned and rightfully so. Any time something new is introduced into a mission critical environment, extensive testing and vetting should be carried out. Never should something be introduced into mission critical production environments without a failover plan for just in case something does go wrong. Though that is more along the concerns of downtime, and not getting hacked. That would be what data at rest encryption and backups are for.

–… Archer

1 Like

well but a software that is confirmed to be unstable, I see the reports and many seem to be not that easy, I’d rather use manual mode and there the 90 day thing is WAY less than practical.

1 Like

It’s still in beta, it’s not yet advised to run it on a production environment…

2 Likes

yeah but do you think they will resolve all the issues in a week, well actually I don’t.
because if the thing will be used in production it needs to be rock-solid and that will take quite some time, probably…

Maybe they’ll push the GA again, I think that’s the better option actually.

nah rather make an issuance that does up to a year (if manual is used) and work on the automation while LE continues to grow.

I mean there isn’t even a proper client for windows that supports anything other than IIS and even that isn’t from LE but 3rd party.

3 Likes

Third party clients are totally fine. Rather make it stable instead of just issuing long-lived certificates now.

well I’d say it should work at all from the start and be compatible and a client that only supports IIS on windows and obviously the main client which supports apache and nginx on linux (or manual mode) isn’t really what I call compatible. and as long as there isn’t rock hard automation for everything there should be the possibility to make 1 year certs with manual mode especially since on shared hosting you CANNOT really automate LE into uploading your cert into some web gui that might change anytime.

1 Like

Right… shared hosting should really die…

Regarding supported servers: While using the webroot authentication method, everything should work just fine with other servers as well.

2 Likes