Let’s Encrypt and TLS automation flaws

Let’s Encrypt is the leader of TLS internet security automation, here is where it fails.

Background:
Let’s encrypt allows us to authenticate using one of two methods:
You can bring up a temporary http server on port 80
Alternatively you can give it the file path to the web root of the domain, which also requires port 80

The flaws:
I am currently faced with a complicated problem, let me give you some background on my basic secure set-up. I am using FreeBSD release 11(don’t use stable) with BSD jails for security. In one jail I have a FAMP stack, with Nginx handling TLS certificates and providing a local proxy to an obscure apache http port.

Every time I need to renew certificates I need to bring Nginx down run the temporary authentication server and start Nginx up again. This usually takes less than 5 minutes.
having to do this once every 3 months I thought it was acceptable to bring the website down once every three months some time on Sunday night or Monday morning.

That being said, as I continue to progress in having a solid server, I thought it was time to authenticate using the second method. The second method creates a hidden directory in the domains web root provided by the user. Unfortunately for me I modified the .htaccess file on all my web roots to disable access to hidden files and folders. I could go back to to the .htaccess file and either make an exception or remove the restriction, but why should I? I installed Let’s Encrypt in the hopes of securing the server not making it vulnerable. Maybe I am just ranting because there is a better way and every webmaster is aware of it, a none hidden file in the web root with a hashed name.

Flaw Number2:
Might as well get all the bugs fixed at once right, well there is another problem. On that same box I have a mail server(I know…) on a different jail. I would like the jails to be autonomous for security purposes, that being said this jail has no access to port 80, and it never will. It would be nice if I could use yet a third method of authentication that does not require port 80. It’s not just this complicated jail set-up that requires this third method of authentication it allows users to renew certificates with out bringing the server down if they are using a http server that does not have a writable web root(is that even a thing?) like the Scala Play Framework. I doubt websites like Ford.com, Jeep.com or Amazon.com have a hot modifiable web root. Let’s Encrypt should be made for everyone!

Hi @Alvaroisit,

This is a mistaken description. Let’s Encrypt allows you to authenticate using one of three methods:

HTTP-01 - serving a specified file via HTTP on port 80 (using an existing web server or a temporary web server)
TLS-SNI-01 - serving a specified certificate via TLS on port 443 (using an existing web server or a temporary web server)
DNS-01 - serving a specified TXT record in DNS related to the domain name for which authorization is being requested

Using port 80 is only one of the three methods. From the CA’s point of view, using an existing vs. a temporary web server doesn’t matter; that’s a client implementation detail and the CA doesn’t know whether the web server that satisfies the challenge is the a web server that would “normally” be receiving connections or not.

2 Likes

We have also had previous discussions on this forum with other people who didn’t care for the dot at the beginning of /.well-known. This name is used because it’s an Internet standard.

https://community.letsencrypt.org/search?q=rfc%205785

1 Like

I second @schoen

I don’t believe these are flaws rather your configuration and possibly your understanding of the ACME protocol and the functioning of the Certbot Client.

For example why are you not using the NGINX Plugin ?

The stats also don’t back up your theory https://letsencrypt.org/stats/

If the Protocol (ACME) and implementation of it (Let’s Encrypt CA) was as flawed as you said it would not see such wide adoption and growth rates.

Andrei

Sweet, perfect. I stand corrected. Where can I find the manual or guide for setting up the specific TXT file on DNS-01?

This is all specific to the particular client that you’re using. :slight_smile:

Which client are you using? acme.sh probably still has the best overall support for using the DNS challenge (but not as much support as Certbot for automated renewals, as far as I know).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.