Sorry in advance for the huge post.
Don’t apologise! It took me an embarrassing amount of reading before I felt confident I knew the difference between a protocol and a cipher, and how the key relates (or doesn’t) to both. Throw in a bunch of acronyms and it’s not surprising most people misunderstand. I still make mistakes that cause eyes to roll in the forums.
Yeah, there is a large amount of assumed knowledge on the part of most documentation. It’s not all unreasonable - if you’re capable of setting up a server and using the command line, the documentation is actually pretty good.
The problem arises when the majority of people aren’t running their own server and they’ve never used a command line. Hosting services are common, and there are plenty of people using Windows as a server who have never had to use the command line. I’m not surprised there are currently no easy step-by-step guides that work for everybody since the possible combinations of situations is astronomical.
Of course, as the available clients mature they’ll be able to fill in more and more blanks for the user, give better error/feedback messages, and be generally more robust. But even then, the user will have to know what clients are available for their systems, and not be required to clone git repositories and the like (or even know what git is).
I guess I’m saying that Let’s Encrypt (the CA) is barely 6 months old. It only came out of closed beta testing at the beginning of the year, and the documentation has improved remarkably in that time. The new certbot website is excellent - you choose your OS and web server, and it provides pretty simple instructions (at least it does for FreeBSD!)
Of course, it provides very little help if something goes wrong, but as @pfg said earlier, the questions being asked in this forum are a very small percentage compared to the number of certificates successfully issued. As the clients mature, less and less will go wrong.
I also think we need to avoid the Nirvana Fallacy, and get rid of the idea we need 100% perfect guides for everybody. Cars are pretty simple to drive, but there are still people who struggle to get a driver licence!
Success will grow! The official client is still in beta, it can only get better. LE is already pretty successful and software and documentation are constantly being developed and improved upon. I haven’t seen anything that makes me think there are problems that could overwhelm us. As long as fewer and fewer users are having issues (as a proportion of the overall userbase), we’re heading in the right direction.
Probably because many of them aren’t using Linux and have never seen a command line. Most of the people I see asking questions in this forum are using hosting services and don’t actually run their own servers. Those that do will often finish the thread with a “Fixed! I simply forgot to …”
Me too! Don’t let the naysayers discourage you! But at the same time, don’t think the docs or the implementation are worse than they are! Pfg is right, very few people have trouble, and of those that do (e.g. in these forums), most ultimately get the results they’re after.
Uh, I’m not sure why the answer is important. Pfg’s point was that the issuance numbers aren’t inflated by repeated attempts or renewals, 90% are people successfully obtaining the certs they’re after the first time (which is the goal - don’t get distracted!). Whether they use those certs for good or evil is irrelevant, just like nobody worries whether somebody is using their driver’s licence to drive the getaway car in a robbery.
I’m not sure what the issue with that is - the majority of people using LE don’t know what a CSR is, much less want to use their own. Those that want to generate their own and use it aren’t going to have issues simply using a CSR flag with the client. This is a small fringe case that doesn’t really need to be disproven. If you can generate a CSR with openssl, then you can use a CSR flag with certbot.
That’s less and less of an issue over time. I’ve never used “git clone” in my life, yet I’ve just renewed my multi-SAN cert that I obtained months ago. Git is great if you’re on an unsupported system, but LE clients are increasingly available as packaged apps. I’m on FreeBSD, and I can choose between the official client and a third party client directly from Ports/Pkg. Linux systems are the same, with multiple clients available through whatever package management systems they use.
Although you’re right, that “git clone” line probably shouldn’t be there, it’s a hangover from the early days before certbot was easily available. “Git clone” will work on just about any *nix system, so nowadays it’s basically a fallback position.
That’s a bit disingenuous. Yes, for the majority of people they do actually work that easily. The many difficulties reported in the community forums are tiny in comparison to the millions of certificates successfully issued. That’s why pfg quoted you the numbers with 90% being new domains - that’s 90% of millions of successfully issued certificates, which is the goal.
Now of course, that number may have been higher if the client and docs were better, but that’s a work in progress (on a project that’s only been publicly available for 6 months!)
No, that plugin is part of certbot, you have nothing to obtain. At this point it’s hard to tell if you’re playing Devil’s advocate or not!
You seem to have worked yourself into a mindset of this all being too hard. It’s really not. The documentation is not as unclear as you’re presenting and the clients (official and third party) work well. Much of what you’re saying is very vague and non-specific. I know you’re not a document writer but if there’s a specific issue with the docs then let us know.
Shoen and other maintainers have been very receptive to people asking for clarification or amendments to the documentation. Documentation is improved when people ask for specific omissions to be filled in or for unclear writing to be clarified. You just have to ask when you find it.
Bugger! I’m really sorry to hear that.
I’m trying to respond to your posts respectfully and considerately because I can see you’re not just complaining, you’re actively trying to contribute. I really appreciate that. I hope all the negativity in this thread doesn’t discourage you too much.