Let's make Let's Encrypt easy and simple

pfg, Thanks for the corrections. Sorry I find these distinctions so hard to remember.

I’m still not quite understanding how you are saying that LE is out of Beta, but CertBot is not. I’ve been writing here again and again about how the LE startup page is not very good, and getting some support for that view. If LE itself is out of Beta, why can’t the startup page just say that we are a CA and stop there?

And why is LE still claiming to install or renew a certificate, if that is actually done by CertBot?

If in your view LE is just a CA, then why is it any better than the other free CAs, like that one in Israel that has worked so hard to get itself set up right?

I think you are just the one to fix my confusions, so I look forward to your reply.

1 Like

ACME is a fairly new protocol. Many users wouldn’t be happy with instructions that said “Let’s Encrypt is an ACME-compatible CA. Our ACME server is https://acme-v01.api.letsencrypt.org/directory. Good luck!”. Until ACME becomes a standard that’s supported by multiple CAs and is known by everyone to a certain degree (see my earlier NTP reference), users will need some pointers with regards to the client ecosystem. Certbot happens to be the most commonly used and most active client implementations (plus, of course, it used to be made by the same organization behind Let’s Encrypt :wink:), so that’s the recommendation.

I haven’t actually seen this phrase anywhere on the site right now. Here’s what it says: “Certbot, the recommended Let’s Encrypt client, automates away the pain and lets site operators turn on and manage HTTPS with simple commands.”

A lot of this confusion is probably due to the fact that it used to be one project. Hindsight is 20/20. :smile:

Aside from other things (short certificate lifetimes, transparency, …), it’s the fact that it implements ACME, which is on track to become a standard for automated certificate issuance. This is what allows web servers like Caddy to provide SSL completely transparently without any kind of user interaction or configuration.

StartSSL has actually implemented something similar a couple of weeks ago (though for some reason they decided to roll their own thing instead of adopting ACME). StartSSL is also only free for non-commercial usage. WoSign is free for any kind of usage, but has rather low domain limits and doesn’t support automation.

1 Like

Lots of great information here, all new to me.

Caddy (https://caddyserver.com/) uses the LE certificate, and looks fascinating. It says it’s written in Go, which is Google’s C-like language. I’m always learning new things about software and development tools, usually completely by accident. Thanks!

Wikipedia hasn’t discovered CertBot yet, but it usually lags the world by a bit.

Personally, I think the greatest contributions that the LE project has made so far are ACME, which has the potential to manage certificates automatically, and being a CA for free HTTPS certificates. I’ve put this together over months (I discovered the LE site and its Windows limitations (it seems that most open software is written by people who can only program Windows using layers of simulators to make it look like Linux) before it even entered Beta.

Currently, I seem to have a bee up my butt about how poorly the Startup page does to inspire and excite visitors. That is my main focus in this thread, even though so many other interesting things come up, like someone claiming I don’t know what HTTPS is for, then leaves without telling me.

I’m glad that CertBot got spun off, because it needs a better focus to its software management. But I believe that LE still has a goal, besides being a CA, and that is transforming the Web from HTTP to HTTPS. No one seems to be saying this much, even when I call for a mission statement, an explanation suitable for Wikipedia, and for better documentation of the LE website.

The project is run as though all its volunteers are software hackers, and this bothers me for some reason. I tried to sort out my critiques above, but I guess I haven’t done a good job, because I don’t see anyone besides me getting excited over what better documentation and user experience could do for the projects, and, conversely, how the current unexpected problems in understanding and implementation could threaten the success of our goal (which is not ACME, not CA, but transforming the Web into a secure infrastructure in which to do business, personal finances, and so on).

If StartSSL and LE are similar, let’s be sure our documentation is at least as good as StartSSL’s.

One more question, if I might: why do people here keep talking about TLS when SSL seems to be the technology of the future? What am I missing?

1 Like

You’ve got it backwards: SSL is old and insecure, TLS is its more modern and actually secure successor. Although many people still call it SSL.

1 Like

Really? Let’s Encrypt’s website isn’t considered a reliable source on Let’s Encrypt? I understand the general statement that websites and blogs are not reliable, but I’d still consider apache.org a reliable source for the Apache web server, or freebsd.org a reliable source for Ports.

It’s seems odd for Wikipedia to have blanket rules like that.

I personally think the promise of “one command” is a promise that has no practical value.

It’s not about how many commands there are or how many clicks it takes, it’s how accessible the process is to low-skill users. I mean, what is the benefit of “one command” if that command is huge with convoluted options obfuscated flags?

I’d prefer a multi-step process that seamlessly flows with clear options/choices guiding the user towards obtaining their certificate. That’s a much more practical goal.

That’s very true! A great deal of the confusion in the forums is about conflating the service and the client. I think it’s great there is now a clear distinction between the two.

Isn’t that what the key principles are about? I would have thought they’d transfer well to Wikipedia - half a dozen points with a single sentence explaining them.

To build on what cool110 said, SSL (Secure Socket Layer) went through three revisions, each progressively being cracked over time. Nobody should be using SSL at this stage. Building on the existing spec became more and more restricting and difficult, so TLS (Transport Layer Security) was born. It’s much more flexible and future proof spec, and is able to adapt at technology changes.

While there is no demonstrable real-world attack on TLS, TLS1.0 is looking less and less secure, but TLS1.1 and 1.2 are still looking good! (My LE secured site supports only TLS1.2 without any compatibility issues.)

1 Like

DarkSteve, Thank you for your reply; I agree with your points so far as my knowledge goes.

Yes, Wikipedia’s success is based on a set of very rigid policies (in spite of at least half its pages being so old that they reflect only what the first editors wrote, which may not comply with the policies). To give you an example, a client of mine wrote a WP page about a nonprofit organization that I run. When policy-enforcing editors discovered the page, they promptly followed the policies for deleting a page and deleted it. The article was well-written and had citations, but the references were mostly to the website for the organization. WP requires a newspaper article (that has presumably gone through journalistic fact-checking), or something equally reliable, as a citation. Otherwise, any company could slap marketing drivel onto WP and define itself with any claims it wishes.

Sorry to everyone for interchanging TLS and SSL in my mind. My memory is not so good, and I don’t actively use what I’ve learned about certificates, HTTPS, etc., in my daily work.

I especially agree with you that “one command” is not as meaningful as “a simple, step-by-step procedure”.

When I start seeing postings thanking EFF for a 10-minute conversion of a website to HTTPS, then I will know that CertBot fulfills its claims. I already know that LE provides certificates as promised, and that ACME works, but that is not enough of a success to be of practical value, in my opinion. The lofty claims and promises of the LE website have no limitations of any kind listed, and in my opinion there are no practical instructions yet in any startup page to guide anyone to converting a website in 10 minutes (which is my way of interpreting all the current claims and promises).

1 Like

To everyone: I have added a new Principles section to the existing Wikipedia article on Let’s Encrypt, at https://en.wikipedia.org/wiki/Let’s_Encrypt. This is copied from the LE About page, thanks to pfg.

Note that it includes the word painless. Other than that one word, which is not yet justified by reports from people who have tried changing a website to HTTPS, I believe it consists of correct claims about the LE project. If anyone can think of changes that need to be made, make the changes to the About page (https://letsencrypt.org/about) and then let me know and I’ll be happy to edit in the changes to Wikipedia.

1 Like

https://certbot.eff.org/, in principle, works perfectly for that goal. The fact that there are more than 3.6 million certificates currently already issued, compared to a handfull of topics in this community, says it isn’t that difficult most of the time. Only a small percentage of users has some sort of problem. Although documentation could be improved, ofcourse, it isn’t possible to consider every precondition which might lead to some problem. In your posts you imply you’ve got to be some sort of genius to get a LE certificate… Sorry, but that’s simply not the case. 3.6 million issued certificates proves that IMHO.

1 Like

Osiris, I cannot agree that a large number of certificates means anything other than that LE is a successful free CA (like several others). Why are the LE and EFF servers and clients not instrumented to report on how much total time they take to obtain and install a certificate? Why are we not inviting users to report their experiences, both positive and negative?

Like so many other organizations who don’t measure what they do, we really know nothing, other than that LE is a successful free CA.

As we grow larger, will the problems overwhelm us, or will our success grow? We actually have no idea until we measure. Quality, in general, requires measurement.

1 Like

How about --help or https://certbot.eff.org/docs/using.html#command-line-options?

I always wonder why people want to run web servers and HTTPS without even the most basic understanding of a Linux system. What are the chances the result is going to be a secure and resilient system? Wouldn’t you be better off buying service from someone who knows what they’re doing, if this is all so confusing to you?

Since LE provides no other means of getting a cert except via their API, how would millions of successfully issued certs not mean that a large number of people have no problems using that API via any of the available clients?

Who is “we” now? Have you become part of the LE project overnight?

The fact of the matter is, server administration requires a certain level of skill. It makes no sense to lower the skill cost of LE below that level, because then one can get a LE cert but still runs a lousy server.

If all you do is run a website instead of a server, you should ask your provider to provide the necessary plugins. Otherwise, vote with your wallet. A quick Google search shows results for both “cpanel letsencrypt” and “plesk letsencrypt” so there shouldn’t be any need to touch any of the “confusing” stuff.

Your interface to getting a cert should be your management tool and not LE directly if you’re just running a website and you’re not touching the server.

1 Like

TCM, Here are my responses:

"How about [using] --help or https://certbot.eff.org/docs/using.html#command-line-options?"

Yes, people should try out Help, and search for a man description of the command or the equivalent. Of course. But this does not relieve us of the burden of documenting what a command does right there on the Startup page, as I have discussed above.

I never said that running a server should suddenly be done by ignorant or inept people now that LE is available. I did say that there are plenty of problems being reported, and few (if any) success stories. I did say the documentation is still confusing even to experienced people, and others have provided evidence of this right on this thread.

I don’t object to clueless people hiring others to use LE on their behalf, but if LE promises easy usage for anyone running a webserver, it should deliver easy usage, period. That means easier than the standard manual methods. If it does not deliver that, even due to poor documentation, it needs to promise something different.

“Since LE provides no other means of getting a cert except via their API, how would millions of successfully issued certs not mean that a large number of people have no problems using that API via any of the available clients?”

My understanding is that LE can function exactly as any other CA, using OpenSSL local primitive operations, for example. If all those certificates were issued only using ACME servers, I’d like to see a reference to this fact somewhere on the LE website, by someone other than you. This is the first I’ve heard of this limitation to LE as a CA.

" ‘As we grow larger, will the problems overwhelm us, or will our success grow?’ Who is ‘we’ now? Have you become part of the LE project overnight?"

No, I’ve been around here for several months, trying things out and trying to help in my very limited time. Did you forget that this is an open software project? That means that one considers oneself a part of it if one contributes. I’ve spoken up whenever I’ve seen possible limitations or problems that I thought deserved some light cast on them. This entire thread is my attempt to improve the initial documentation about LE that people currently see. I believe I am entitled to feel part of this project, and I’ve said so in connection with my Wikipedia article improvement, described above. If you’d like to kick me off of the project, I think I’d enjoy going away and not having to defend myself so much.

“The fact of the matter is, server administration requires a certain level of skill. It makes no sense to lower the skill cost of LE below that level, because then one can get a LE cert but still runs a lousy server.”

Well, sure, of course. Read my postings and tell me where I’ve suggested that the skill level of a webmaster be lowered. What I’m suggesting is that our promises should be what we deliver, and that our documentation should record exactly what we deliver in a way that lets people realize our promises. That means that ordinary people who run webservers should be able to obtain and install a website certificate in a few minutes, with no real problems. In fact, I don’t think we have any research or measurement to show that we truly deliver this experience. I am acting as ‘devil’s advocate’ to focus our attention on what we currently promise and what we currently deliver.

“If all you do is run a website instead of a server, you should ask your provider to provide the necessary plugins.”

Of course. I have not written about those who only run websites. They are not our audience, meaning that our promises are not aimed at them. Our Start Here documentation could make that a little clearer, in fact.

“Otherwise, vote with your wallet. A quick Google search shows results for both ‘cpanel letsencrypt’ and ‘plesk letsencrypt’ so there shouldn’t be any need to touch any of the ‘confusing’ stuff.”

Sorry, I hadn’t noticed that CPanel plugins are now available for LE. I seem to get all my news by accident. I wish I had the time to try them out. In any case, WHM itself will soon support LE, which should provide a guaranteed easy interface for LE.

The purpose of this thread is to improve our documentation to match our claims. This has not yet been completed, in spite of specific suggestions by several people. I invite you to discuss improving our Startup page more directly. What is currently missing? What is currently wrong? How would you improve it?

That’s only natural. Only a very small minority will sign up and post just to say “Thanks, everything worked as expected!”. That’s not a good way to measure success. The fact that Let’s Encrypt has issued more than 3 million certificates, and that the majority of those domains (>90%) hasn’t had a certificate before, is a significantly better indicator for success, in my opinion. Additionally, we see adoption from major web hosts (OVH) and other sites (WordPress for hosted blogs with custom domains). Are there problems? Sure, I haven’t seen a project without any problems. Since we’re already comparing numbers that make very little sense, if we go by the number of topics on this forum and compare it to the number of unexpired certificates, it appears that the ratio is 2,400:3,000,000. I’m pretty comfortable with that number! :smile:

Can you point me to any service with a similar kind of goal (not in the same space - anywhere) that achieves this 100% of the time? It’s certainly not my experience (actually, just the opposite).

You’re comparing apples to oranges here. OpenSSL is a tool you use to generate a private key, certificate and what not. It will not provide a way for you to submit that certificate to your CA, manage your CA account, verify your domain ownership, etc. That’s usually something CAs or their resellers build, mostly as part of their control panels and what not. That’s what ACME does, on a protocol level, while allowing automation. ACME is the only way to get a certificate from Let’s Encrypt. That is not to say that third-parties aren’t building the same kind of control panels on top of ACME for their customers - in fact, that’s exactly what many are doing and that’s a good thing!

I believe documentation is important, and that it should be as good as possible. I think the best way to contribute to this goal is to either improve it directly or provide actionable suggestions, much like @denaje did in his post. The best way to work on things is to break it down to small units and improve them bit by bit. In my experience, long, wide-reaching and abstract discussions on topics like these rarely get anything done.


The whole point of LE is automation via the ACME protocol. Do you see a form anywhere allowing CSR submissions? It seems you know very little about the project you’re supposedly part of.

1 Like

People being able to issue that many certificates is not, only by itself, a measure that a large number of people are not having problems with the process. It's only indicating how many certificates are retreived. I do agree that it's impressive when it comes to enlarging the number of secure sites.

David7364 is pointing out that better documentation will improve the chances of users being able to avoid or overcome potential problems. As far as I know there aren't any stats regarding how many users attempt to use an ACME client but fail. Better documentation also improves the chances of users being able to retrieve a certificate and configure them correctly. Also, it improves the chance for users being able to successfully renew them.

1 Like

No, but the number of threads asking for help is. Unless you suggest that there is a large number of people who are having severe problems but are not opening a thread here, I see no basis to assume that these "problems" are real.

1 Like

Responses to various folks:

Response to pfg:

You seem to be repeating objections I have already responded to and ignoring the more important basic issues I have tried to raise in this thread. I have tried to focus on our current startup documention, measuring quality, and other related issues. If two people here only wish to respond to what they perceive as my mistakes, then I will accept that. I do not claim to have a perfect knowledge of LE or anything else.

Response to pfg and TCM:

It does look like I am wrong about the large number of successful certificates issued, if it is really true that LE CA servers cannot respond to a manual certificate signing request (CSR) and keys by creating a valid certificate that can be installed manually. Can someone here who really knows verify that it will not do this? I already know that ACME is the whole point of LE, but LE also claims to be a CA, so I have been assuming that it will accept a CSR. Please, someone else respond on this.

Can we possibly get back to the topic? Note the support for my more important points from Svavar_Kjarrval and others previously.

Response to TCM:

I can’t agree that not having hundreds of thousands of problem reports means that LE is as easy and comfortable to use as we claim. Good technical people have learned to solve problems themselves and not waste time complaining. We need better ways of measuring success, not deductions having weak premisses.

Also, I did not just say that there are many problems reported on this community forum and few successes–obviously few successes would be expected in a forum that helps people with problems (but just a few people expressing great gratitude and appreciation would also be expected, and I don’t see those). I said, in addition, that we need to measure the effectiveness of our Startup page to see if that one short page can truly allow an experienced webserver/domain name owner to convert easily to HTTPS in a few minutes (or a few seconds!) as claimed.

General comment:

The issues that pfg and TCM focus on are not the central issues that I have raised. My warnings about LE’s problems remain, apparently ignored. That is my perception and opinion, not a fact, and it may or may not be true. If it is true, then there could exist problems with LE that could cause faltering or failure in the future, when we start getting more serious, in-depth reviews in the popular technical websites on the Web, and other evaluation.

These problems need to be evaluated and addressed now, by the LE project itself, particularly with respect to the first pages seen by visitors to LE. Limitations and restrictions must be listed. Advice about commands to be used must be complete and actually work within the claimed time, without a difficult or painful experience, and within the stated restrictions. Instrumentation (polls, surveys, and experiments with people who have no previous experience with LE/CertBot) to verify our quality in fulfilling our claims should be developed and put in place, instead of relying on the large number of certificates issued to feel satisfied with our status.

I will fall silent now, unless I have new suggestions, because I wish to stop participating in repetitions which go nowhere. Thanks to everyone now and in the future who take my ideas and run with them for the improvement of LE.

1 Like

Of course you can manually specify a csr and submit it to ACME. Use certonly and --csr for this.

1 Like

You claim that there are “few (if any) success stories” and that Let’s Encrypt is only approachable for those who are already quite familiar with SSL and already have certificates. I have pointed out that more than 90% of certificates are for domains that never had a certificate from any CA before. I have not seen you respond to that.

Again, that’s comparing apples to oranges. Yes, CAs accept CSRs. Yes, Let’s Encrypt is a CA. Yes, Let’s Encrypt accepts CSRs. The CSR is part of the ACME protocol - the means through which Let’s Encrypt accepts CSRs is ACME. ACME solves this problem, as well as account management, domain validation, revocation, etc. There is no other way to get a certificate from Let’s Encrypt. I’d recommend taking a look at the acme draft to get a clearer picture on this.

That’s a very unfair assessment, in my opinion. What is needed is actionable feedback. Both the Let’s Encrypt and the certbot team are more than happy to make changes based on feedback (as they have demonstrated based on denaje’s post). Pointing out specific things that are missing, unclear, just plain wrong or that need to be structured differently would be a great start. With the understanding that Let’s Encrypt is, more or less, “just” a CA that happens to implement ACME, and that there are a number of separate client implementations (one of which happens to be the recommended client with automatic configuration on some, but not all platforms), what do you want to see on a “Getting started” page?

1 Like

rugk, That is what I thought. So it is possible for anyone who simply wants to save money to obtain a certificate from LE manually, bypassing the automatic installation and renewal. There are many spammers, distributors of viruses, curious people, and legitimate webserver maintainers who might have obtained certificates without really using the full automatic service that LE offers. Yes? No?

1 Like

You’re mixing up ACME with the automatic configuration provided by some clients like certbot. That part has nothing to do with ACME - it’s a feature the clients provide. All those clients use ACME. ACME doesn’t force you to automatically configure your server - it just allows you to automate the process of acquiring a certificate.

To put it another way, every single certificate issued by Let’s Encrypt was issued through ACME.

(I’m not sure how spammers and malware distributors got into this topic?)

1 Like