Let's make Let's Encrypt easy and simple

@DarkSteve, why do you sound angry with me? if let’s encrypt wants people to use their product to help move encryption forward at a greater pace, then their software and documentation needs to be easy to use…it is not. I think that’s why this thread was created. there have been similar issues raised in the past about the friendly nature of trying to use let’s encrypt…

wanting people to search for threads on a forum to help get software installed isn’t what I’d consider making the software easy to use.

edited to add: I definitely appreciate the time and effort going into the project, for sure.

It is. Most of the time. But as usual, there are a lot of different possibilities in server configuration. Most of the time, you're set within a few minutes. But the documentation can't cover every single different server configuration. So yes, for some people it's gonna be a little more different. But can you blame LE/EFF for that? Should they cover e-ver-y sin-gle server config? Or is a coverage of 99% enough? You can also argue people are responsible for their own non-standard server configuration..

Osiris, I agree that neither LE nor EFF should address every possible configuration of every possible webserver. But there should be detailed documentation explaining the principles of making LE/EFF work in any situation. Instead of promising “no pain”, LE/EFF should promise something more reasonable and achievable.

This is not like a programming language, which can be expected to work immediately upon download. The documentation should be much more detailed, not just grandiose promises. This is all my opinion.

I definitely agree with you that every single configuration cannot possibly be supported or written out in a guide because that list would never end.

all that said though, I just went through the ‘getting started’ page a minute ago and it’s vastly improved since I last looked at it. kudos to the team for that.

I think the doc could be improved by explaining in more detail what’s going on with the commands being used - switches, the different types of ways to obtain certs, which iteration of the command you should use if your site is behind a proxy like cloudflare or incapsula, how to set up a crontab to automatically run the renewal script, etc…that all helps to keep people on THIS site rather than looking at other sites for guides.

Just check it out by yourself. BTW: Could you name me this "harbor countries"?
If looking through the whole CT log is too much for you, look at the stats. Have a look at the most commonly-used TLDs and ask yourself: Are .com, .net and .de such harbour countries for criminals?

That's not spamming, that's web scraping or vulnerability scanning done by bots.

Still don't know what criminals/spammers/whatever have to do with making a simple web UI, but well... Rather get on-topic now.

Well, after a few weeks - life interfered - and two more days of Google, trial and error, and frustration, I seem to have a secure web site. Or at least a secure Apache placeholder page.

Or at least an Apache placeholder page that this says is secure, but which Firefox thinks is not due to “mixed content.”

Thank to the authors of the twenty-seven different web pages and how-tos that I have bookmarked for future reference.

I’ll wrap this up with a some specific observations. I’ve worked in a few highly technical situations, including training and supporting end users, and even drafting documentation, so feel I can speak out on this.

1. This is important stuff, not some half-baked Wordpress plugin that rotates cat pictures. If the certificate is not configured right the consequences can be large and dangerous.

2. To the vast majority of end users there is no distinction between “LetsEncrypt” and “Certbot.” The LE pages imply that the latter is a function of the former, and any ordinary person will assume that they are one project.

End users don’t need or want to be lectured on the distinction. They just want to make the thing work.

3. It’s pretty obvious that LE/CB expect a moderately high level of knowledge, and some specific levels of user access. These things (as has been pointed out) need to be front and centre on the “Get Started” page. (You need This software installed; this level of access to your server; and the skills to do these tasks.)

If the folks behind LE/CB don’t want to support less skilled users they should post a big, nasty warning to scare them off.

4. Regardless of who LE/CB wants as end users of their products, there has got be a single source for reliable, authoritative information. In a crunch it should be possible to get most common questions answered on either the LE or CB web sites.

Trolling though dozens of Google results is almost always a recipe for disaster.

What I will suggest, based on a lot of years of different projects that are structurally similar, is this:

Whoever is making decisions at the topmost regions of LetsEncrypt and/or CertBot need to sit down and decide who their intended user base is.

It doesn’t honestly matter whether they want to serve the high priests of server land, or the guy with a five page GoDaddy web site on shared hosting, but it does matter that, having made that decision, they ensure that resources are available to draft the best possible support materials, suitable for the skills and knowledge level of the intended audience.

Until then there’s a strong indication that language like “It’s free, automated, and open” and “automates away the pain and lets site operators turn on and manage HTTPS with simple commands” should be removed because it seems to misrepresent what is being offered.

And one final note. “Well, it worked for me,” is not, and never will be an adequate response to anything.

Appalbarry, Thank you. Finally, a real person who really tried it all out and tells it like it is. I like that you write near the top of this thread that people are currently expecting a “one-click” solution, based on the home page, and not finding it. I hope that whoever can edit the home and startup pages will do a complete rewrite or find someone who can. In my opinion, we either need to tone down our promises to fit the current software, or improve the software to fulfill our promises. If it is supposed to just work ‘out of the box’, and doesn’t, how can this be kept a secret? I don’t see those central to this project doing experiments to measure or demonstrate usability. I see only grand claims and beliefs. Then they blame me (busy with my own life and nonprofit organization) for not being “specific” in my criticisms. I’ve been specific in almost every posting of mine on this thread. People should really listen, early, to those who reveal flaws, not sweep them (the people or the flaws) under a rug. Again, just my opinion.

Your mixed content warning is unrelated to Let’s Encrypt. It means the site mixes secure and insecure content, typically because it uses images from a non-HTTPS website. The test you linked from SSL Labs has diagnose that your secure web server is set up correctly, which is the part Let’s Encrypt helped with. The good news is that “mixed content” is an issue you don’t need to ask about here, it’s a general web dev type question, one anybody with any sort of secure server might have just like if you couldn’t figure out how to add an image to a page, or were trying to debug a PHP script that doesn’t work.

Breaking out “certbot” the client and Let’s Encrypt the service was done deliberately, albeit belatedly. It doesn’t help to try to squish them back together now. LOTS of people are successfully using other Let’s Encrypt clients, questions about that are on-topic here, but wouldn’t be covered in a FAQ about certbot. I think you’d have less confusion if that distinction had been in place from day one, not more.

The average user doesn't know. I'm not saying the issue has to be covered by the project but at least it should refer the user to a site with further information to resolve this issue.

I'd say the certbot EFF page needs some kind of interactive "flow chart"-like structure. First welcome the user and next ask questions which can be answered simply by clicking "Yes" or "No" or click the appropiate button (i.e. choose a OS or webserver). And for every "flow" there's an approiate answer: "Sorry, at the moment CertBot doesn't run on the Windows OS" or "You might run into problems, because you've pointed out your webserver configuration is non-standard" and of course a page just like the site has now if all questions are answered and there's no reason to assume any problems.

Osiris, I agree. Someone should transfer your posting from here to the EFF Certbot website. To clarify, they could also use a separation between home page and “do it now” page, like LE has. I would do this posting myself, but I’m busy. Is anyone else here free?

90% of the "domain names" might not have had certificates before, but it doesn't mean that the "people" managing those domains never got certs before.

I personally have gotten certs for domains before. Know the traditional process well.

I also manage other domains that I never bothered getting certs for because I didn't want to spend either the money or the effort.

When I found out about letsencrypt, I used it to get certs for those domains. So, while the 6 domains I got certs for with letsencrypt fall into that 90% statistic, in my case what Appalbarry said is still true. I am quite knowledgeable and skilled when it comes to certs, and yet I have a really hard time figuring out how letsencrypt works due to confusing documentation. Not to mention the changes between letsencrypt-auto and certbot-auto don't seem to be documented and required a lot of trial and error.

I posted a question on these forums a couple of days ago about it, but haven't gotten any replies yet.

aptalca, I apologize that you haven’t gotten help as yet with your current issues. The developers are not paid for their work, and in some cases are very busy with their day jobs. Thanks, though, for providing another voice in support of improving the current rather inadequate documentation.

Thank you @david7364 for saying what I’d like to say after 3 days of being confused! Finally I decided to ask help from my hosting about installing LE on my website and now waiting for their response. I’m not seeking help by this post, I just want to add to this topic that Nowadays many website owners are people like me who have no knowledge of computer programming, web developing, etc. At the first it was unclear whether this was doable for my situation or not. I didn’t even know where I should write the commands! Somewhere one said if you don’t have server root access it’s not doable by you. Another tutorial said it’s doable for shared hosted websites(like mine) with ssh and ssl management access on cpanel but after all I had no success following different instructions and I gave up because those commands were not recognized by SSH and even just one of the steps were not done!
Sorry for my poor English!

That is a very valid point.

But in my opinion, installation of a requested TLS certificate, including the (re-)configuration of the Web service software (Apache, Nginx, etc.) should be done by a Web Server administrator. Not by a Web site content provider.

It's also my opinion that Let's Encrypt should make this very clear to first time visitors of the Let's Encrypt Web site in an intention to Manage User Expectations.

The two roles I mention above are two quite different things, with very different skill-sets. Both are important. Sometimes, but not always, the two roles can be provided by the same person.

The problem seems to regularly appear when a (probably very competent) Web site contents provider tries to obtain and install an LE cert, plus reconfigure the Web server software to correctly use the certificate, without having that particular skill-set.

Manage User Expectations!

Roza, I know how you feel. Even as a professional software engineer (I’m retired now), sometimes when beginning work with a new technology or a new product, there were very frustrating times. Visiting a website to get help could also be very frustrating if the technicians or engineers or participants could not be empathic. If they could only say “read the manual” (RTFM) or “ask a more specific question” or just completely misunderstand the question, frustrations could multiply. That is why I think clarity is very important for a project like LE, whose goal is ambitious. If visitors to our website get nothing out of it but frustration, then we cannot claim to offer a “one click solution” to making a site communicate via the HTTPS protocol. Some posts here claim that we don’t want people with no knowledge trying to run LE; that does make sense. But other posts claim that our documentation is just fine–that we do currently offer a one-click solution. You can’t have it both ways, because these claims are contradictory.

But have no fear–this technology actually can be made “one-click”, it just takes a little more study, and perhaps a little AI thrown in. The CPanel people (and probably other hosting tool makers) are currently working on extending CPanel to install a free certificate using LE/Certbot. And many hosting companies have already gotten up to speed so that they can install using LE if asked.

It is just a matter of time before LE gets “cleaned up” so it documents exactly what it does,. I just raised the issue here to push it along a little.

TCM, Would you mind being civil? Instead of calling me names, write specifically about how AI (knowledge-based algorithms) is not relevant to what I was writing about? I don’t mind a discussion. I do mind name-calling. Behave yourself properly here. I think I have useful things to say, and I don’t appreciate being derided.

Saying that your suggestion is ridiculous (or any other adjective) is not calling you a name; it is commenting negatively on your suggestion. On its face I'm inclined to agree with @TCM's assessment, but if you'd care to describe how you think AI might help, rather than just complain that he doesn't like your idea, it might help move things along.

I think you have some useful things to say. You also have a lot of what appear to be bizarre non sequiturs that you don't appear to be interested in discussing once you've tossed the ideas out there.

TCM, AI is not “babble”, it is a technology used all the time. For example, the Certbot home page uses an elementary form of AI (case analysis) to adapt LE to the specific platform of the user. My postings are not “off-the-scale laughable”. I am not a “troll”. And, if I don’t know “the hell” what I’m talking about, just correct me instead of attacking me, particularly in such a public way. The LE project needs to do something about these continuing impolite attacks.

danb35, It seems to me that truly fulfilling the current LE promise of a “one-click solution” to acquiring and installing a certificate (ignorning the remaining part of the promise, that LE certs are free) requires putting a great deal of knowledge into the LE tool that implements the one-click promise. Currently, Certbot does have elementary expert knowledge (which uses selection boxes to input the overall platform from the user), which is a great first step. But more will be needed to fulfill this grand promise. In particular, configuration files and other directories and files on the server being modified must be analyzed, and problem situations identified. This requires much more expert knowledge, even more robust forms of AI such as fuzzy logic, cluster analysis, and learning from past experience. Reading the posts in which people ask for help in using LE reveals a broad range of problems that must be detected and either reported or corrected.