Letskencrypt - C implementation of certbot for FreeBSD (& portable)


#1

Be up-front about security: OpenSSL is known to have issues, you can’t trust what comes down the pipe, and your private key’s integrity is a hard requirement. Not a situation where you can be careless. letskencrypt is a client for Let’s Encrypt users, but one designed for security. No Python. No Ruby. No Bash. A straightforward, open source implementation in C that isolates each step of the sequence.

https://kristaps.bsd.lv/letskencrypt/

Versions:

letskencrypt — OpenBSD 5.9 and above
letskencrypt-portable — other systems


#2

All good 'n well, but the non-OpenBSD code still depends on LibreSSL :stuck_out_tongue_closed_eyes:

The only dependency of letskencrypt-portable is LibreSSL. The standard letskencrypt has no dependencies.

Although one might debate LibreSSL is “safer” than OpenSSL, it still could contain security flaws :wink:


#3

The point of letskencrypt is that it isolates usage of OpenSSL function calls (LibreSSL) into their own locked-down processes, so that the security flaws, inevitable in any software, have a minimal effect on one’s system. (Disclaimer: I wrote it.)

The dep on LibreSSL is for libtls, though.
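
The isolation idea discussed in this thread, as an added example that is not part of any post and is not letskencrypt's own code: a risky call runs in a forked child, and only a fixed-size result comes back over a socketpair, so a crash there cannot take the parent down. `risky_parse` and `parse_isolated` are hypothetical names, and the "library call" is a stand-in rather than a real TLS function.

```c
#include <sys/socket.h>
#include <sys/wait.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical stand-in for a library call on untrusted bytes; a leading '!' simulates a fatal bug. */
static uint32_t risky_parse(const unsigned char *p, size_t n)
{
	uint32_t sum = 0;
	if (n > 0 && p[0] == '!')
		abort();
	for (size_t i = 0; i < n; i++)
		sum = sum * 31 + p[i];
	return sum;
}

/* Run risky_parse() in a child; returns 0 with *out set, or -1 if the child crashed or failed. */
int parse_isolated(const unsigned char *p, size_t n, uint32_t *out)
{
	int sv[2], st;
	pid_t pid;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return -1;
	if ((pid = fork()) == -1) {
		close(sv[0]);
		close(sv[1]);
		return -1;
	}
	if (pid == 0) {		/* child: a real one would drop privileges here */
		close(sv[0]);
		uint32_t v = risky_parse(p, n);
		_exit(write(sv[1], &v, sizeof(v)) == (ssize_t)sizeof(v) ? 0 : 1);
	}
	close(sv[1]);
	ssize_t r = read(sv[0], out, sizeof(*out));	/* EOF (0) if the child died */
	close(sv[0]);
	if (waitpid(pid, &st, 0) == -1)
		return -1;
	return (r == (ssize_t)sizeof(*out) && WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}

int main(void)
{
	uint32_t v = 0;
	int ok = parse_isolated((const unsigned char *)"abc", 3, &v);
	int bad = parse_isolated((const unsigned char *)"!bad", 4, &v);	/* constructed crashing input */
	printf("well-formed rc=%d, crashing rc=%d, parent still running\n", ok, bad);
}
```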