Manual mode via letsencrypt website

Would it be possible to implement this workflow for DNS-challenge manual mode on letsencrypt website (LE below) :

Website for which a SSL certificate is requested : W below

Generated certificate for W : C below

All these steps are performed by a website admin visitor (WA below) to LE using HTTPS protocol:

  1. (first time only) WA registers at LE

  2. WA logs in to LE

  3. WA navigates via menu to "Obtain certificate via manual DNS challenge"

  4. WA enters configurable certificate details (domain name, exact | wildcard etc)

  5. WA clicks on "Request DNS verification detail" button

  6. LE displays DNS verification detail to WA when WA logs in to LE

  7. WA adds DNS verification detail entry to W DNS records, provided at step 6

  8. C generated by LE becomes available for download from LE website

  9. WA downloads C from LE

  10. WA installs C manually

This process is somewhat similar to process followed by some SSL issuers (in this case, with addition of DNS challenge).

For increased security, once generated, the certificate C may be available for download only once.

Any thoughts ?

Let's Encrypt encourages automation and does not recommend any kind of manual certificate aquisition flows.

There are many web based flows out there, often with poor security (in particular private key handling). Their existence doesn't mean that Let's Encrypt should promote them, or even offer the same mediocre service.

This does not increase security in any way.


You mean "the remote server generates the private key and creates a CSR"

That's not going to happen. Let's Encrypt isn't going to endorse anything where your private key leaves your system or is generated outside of it.

You send your certificate out with each tls request.


While this is often asked, this is not going to happen due to the arguments mentioned by Max above. It's simply not a method (manual) Let's Encrypt endorses. Rather the opposite. They'll even go that far that they've removed web-based ACME clients from the ACME client overview page.

And they're publicly visible in Certificate Transparancy logs.


There have been a handful of web based clients in the past.

ISRG / LetsEncrypt officially recommends against Web Based Clients due to concerns over Security and User Experience - most notably the likelihood of missed renewals. Web Based Clients have been actively removed from the LetsEncrypt website. LetsEncrypt actively recommends against third party Web Based Clients, and their comments on the matter apply almost equally to a potential first party Web Based Client.

It's not going to happen.



I'd like to make a clear distinction for a client installed on the server intended to serve or distribute certificates that uses a webpage as an interface, which is what my CertSage client does.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.