Manual mode via letsencrypt website

Would it be possible to implement this workflow for DNS-challenge manual mode on the letsencrypt website (LE below):

Website for which an SSL certificate is requested: W below

Generated certificate for W: C below

All these steps are performed by a website admin visitor (WA below) to LE using the HTTPS protocol:

  1. (first time only) WA registers at LE

  2. WA logs in to LE

  3. WA navigates via menu to "Obtain certificate via manual DNS challenge"

  4. WA enters configurable certificate details (domain name, exact | wildcard etc)

  5. WA clicks on "Request DNS verification detail" button

  6. LE displays DNS verification detail to WA when WA logs in to LE

  7. WA adds the DNS verification detail entry provided at step 6 to W's DNS records

  8. C generated by LE becomes available for download from LE website

  9. WA downloads C from LE

  10. WA installs C manually

This process is somewhat similar to the process followed by some SSL issuers (in this case, with the addition of a DNS challenge).

For increased security, once generated, the certificate C may be available for download only once.

Any thoughts?

Let's Encrypt encourages automation and does not recommend any kind of manual certificate acquisition flows.

There are many web based flows out there, often with poor security (in particular private key handling). Their existence doesn't mean that Let's Encrypt should promote them, or even offer the same mediocre service.

This does not increase security in any way.

11 Likes

You mean "the remote server generates the private key and creates a CSR"

That's not going to happen. Let's Encrypt isn't going to endorse anything where your private key leaves your system or is generated outside of it.

You send your certificate out with each tls request.

8 Likes

While this is often asked, this is not going to happen due to the arguments mentioned by Max above. It's simply not a method (manual) Let's Encrypt endorses. Rather the opposite. They'll even go that far that they've removed web-based ACME clients from the ACME client overview page.

And they're publicly visible in Certificate Transparency logs.

7 Likes

There have been a handful of web based clients in the past.

ISRG / LetsEncrypt officially recommends against Web Based Clients due to concerns over Security and User Experience - most notably the likelihood of missed renewals. Web Based Clients have been actively removed from the LetsEncrypt website. LetsEncrypt actively recommends against third party Web Based Clients, and their comments on the matter apply almost equally to a potential first party Web Based Client.

It's not going to happen.

See:

4 Likes

I'd like to make a clear distinction for a client installed on the server intended to serve or distribute certificates that uses a webpage as an interface, which is what my CertSage client does.

8 Likes
