New ACME Clients site

Hi,

For info, I have developed a small site dedicated to documenting the most popular ACME clients/tools:

The motivation behind this is to reduce the amount of noise in finding ACME clients for end users. It's opinionated and it does not list unmaintained, (currently) unpopular projects or very niche interest clients.

This obviously does benefit the software I develop (Certify The Web), especially since I've listed UI as the first category, but if someone has made a popular Desktop/Web management UI for ACME certs let me know and I'll add it as well (or submit a PR). Projects must demonstrably have at least a few hundred users and be maintained. Please point out any missing ones that meet this requirement.

Sorting within categories is currently alphabetical by default. If it gets any use then I'll later add interactive sorting/filtering (the site is static generated from a JSON data source). The code is here, PRs welcome:

[Edit: amusingly I've only just noticed that Let's Encrypt's own client implementations page is defined as a JSON data source nowadays. Looks like they were headed in the same direction: website/clients.json at main · letsencrypt/website · GitHub]

9 Likes

I can't say how many users it currently has (probably a lot more than I realize), but I think that CertSage currently qualifies as the ONLY other UI client (and the only one with a true (user-controlled) web interface).

5 Likes

Just some curiosities:

  • Where did the "stars" come from? (img.shields.io/github/stars/ from investigating _data in source)
  • Did you actually port Certify to Linux?
  • Where did the commit data come from? (img.shields.io/github/last-commit/ from investigating _data in source)

4 Likes

Stars/commit info is fed directly from github. If a project doesn't use github it will need to demonstrate it has an active user base somehow.

CertSage probably doesn't qualify for this list based on popularity just yet (?) but you should add it to ACME Client Implementations - Let's Encrypt in order to build up your user base.

There are obviously hundreds of ACME clients, but this is not an exhaustive list, it's just the popular ones. I'd consider having a tab for less popular projects (it would need a flag in the data set to indicate popular/not popular) but I'm probably not motivated to populate the data myself so would expect each project to add themselves.

Certify (the command line and service, and the new Web UI) does indeed run on Linux and Mac OS but that's actually a mistake including that just now, thanks for raising it.

4 Likes

I should add that github stars is an awful way to gauge popularity (but it's easily automated). Certify The Web has well over 100K users. If we extrapolate that same fuzzy logic, then win-acme has ~400K users, certbot has ~2.9M users (sounds high but you never know).

5 Likes

CertSage has received more than 40 donations from unique users in more than a dozen countries. Even if the donation rate were as high as 20% (which would be phenomenal for any such project), that would easily be 200 users. Obviously, amongst say, GoDaddy users, the popularity of CertSage is disproportionately high. I could probably make an argument that there are easily more websites hosted through GoDaddy than on all MacOS machines on the planet, so determining worthiness based on popularity is rather a slippery slope.

I could also argue that there are very few ACME clients that I'd recommend to anyone lacking a related bachelor's degree, which includes a couple on your list, but I do personally feel you've hit many of the more tried-and-true ones. I realize CertSage is rather small potatoes in terms of its short history and acceptance. I hope it continues to evolve as I hope that Certify continues to do so. I enjoy the challenge we both face of serving the spectrum in a user-friendly and professional way. :slightly_smiling_face:

4 Likes

Cool, let's revisit in the future - you'll need a website or github repo for users to go to read more. Note that products do not specifically need to be open source, just demonstrably popular (I'm extrapolating a few hundred github stars to be many thousands of users). For instance https://docs.certera.io/ is interesting but it still seems relatively unknown. uacme is also interesting but I'm just not sure if it's common or not. I don't know enough about CertSage to say if it's specifically an integration for GoDaddy, so you do need a website to explain the project and how to use it etc.

Obviously within certain niches you have dominant solutions, so for example Kubernetes (cert-manager) but I'm in two minds as to whether to include many of those (it's an opinionated list after all, not a list of every client). At the moment the list is driven by fuzzy meritocracy, but it has to be otherwise it becomes like the LE list.

4 Likes

It's also a bit of a catch-22 to not include clients on such lists for lack of popularity as the purpose of such lists is to make people aware of clients thus making them more popular.

4 Likes

Yes it is, but the primary purpose of this particular list is to basically filter so the end-user doesn't have to. It could also be forked (maybe everyacmeclient.com :slight_smile:)

4 Likes

It would be neat to be able to click on a feature (such as OS) and filter by that.

Also, not sure what commercial: true from the JSON is being used for, but acme.sh would also deserve that tag methinks.

And also I think the site could really be a positive addition to the ACME world if it would list benefits and downsides of clients. Now it's just "filter" based on popularity and recent commit. Or rather it's primarily an advertisement for CertifyTheWeb (even if the site has a disclaimer).

7 Likes

Thanks, yes I'm aware of the current bias towards Certify in the list and I've no doubt it's a result of my own bias/self-interest, I think it'll get knocked off the top of the list alphabetically eventually, or we could simply randomize the top level category order.

I did debate with some inclusions such as getssl which I really don't know much about (but it has plenty of github stars).

The commercial:true thing will possibly (?) be dropped but certify is free/paid so I wanted to reflect that somehow and I also strongly want to show if something has commercial support (i.e. you pay and can expect/demand a support response) - as far as I know only Certify meets that criteria currently. Whether or not a company is behind something is slightly different to whether or not you can expect support (that's tricky as well, you can expect support for Certbot but you can't demand it).

I definitely want to add filtering, which may just be you click on the tag and it takes you to the list of clients that match the tag, or it may be interactive. Regarding pros vs cons, I'm not sure what to do there but perhaps flags for specific feature support (could be quite hard to gather that info for each client though), don't know if it should extend to an opinion on what's good/bad (it's opinionated already but maybe that's a step too far).

I guess where I want it to go is if someone who'd never touched certificates needed to get a cert for their (probably self-managed) web server, which shortlist of options should be presented to them. I'm aware it's unfair on smaller/less-established projects but if a project crops up tomorrow with comprehensive docs, a clear maintenance strategy etc and an all round high quality product I'd still wait a while before adding them to this list.

4 Likes

A feature matrix would be cool indeed!

5 Likes

I like the idea of a short blurb for every client, imparting the knowledge that can otherwise only really be found on these forums or by asking people directly. At least, it's what I feel would help users most immediately. Doing this fairly and without any hurt feelings is a bit of a problem, though.

6 Likes

Yes, likely to be tricky and I wouldn't necessarily know what to say for each one but I guess if I take acme.sh as an example, something like

Pros:

  • minimal dependencies on unix-like operating systems
  • does not require root access

Cons:

  • no dedicated community for general help (github issues only)

Or it could just be a paragraph (there's already a description field).

Things like whether something does/doesn't support webserver auto-config is maybe a feature flag - perhaps all the positive/negative things could be captured by presence or absence of a particular feature flag though. I agree it helps if someone just spells out what's good and bad from the user perspective rather than scanning through a lot of info.

4 Likes

A usability remark: using just bold for links is not cool.

I only realized something was a link because of the preceding "jump to" text. (On mobile, so no cursor)

6 Likes

Thanks, noted. It's the first time I've used Tailwind (it came with the 11ty template) and it resets all the default styles (even heading sizes etc).

[Edit: fixed now]

5 Likes

That data exists, acme clients send user agent headers. It's probably not available to the public.

6 Likes

Yes that would be excellent info. Since it's an aggregated count we need, it's basically anonymous if there's more than 1 user!

5 Likes

Further to this I have updated the site with some tentative pros and cons on some of the clients (such as https://acmeclients.com/clients/acme.sh ), plus a list of current public ACME CAs. Certify The Web has been de-emphasized in the homepage layout and "category" is clickable to see a filtered list. Next phase I'll look at adding up and coming clients.

3 Likes

Apache httpd also has built-in ACME support via mod_md. Might be useful to add for people who run that server.

Disclosure: I am the author.

3 Likes