Preventing Letsencrypt 3rd party clients going the Android way?


yeah multiple domains would be one thing lacking in webroot authentication right now

edit: actually probably can script multiple domain letsencrypt ssl certificates via webroot authentication

This is what my Centmin Mod Nginx stack or any scripted SSL vhost script would be able to do via nv command combined with web root authentication

for v in $vhostname; do
 nv -d ${vhostname} -s y -u MYFTPUSERNAME
 /root/.local/share/letsencrypt/bin/letsencrypt --renew-by-default -a webroot --webroot-path /home/nginx/domains/${vhostname}/public --email --text --agree-tos --agree-dev-preview -d ${vhostname} auth

would generate the nginx ssl vhost for 3 domains -, and and run webroot authentication for SSL certs


Sure, I just meant in a single certificate. Different certificates work of course.


yeah single multi-domain SSL certificate is still to come for webroot authentication :slight_smile:


what is webroot authentication?


webroot is a plugin that places a file into your webroot directory to prove ownership of the domain to LE instead of changing config files or using the standalone authenticator.


see examples of webroot authentication plugin at Using the webroot domain verification method and

official definition

Authenticator plugin that performs SimpleHTTP challenge by saving
necessary validation resources to appropriate paths on the file
system. It expects that there is some other HTTP server configured
to serve all files under specified web root

it was born out of the simplefs plugin which was later renamed to webroot authentication

laymen terms, webroot authentication is an alternate way to obtain letsencrypt ssl certificates and pass the SimpleHTTP challenge by following these steps

  1. create a HTTPS base site before hand using self signed ssl certificate on apache or nginx - this site will have a public web root. This site domain also needs valid working DNS pointing to the server IP
  2. run letsencrypt webroot authentication method and pass your email address AND that site’s public web root path to the command you run - this will perform automatically the the .well-known uri creation on the defined web root validating the domain you want the ssl certificate for


so pretty much like veryfying ownership of domain for Google Webmaster tools put a file on the domain and finish.

I didnt think that this was an LE specific term, obvious that I found nothing that makes sense on Google


Yup basically the same :slight_smile:


With Android defragmentation with every phone manufacturer having their
own Android builds, the responsiveness to updates for patches to
stagefright etc have been slower.

There are two issues to consider.

First, “early” version of Android suffered the problem. Early versions are versions prior to Ice Cream Sandwich (ICS). These devices also had the certificate store burned into ROM and part of the image, so there was no way to update it. The OEM abandoned the devices after the sale, and there’s nothing you can do about it to fix it.

Second, “later” version of Android address the problem. Ice Cream Sandwich (ICS) allows the certificate store to be updated in the field without a new image. For details (and some very good reading), see Nikolay Elenkov’s blog Android Explorations and his article ICS Credential Storage Implementation.

A final issue to consider is Apple and Windows Phone suffers this too. They abandon OS’es as quickly as some of the phone manufacturers. Its mentioned as a footnote because this discussion concerned Android.

An interesting facet of the problem on Windows Phone: OEMs are contractually obligated to apply Windows Phone updates. For a discussion, see Alan Meeus’ Windows Phone: Security Deep Dive . However, it does not address (1) what Microsoft puts in the store (or omits from the store); and (2) Microsoft abandoning the operating system.

(And sorry about not providing links. This stupid bulletin board software made me take them out).


well win phone maybe but apple? e.g. the iphone 4s came iirc up to ios 9 which is quite some way and a lot longer than most of the androids.


@schoen @kelunik @bmw @jsha @jcjones

I was checking the stats at and see last 24hrs still alot of simpleHttp verifications compared to http-01. As i understand it simpleHttp is going away and new LE client uses http-01. So this infers that alot of folks are still running outdated LE clients ?

Any planned mechanisms in place to ensure and inform LE users to update their LE clients to keep updated ?

does the LE client have it’s own version number it can report ? maybe add to LE client version stats as a reminder for folks to update too


Would be nice to have some kind of user agent logging to know which clients are used. Actually I like the simpleHttp spec currently better, but there’s always an issue for that on GitHub…


actually had a suggestion for a --client-type flag Standalone, Manual, Webroot stats?


We don’t need a flag, the client already knows which plugin is used and could report that in the user-agent header.


but a flag for tracking 3rd party client implementations which wish to pass on their identification to LE servers ?


3rd party implementations don’t use the client at all.


by the way where’s the difference between simpleHTTP and http01, both were iirc some kind of webroot werent they?


yeah but was thinking about tracking 3rd party implemented / obtained cert stats

so on stats page you can see how many ssl certificates are obtained from various 3rd party implementations as well so gives you an idea of popularity of 3rd party vs official LE client implementations


Yes, that’s what a user-agent in HTTP is actually designed for.


http-01 doesn’t allow the tls challenge property and requires http:// instead of either http:// or https:// (default is tls: true in simpleHttp).