The most popular ACME client

So most users. It's certbot.

3 Likes

You sure? Most certificates are probably issued by large integrators (shared hosting and such) and I do hope they aren't using Certbot for that.

In other words: do you have a source for your claim? Or do you perhaps have a certain and specific group in mind for "Certbot", e.g., the users on this Community?

I'd like to ask @xiaohuilam the reason of this question and specifically the target audience: including or excluding large integrators? Accounts or users? Which does not have to be the same. And what's the goal of your question? Just curious?

Asking here on this Community in a "poll" manner would also be not very representitive for every ACME user out there, as there probably is a bias on this Community towards non-Certbot client use I believe.

4 Likes

Yes, that's why I asked if they meant most users or most FQDNs.

Where "user" is defined as the terms of services do: "subscriber" is who holds the private key.

LE published some data in the past, I don't know if there is a fresh publication on this.

3 Likes

Not sure how fair it is to count a single super large integrator as a single subscriber/user :wink:

4 Likes

It's not about fairness, it's a matter of definitions.

Reason why I gave both answers :smiley:

3 Likes

I found some ancient stats from back in 2016:

Back then, LE was significantly smaller than today, I think especially with regard to large integrators. So not sure how much we should trust those graphs to be applicable today.

Maybe @pde can dust of those scripts again, 6 years later, to generate fresh stats? :smiley:

6 Likes

I remember seeing another, maybe fresher, report where the biggest integrators were named, they should be stuff like cloudflare, Shopify, Squarespace, maybe wordpress.com?

3 Likes

Why was this "question" placed in the "praise" category?
[where is the praise?]

5 Likes

But to answer the question:

I choose to use certbot and acme.sh.

5 Likes

CertSage all the way, baby!

:grin:

6 Likes

During the v1 final rampdown, @jple called a zoom meeting that many of us attended where client usage statistics were presented as percentages. I remember @schoen and @petercooperjr being there too.

7 Likes

Please recall those percentages to the best of your knowledge @griffin :rofl:

5 Likes

Uh... :woozy_face:

Can't.

5 Likes

Well, ain't that a pity.

4 Likes

There was a spreadsheet that was shared amongst those of us working on helping get people off of ACMEv1, and I did find it in my Google Drive history (as I don't use Google for much it was actually pretty easy for me to find), but it only has statistics of ACME user agents as a percentage of all ACMEv1 traffic, so I don't think it would help for the general case of understanding client usage on the current protocol.

6 Likes

I remember that the cPanel client was also huge.

5 Likes

(While I am an employee of Let's Encrypt, this post is my own opinion and should not be taken as any kind of official statement about what clients are best.)

The best ACME clients are the ones integrated into products you already use. Traefik or Caddy are very popular examples of software that includes ACME support so no extra clients are needed.

I personally use the GitHub - go-acme/lego: Let's Encrypt/ACME client and library written in Go client frequently, as the Golang ecosystem is one I'm set up to use. Especially if I need to modify a client (eg, to test something about the Let's Encrypt API). Certbot is also good in this category, though python packaging means it can sometimes be a bit trickier to copy somewhere than a single Go binary for the lego CLI.

GitHub - dehydrated-io/dehydrated: letsencrypt/acme client implemented as a shell-script – just add water and GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol are both convenient as they're shell scripts without many dependencies, which makes them easy to use on Linux computers without needing to install much else -- That's what I use on my OpenWRT router for example.

And if you're on Windows, there's clients that work best on those platforms (but I don't have any certs on windows right now so don't have many opinions here).

The biggest clients by any measure tend to be the ones used by large integrators so that's not an entirely helpful metric.

7 Likes

Certbot and acme.sh are the most popular dedicated linux clients (.e.g. software you would install separately just to manage ACME certificates). The most popular clients on Windows are win-acme, Certify The Web and Posh-ACME.

What's best for you will depend largely on your requirements but for instance a user running linux for fun who wants to use Apache or nginx would probably use either Certbot or acme.sh, but if interested in modern web servers when they'd quite possibly choose Caddy instead. Users who are trying to configure kubernetes would probably use cert-manager.

Organisations which are running custom hosting solutions will either integrate a popular library or just build their own ACME client (some orgs prefer not to have external software dependencies).

There was an old PDF somewhere with more detailed user-agent statistics but I can't find it.

7 Likes

If only we knew people is low places...

4 Likes

You mean this one? https://www.abetterinternet.org/documents/letsencryptCCS2019.pdf

According to it, these were the 10 most popular Acme clients between Dec 2018 and Jan 2019:

  • cPanel
  • Certbot
  • Squarespace
  • acme4j
  • Net-ACME2
  • curl
  • Acme::Client
  • Plesk
  • xenolf-acme
  • Go-http-client

I would be curious to see more current numbers.

10 Likes