The most seen ACME client

9peppe · April 24, 2022, 8:13am

So most users. It's certbot.

Osiris · April 24, 2022, 8:40am

You sure? Most certificates are probably issued by large integrators (shared hosting and such) and I do hope they aren't using Certbot for that.

In other words: do you have a source for your claim? Or do you perhaps have a certain and specific group in mind for "Certbot", e.g., the users on this Community?

I'd like to ask @xiaohuilam the reason of this question and specifically the target audience: including or excluding large integrators? Accounts or users? Which does not have to be the same. And what's the goal of your question? Just curious?

Asking here on this Community in a "poll" manner would also be not very representitive for every ACME user out there, as there probably is a bias on this Community towards non-Certbot client use I believe.

9peppe · April 24, 2022, 8:50am

Yes, that's why I asked if they meant most users or most FQDNs.

Where "user" is defined as the terms of services do: "subscriber" is who holds the private key.

LE published some data in the past, I don't know if there is a fresh publication on this.

Osiris · April 24, 2022, 8:55am

Not sure how fair it is to count a single super large integrator as a single subscriber/user

9peppe · April 24, 2022, 9:07am

It's not about fairness, it's a matter of definitions.

Reason why I gave both answers

Osiris · April 24, 2022, 9:08am

I found some ancient stats from back in 2016:

Back then, LE was significantly smaller than today, I think especially with regard to large integrators. So not sure how much we should trust those graphs to be applicable today.

Maybe @pde can dust of those scripts again, 6 years later, to generate fresh stats?

9peppe · April 24, 2022, 9:13am

I remember seeing another, maybe fresher, report where the biggest integrators were named, they should be stuff like cloudflare, Shopify, Squarespace, maybe wordpress.com?

rg305 · April 24, 2022, 6:11pm

Why was this "question" placed in the "praise" category?
[where is the praise?]

rg305 · April 24, 2022, 6:12pm

But to answer the question:

I choose to use certbot and acme.sh.

griffin · April 24, 2022, 8:46pm

CertSage all the way, baby!

griffin · April 24, 2022, 8:49pm

During the v1 final rampdown, @jple called a zoom meeting that many of us attended where client usage statistics were presented as percentages. I remember @schoen and @petercooperjr being there too.

Osiris · April 24, 2022, 8:51pm

Please recall those percentages to the best of your knowledge @griffin

griffin · April 24, 2022, 8:51pm

Uh...

Can't.

Osiris · April 24, 2022, 8:52pm

Well, ain't that a pity.

petercooperjr · April 24, 2022, 10:01pm

There was a spreadsheet that was shared amongst those of us working on helping get people off of ACMEv1, and I did find it in my Google Drive history (as I don't use Google for much it was actually pretty easy for me to find), but it only has statistics of ACME user agents as a percentage of all ACMEv1 traffic, so I don't think it would help for the general case of understanding client usage on the current protocol.

schoen · April 25, 2022, 1:27am

I remember that the cPanel client was also huge.

mcpherrinm · April 25, 2022, 6:38pm

(While I am an employee of Let's Encrypt, this post is my own opinion and should not be taken as any kind of official statement about what clients are best.)

The best ACME clients are the ones integrated into products you already use. Traefik or Caddy are very popular examples of software that includes ACME support so no extra clients are needed.

I personally use the GitHub - go-acme/lego: Let's Encrypt/ACME client and library written in Go client frequently, as the Golang ecosystem is one I'm set up to use. Especially if I need to modify a client (eg, to test something about the Let's Encrypt API). Certbot is also good in this category, though python packaging means it can sometimes be a bit trickier to copy somewhere than a single Go binary for the lego CLI.

GitHub - dehydrated-io/dehydrated: letsencrypt/acme client implemented as a shell-script – just add water and GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol are both convenient as they're shell scripts without many dependencies, which makes them easy to use on Linux computers without needing to install much else -- That's what I use on my OpenWRT router for example.

And if you're on Windows, there's clients that work best on those platforms (but I don't have any certs on windows right now so don't have many opinions here).

The biggest clients by any measure tend to be the ones used by large integrators so that's not an entirely helpful metric.

webprofusion · April 26, 2022, 3:47am

Certbot and acme.sh are the most popular dedicated linux clients (.e.g. software you would install separately just to manage ACME certificates). The most popular clients on Windows are win-acme, Certify The Web and Posh-ACME.

What's best for you will depend largely on your requirements but for instance a user running linux for fun who wants to use Apache or nginx would probably use either Certbot or acme.sh, but if interested in modern web servers when they'd quite possibly choose Caddy instead. Users who are trying to configure kubernetes would probably use cert-manager.

Organisations which are running custom hosting solutions will either integrate a popular library or just build their own ACME client (some orgs prefer not to have external software dependencies).

There was an old PDF somewhere with more detailed user-agent statistics but I can't find it.

rg305 · April 26, 2022, 3:48am

If only we knew people in low places...

shred · April 29, 2022, 1:23pm

You mean this one? https://www.abetterinternet.org/documents/letsencryptCCS2019.pdf

According to it, these were the 10 most popular Acme clients between Dec 2018 and Jan 2019:

cPanel
Certbot
Squarespace
acme4j
Net-ACME2
curl
Acme::Client
Plesk
xenolf-acme
Go-http-client

I would be curious to see more current numbers.