Trouble using Let's Encrypt on OS X


#1

When I buy a certificate from my hosting service (Gandi), the process is only a few steps and it does not require root access to anything (which I don’t have anyway as far as I know) and it doesn’t require running unverified binaries of unknown origin on my Mac from Macports.

When I got a free 90-day certificate from Comodo, the process was just as facile as when I bought one from Gandi and they are not even my hosting provider.

I don’t want to pay money for a certificate, because it’s rather expensive, but it seems that at this stage the Let’s Encrypt service is overly demanding of someone like myself who has limited access, limited time, and just a low-end hosting package.

When will Let’s Encrypt provide a service that is as easy to use as Gandi’s or Comodo’s?


#2

Ultimately, yes.

It’s still ‘Beta’ though, so still involves a little work for people who want to use it at the current time.


#3

Unfortunately there isn’t any real free lunch here.

You either pay in:

  1. money (commercial ssl certificate) or
  2. time/expertise (letsencrypt and knowing how to use their official client) or
  3. time/expertise (letsencrypt and knowing how to use various other alternative clients listed at List of Client Implementations some of which do not require root access)


#4

Not to mention 4 to 6 times a year with a publicly stated intention to even increase that.


#5

Open beta implies bugs and issues that still need to be overcome. You have many options and I’ll list them:

  • I keep an active list of hosts that support Let’s Encrypt on shared hosting if you wanted to change hosting providers.
  • Follow the guide using a Linux live CD like Linux Mint and create your certs (in VirtualBox); doing this 4 times a year is extremely easy: Tutorial for OS X local certificates and Shared Hosting
  • Bug your hosting to add support via social networking or their feedback email; they probably don’t know about it.

And above all, vote this up: https://features.cpanel.net/topic/provide-support-for-lets-encrypt-automated-certificate-management-ssl

The sooner a legit cPanel addon is made, the faster it gets implemented.


#6

Just a note. I’d love to use VirtualBox; however, I have found no way on OS X Yosemite to get files out of VirtualBox other than FTP. It refuses to mount any USB drive.


#7

Considering that the program letsencrypt-auto does not even run on OS X Yosemite, I don’t know what you think I’m supposed to do. What good would a script do? I have Xcode installed, and I installed Homebrew as well, but letsencrypt-auto prints… (after I installed the latest setuptools)…

Updating letsencrypt and virtual environment dependencies… Failed building wheel for cffi

Command "/Users/me/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;file=… failed with error code 1 in /private/tmp/pip-build-AE1HoL/cffi


#8

You realize that nobody is forcing you to use Let’s Encrypt? If you’re happy with it, then use it. If you’re happy paying money for “easy” services, then continue doing so. Once things actually get off the ground with the project, and adoption becomes more widespread, revisit the project. Until then, there’s really no point wasting everybody’s time on threads debating the ‘impracticality’ when what you really mean is ‘this isn’t as convenient as I want it to be’.


#9

There is an issue if you have old files, I made a bug report already: https://github.com/letsencrypt/letsencrypt/issues/1888

Don’t use brew; use PyPI (i.e. pip install letsencrypt), or you need to update your brew: brew update

You could try sharing files via the network, i.e. a shared folder, since Samba should work fine. Or you could use VMware Player and try it on that.

If you really wanted to pursue it, then boot from Linux Mint using rEFInd and do everything there, plug in a USB drive and be done with it.

@peelman I also agree.


Errors on OS/X most worrisome

#10

peelman:
Aren’t you an engineer? Maybe you are a sysadmin who doesn’t like problem solving.


#11

I have the latest letsencrypt FYI, and brew is updated.

I did pip install letsencrypt and got Failed building wheel for cffi

Also this:
c/_cffi_backend.c:13:10: fatal error: ‘ffi.h’ file not found
#include <ffi.h>
^
1 error generated.
error: command ‘clang’ failed with exit status 1

UPDATE: When I install libffi I get a program running for the first time.


#12

I believe you may have had an outdated version of Xcode, but I’m glad you have it working!


#13

No, my Xcode is completely up to date. I’m using Yosemite though, so maybe that’s a factor.
At any rate, now I can’t proceed because I can’t run commands on the shared server.


#14

I will not feed the trolls. I will not feed the trolls. I will not feed the trolls. I will not feed the trolls.


#15

You’re the one who got all trolly.


#16

Big picture time. The goal of the Let’s Encrypt project is to get as much of the web running on https as possible. To do that, they developed/are developing a protocol and client to automate issuing, installing, and renewing certificates.

Automatic issuance, installation, and renewal necessarily implies client software running with the appropriate permissions to do this. If you host your own site on your own Unix-y server, and you trust one of the client implementations, this isn’t too difficult. The client may be a bit tricky to get running, depending on software dependencies (and if the dependencies for the official client are undesirable, there are lots of alternate clients around; see List of Client Implementations), but once you have it running, it’s child’s play to set up a cron job to renew your cert every couple of months. Get that set up, and you never need to worry about your cert expiring.

If you don’t have full control over your web host, things get trickier. In that case, the best (i.e., easiest) solution is to use a web host who directly supports Let’s Encrypt (several are listed at Web Hosting who support Lets Encrypt). With a host who supports LE, getting a cert can be a matter of simply checking a box.

If you don’t have full control over your web server, your web host doesn’t support LE, and you can’t convince them to support LE, honestly, your best bet is probably to get your cert somewhere else. The work to get the cert manually isn’t especially onerous, but you’ll need to repeat it at least every 90 days, rather than every year (or even 2 or 3 years) with other CAs. But if you still want to use LE, the client works in manual mode, or you can use https://gethttpsforfree.com to get your cert without having to install anything on anything.

You say it’s impractical, and that may be true for your use case. It certainly isn’t point-and-click simple at this point with the official client (though it is with the right web hosting services). For many others already, it’s quite practical already.
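As an added illustration of the cron-driven renewal that #16 describes (example code, not from this thread and not the Let’s Encrypt client’s own code): a small POSIX shell script that a daily cron job can run. It reads the certificate already installed on disk, asks openssl whether it will expire within a chosen number of days, and only then runs whatever renewal command you pass it, so a 90-day certificate is renewed roughly every 60 days without the job contacting the CA on every run. It assumes the openssl CLI is on PATH; the certificate path, the 30-day window, the cron schedule and the renewal command in the comment are placeholders, and `example.test` is a constructed name used only for the local test fixture.

```shell
#!/bin/sh
# Added example, not from the thread: a renewal check meant to be run from cron.
# It inspects the certificate on disk and only runs the renewal command when
# that certificate is within DAYS days of expiry, so the job can be scheduled
# daily and still only talks to the CA when renewal is actually due.
# Assumptions: the openssl CLI is on PATH; the renewal command is whatever
# ACME client you use (passed in as arguments; placeholder in the comment below).
set -eu

# needs_renewal CERT DAYS: succeed (exit 0) when CERT is missing/unreadable or
# will expire within DAYS days. "openssl x509 -checkend N" exits 0 only while
# the certificate is still valid N seconds from now, so its result is inverted.
needs_renewal() {
    cert="$1"
    days="$2"
    if [ -r "$cert" ] && openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_needed CERT DAYS CMD [ARGS...]: run CMD only when renewal is due.
# Exits 0 when nothing is due so cron does not report failure on the (common)
# days when there is nothing to do; a failing renewal command still fails the job.
renew_if_needed() {
    cert="$1"
    days="$2"
    shift 2
    if needs_renewal "$cert" "$days"; then
        echo "certificate $cert expires within $days days; renewing"
        "$@"
    else
        echo "certificate $cert still valid for more than $days days; nothing to do"
    fi
}

# make_test_cert OUT DAYS: constructed fixture for trying the check locally,
# a self-signed certificate for the placeholder name example.test valid for
# DAYS days (its key is written next to it). Never serve such a certificate.
make_test_cert() {
    out="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=example.test" -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Example cron entry (placeholder paths; runs daily at 03:17 and only renews when due):
#   17 3 * * * /usr/local/bin/check-renew.sh /etc/ssl/example.test.pem 30 /path/to/acme-client renew
[ $# -eq 0 ] || renew_if_needed "$@"
```

Invoked as `check-renew.sh CERT DAYS RENEW-COMMAND...`, the script is safe to run far more often than the certificate lifetime, which is the property you want from a cron job: a missed or failed run is retried the next day, well before the 90-day expiry.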


#17

That’s a nice speech, it sounds authoritative, but it is funneling me in the direction of gethttpsforfree.com.
Why should I trust DANIEL ROESLER of Oakland California who has registered gethttpsforfree.com?
What if this person is employed by, or as a sock puppet for, the enemies of privacy?


#18

Please do some research before you accuse people of being sock puppets or “enemies of privacy”. The source code of the site is freely available at https://github.com/diafygi/gethttpsforfree. Feel free to review the code and use a local version.

Additionally, the only thing the site sees is your CSR, which does not include your private key (you should never give that to a third-party - the site does mention that too). There are no privacy or security implications here.


#19

It’s not in the least authoritative, and you shouldn’t consider it such. It’s merely my observations of the current status and stated intentions of the project, along with my own experience. But to your question, you don’t have to trust gethttpsforfree (or https://letsgetssl.net/, which appears to be a somewhat prettier version of the same basic thing), as you aren’t giving them anything sensitive. It could be run by the NSA (or KGB, or whoever you prefer to consider the arch-villain of privacy) itself, and it still wouldn’t compromise your privacy or security in any way. And as @pfg notes, you can just download the page source and run it locally if you prefer.

The CSR does contain your domain name, which some people around here are reluctant to share for some reason. If this bothers you, keep in mind that Let’s Encrypt will publish your certificate anyway, as a matter of certificate transparency.
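To make the point in #18 and #19 concrete, here is an added example (not code from this thread, from gethttpsforfree or from Let’s Encrypt) that generates a private key and a CSR with the openssl CLI and then checks what the request actually contains: the DNS names being asked for and the public key, self-signed by the private key, but never the private key itself. It also checks, before you would hand the CSR to any signing helper, that the public key inside it matches the key you are keeping. It assumes openssl 1.1.1 or newer is on PATH (for `-addext`); `example.test` and `www.example.test` are constructed placeholder names.

```shell
#!/bin/sh
# Added example, not from the thread: what a CSR does and does not carry,
# checked with the openssl CLI (assumed to be on PATH, version 1.1.1 or newer).
# The private key written here never leaves the machine; the CSR is the only
# artefact a web-based signing helper or a CA needs to see.
set -eu

# make_key_and_csr DIR NAME [EXTRA_NAME]: write DIR/key.pem and DIR/csr.pem
# for the hostname NAME, with an optional second subjectAltName entry.
# example.test (used in the tests) is a constructed placeholder domain.
make_key_and_csr() {
    dir="$1"
    name="$2"
    extra="${3:-}"
    san="DNS:$name"
    [ -z "$extra" ] || san="$san,DNS:$extra"
    # 2048-bit RSA key in PKCS#8 PEM form; this file is the secret to protect.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/key.pem" 2>/dev/null
    # The request: subject, requested SANs and the public key, signed with the key above.
    openssl req -new -key "$dir/key.pem" -subj "/CN=$name" \
        -addext "subjectAltName=$san" -out "$dir/csr.pem" 2>/dev/null
}

# csr_contains_private_key FILE: succeed if any PEM private-key block is present.
# For a correctly generated CSR this must fail; it succeeds for key.pem.
csr_contains_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# csr_names CSR: print the DNS names the request asks for, one per line.
# These are the one piece of non-secret information the CSR reveals, and the
# issued certificate is published in Certificate Transparency logs anyway.
csr_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# csr_matches_key CSR KEY: succeed when the public key embedded in the CSR is
# the one derived from KEY. Worth checking before pasting a CSR anywhere: the
# certificate you get back is only usable together with this exact key.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# csr_signature_ok CSR: succeed when the request's self-signature verifies,
# i.e. it was produced by the holder of the enclosed public key's private half.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Typical use (placeholder directory):
#   make_key_and_csr /tmp/le example.test www.example.test
#   csr_contains_private_key /tmp/le/csr.pem && echo "do not send this"
#   csr_names /tmp/le/csr.pem
```

The file you would upload to a site like the one discussed above is `csr.pem`; `key.pem` stays with you and is later paired with the certificate the CA returns, which is why a third party holding only the CSR cannot impersonate the site.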


#20

Hi @Flar,

Yep, as you’ve pointed out, it’s not yet as easy to use Let’s Encrypt as we would like it to be. In your example, your hosting provider Gandi already offers an easy-to-use service to purchase and install certificates. Our hope is that such hosting providers will integrate with our API, allowing them to set up certificates for their customers without charging extra. That will be one way to provide super-easy installation.

The official Let’s Encrypt client isn’t yet fully supported on OS X. We should definitely improve the documentation on that front, so I’ve filed a ticket: https://github.com/letsencrypt/letsencrypt/issues/1975. Pull requests improving OS X support are welcome!

Also, a gentle reminder to all in this thread: please be kind to your fellow forum members. As our Community Guidelines say, “be agreeable, even when you disagree.”