Trouble using Let's Encrypt on OS X

I have the latest letsencrypt FYI, and brew is updated.

I did pip install letsencrypt and got Failed building wheel for cffi

Also this:
c/_cffi_backend.c:13:10: fatal error: ‘ffi.h’ file not found
#include <ffi.h>
1 error generated.
error: command ‘clang’ failed with exit status 1

UPDATE: When I install libffi I get a program running for the first time.

I believe you may have had an outdated version of Xcode, but I’m glad you have it working!

No, my Xcode is completely up to date. I’m using Yosemite tho, so maybe that’s a factor.
At any rate, now I can’t proceed because I can’t run commands on the shared server.

I will not feed the trolls. I will not feed the trolls. I will not feed the trolls. I will not feed the trolls.

You’re the one who got all trolly.

1 Like

Big picture time. The goal of the Let’s Encrypt project is to get as much of the web running on https as possible. To do that, they developed/are developing a protocol and client to automate issuing, installing, and renewing certificates.

Automatic issuance, installation, and renewal necessarily implies client software running with the appropriate permissions to do this. If you host your own site on your own Unix-y server, and you trust one of the client implementations, this isn’t too difficult. The client may be a bit tricky to get running, depending on software dependencies (and if the dependencies for the official client are undesirable, there are lots of alternate clients around; see List of Client Implementations), but once you have it running, it’s child’s play to set up a cron job to renew your cert every couple of months. Get that set up, and you never need to worry about your cert expiring.

If you don’t have full control over your web host, things get trickier. In that case, the best (i.e., easiest) solution is to use a web host who directly supports Let’s Encrypt (several are listed at Web Hosting who support Lets Encrypt). With a host who supports LE, getting a cert can be a matter of simply checking a box.

If you don’t have full control over your web server, your web host doesn’t support LE, and you can’t convince them to support LE, honestly, your best bet is probably to get your cert somewhere else. The work to get the cert manually isn’t especially onerous, but you’ll need to repeat it at least every 90 days, rather than every year (or even 2 or 3 years) with other CAs. But if you still want to use LE, the client works in manual mode, or you can use to get your cert without having to install anything on anything.

You say it’s impractical, and that may be true for your use case. It certainly isn’t point-and-click simple at this point with the official client (though it is with the right web hosting services). For many others already, it’s quite practical already.

1 Like

That’s a nice speech, it sounds authoritative, but it is funneling me in the direction of
Why should I trust DANIEL ROESLER of Oakland California who has registered
What if this person is employed by, or as a sock puppet for, the enemies of privacy?

1 Like

Please do some research before you accuse people of being sock puppets or “enemies of privacy”. The source code of the site is freely available at Feel free to review the code and use a local version.

Additionally, the only thing the site sees is your CSR, which does not include your private key (you should never give that to a third-party - the site does mention that too). There are no privacy or security implications here.

It’s not in the least authoritative, and you shouldn’t consider it such. It’s merely my observations of the current status and stated intentions of the project, along with my own experience. But to your question, you don’t have to trust gethttpsforfree (or, which appears to be a somewhat prettier version of the same basic thing), as you aren’t giving them anything sensitive. It could be run by the NSA (or KGB, or whoever you prefer to consider the arch-villain of privacy) itself, and it still wouldn’t compromise your privacy or security in any way. And as @pfg notes, you can just download the page source and run it locally if you prefer.

The CSR does contain your domain name, which some people around here are reluctant to share for some reason. If this bothers you, keep in mind that letsencrypt will publish your certificate anyway, as a matter of certificate transparency

Hi @Flar,

Yep, as you’ve pointed out, it’s not yet as easy to use Let’s Encrypt as we would like it to be. In your example, your hosting provider Gandi already offers an easy-to-use service to purchase and install certificates. Our hope is that such hosting providers will integrate with our API, allowing them to set up certificates for their customers without charging extra. That will be one way to provide super-easy installation.

The official Let’s Encrypt client isn’t yet fully supported on OS X. We should definitely improve the documentation on that front, so I’ve filed a ticket: Pull requests improving OS X support are welcome!

Also, a gentle reminder to all in this thread: please be kind to your fellow forum members. As our Community Guidelines say, “be agreeable, even when you disagree.”

1 Like

It is not an accusation, it’s a rational questioning of the practice of blindly trusting websites, which is inherently foolish.

You don’t have to blindly trusting anything, and no one is suggesting you should. The site literally has a link to its source code on it. If you’re worried about it, review the code. Ultimately, that’s the only way you can be 100% certain. If you’re worried about the commands the site suggests you run, do some research on them or read man pages.

I think I’m being pretty kind, in so far as I’m bringing rationality to the discussion and trying to solve problems.

I don’t see you chastising peelman, who first accused me of wasting his time because I dared to ask questions after I was the victim of having had my time wasted because no one documented the need for libffi until I mentioned it.

I can see why someone else started a thread called “getting bad vibes”. You are giving them now.

pfg, just because there’s a link to source code, that does not mean that is the source code that is installed on the server.
Question your assumptions please.

This is why I suggested running a local version, if you’re worried about that. Please re-read my initial reply.

OK, I’ll check out that option. Thanks pfg.

In addition to @pfg’s point (that you can examine the source yourself, and even run it locally if you prefer) is this one, which both he and I have previously raised: there’s no need to trust the site, because you don’t give it anything sensitive. The information you give (the account public key and the CSR) is public information, and would be publicly released whether or not you used that site. They cannot derive private information (i.e., the account or the site private key) from it. They cannot harm you with it. The worst they can do is mess up the certificate-issuing process so your cert doesn’t work. An inconvenience to be sure, but it does not place any data at risk.

That thread (Getting Bad Vibes) is a masterpiece of vagueness, hand-waving, and innuendo, posted by someone who apparently can't distinguish disagreement from dismissal. The only concrete criticism offered in that thread (and that not by the OP) is that the official client only runs on Unix-y operating systems.

You did not "ask questions" in your OP. You complained that LE was "impractical" and "overly demanding" because it isn't as convenient for your use case as some commercial CAs. That is a waste of time. While your subjective intent may have been to solve a problem, that certainly wasn't apparent from your post.

1 Like

Outstanding patience shown by a couple of members here. I would have lost my cool long before now.

1 Like

Dealing with low-knowledge/non-tech help vampires is one of the reasons why we can’t have nice things (longer duration certs and supporting all forms of obscure use cases). Some people are just looking to cheap on their paid services and place all their support burden (reasonable or not) onto a free community.

1 Like