Trouble using Let's Encrypt on OS X


#16

Big picture time. The goal of the Let’s Encrypt project is to get as much of the web running on https as possible. To do that, they developed/are developing a protocol and client to automate issuing, installing, and renewing certificates.

Automatic issuance, installation, and renewal necessarily implies client software running with the appropriate permissions to do this. If you host your own site on your own Unix-y server, and you trust one of the client implementations, this isn’t too difficult. The client may be a bit tricky to get running, depending on software dependencies (and if the dependencies for the official client are undesirable, there are lots of alternate clients around; see List of Client Implementations), but once you have it running, it’s child’s play to set up a cron job to renew your cert every couple of months. Get that set up, and you never need to worry about your cert expiring.

If you don’t have full control over your web host, things get trickier. In that case, the best (i.e., easiest) solution is to use a web host who directly supports Let’s Encrypt (several are listed at Web Hosting who support Lets Encrypt). With a host who supports LE, getting a cert can be a matter of simply checking a box.

If you don’t have full control over your web server, your web host doesn’t support LE, and you can’t convince them to support LE, honestly, your best bet is probably to get your cert somewhere else. The work to get the cert manually isn’t especially onerous, but you’ll need to repeat it at least every 90 days, rather than every year (or even 2 or 3 years) with other CAs. But if you still want to use LE, the client works in manual mode, or you can use https://gethttpsforfree.com to get your cert without having to install anything on anything.

You say it’s impractical, and that may be true for your use case. It certainly isn’t point-and-click simple at this point with the official client (though it is with the right web hosting services). For many others, it’s quite practical already.


#17

That’s a nice speech, it sounds authoritative, but it is funneling me in the direction of gethttpsforfree.com.
Why should I trust DANIEL ROESLER of Oakland California who has registered gethttpsforfree.com?
What if this person is employed by, or as a sock puppet for, the enemies of privacy?


#18

Please do some research before you accuse people of being sock puppets or “enemies of privacy”. The source code of the site is freely available at https://github.com/diafygi/gethttpsforfree. Feel free to review the code and use a local version.

Additionally, the only thing the site sees is your CSR, which does not include your private key (you should never give that to a third-party - the site does mention that too). There are no privacy or security implications here.


#19

It’s not in the least authoritative, and you shouldn’t consider it such. It’s merely my observations of the current status and stated intentions of the project, along with my own experience. But to your question, you don’t have to trust gethttpsforfree (or https://letsgetssl.net/, which appears to be a somewhat prettier version of the same basic thing), as you aren’t giving them anything sensitive. It could be run by the NSA (or KGB, or whoever you prefer to consider the arch-villain of privacy) itself, and it still wouldn’t compromise your privacy or security in any way. And as @pfg notes, you can just download the page source and run it locally if you prefer.

The CSR does contain your domain name, which some people around here are reluctant to share for some reason. If this bothers you, keep in mind that letsencrypt will publish your certificate anyway, as a matter of certificate transparency.


#20

Hi @Flar,

Yep, as you’ve pointed out, it’s not yet as easy to use Let’s Encrypt as we would like it to be. In your example, your hosting provider Gandi already offers an easy-to-use service to purchase and install certificates. Our hope is that such hosting providers will integrate with our API, allowing them to set up certificates for their customers without charging extra. That will be one way to provide super-easy installation.

The official Let’s Encrypt client isn’t yet fully supported on OS X. We should definitely improve the documentation on that front, so I’ve filed a ticket: https://github.com/letsencrypt/letsencrypt/issues/1975. Pull requests improving OS X support are welcome!

Also, a gentle reminder to all in this thread: please be kind to your fellow forum members. As our Community Guidelines say, “be agreeable, even when you disagree.”


#21

It is not an accusation, it’s a rational questioning of the practice of blindly trusting websites, which is inherently foolish.


#22

You don’t have to blindly trust anything, and no one is suggesting you should. The site literally has a link to its source code on it. If you’re worried about it, review the code. Ultimately, that’s the only way you can be 100% certain. If you’re worried about the commands the site suggests you run, do some research on them or read man pages.


#23

@jsha
I think I’m being pretty kind, in so far as I’m bringing rationality to the discussion and trying to solve problems.

I don’t see you chastising peelman, who first accused me of wasting his time because I dared to ask questions after I was the victim of having had my time wasted because no one documented the need for libffi until I mentioned it.

I can see why someone else started a thread called “getting bad vibes”. You are giving them now.


#24

pfg, just because there’s a link to source code, that does not mean that is the source code that is installed on the server.
Question your assumptions please.


#25

This is why I suggested running a local version, if you’re worried about that. Please re-read my initial reply.


#26

OK, I’ll check out that option. Thanks pfg.


#27

In addition to @pfg’s point (that you can examine the source yourself, and even run it locally if you prefer) is this one, which both he and I have previously raised: there’s no need to trust the site, because you don’t give it anything sensitive. The information you give (the account public key and the CSR) is public information, and would be publicly released whether or not you used that site. They cannot derive private information (i.e., the account or the site private key) from it. They cannot harm you with it. The worst they can do is mess up the certificate-issuing process so your cert doesn’t work. An inconvenience to be sure, but it does not place any data at risk.
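To make the point above concrete, here is an added example (not from this thread or from gethttpsforfree.com) that generates a key and CSR with the openssl CLI the way the manual flow does, then checks what the CSR carries: the public key and the domain name, but none of the private key components. It assumes the `openssl` binary is on the path and uses the constructed domain `example.com`.

```shell
#!/bin/sh
# Added example: build the artefacts a manual Let's Encrypt flow hands to a
# third-party helper (the CSR), and show what it does and does not contain.
set -eu

WORK=$(mktemp -d)
DOMAIN="example.com"   # constructed sample domain, not a real site

# 1. The private key is generated locally and never leaves this machine.
make_key() {
  openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
}

# 2. The CSR is signed with the private key but carries only the public key
#    and the subject. A minimal config avoids depending on a system openssl.cnf.
make_csr() {
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $DOMAIN
EOF
  openssl req -new -key "$WORK/key.pem" -config "$WORK/req.cnf" -out "$WORK/csr.pem"
}

# The public key embedded in the CSR is exactly the one derived from our key.
csr_pubkey_matches_key() {
  from_csr=$(openssl req -in "$WORK/csr.pem" -noout -pubkey)
  from_key=$(openssl pkey -in "$WORK/key.pem" -pubout)
  [ "$from_csr" = "$from_key" ]
}

# The CSR names the domain (public anyway: the issued cert lands in CT logs).
csr_names_domain() {
  openssl req -in "$WORK/csr.pem" -noout -subject | grep -q "$DOMAIN"
}

# No private component (privateExponent, primes) appears in the CSR, while the
# key file itself does contain it. This is why sharing the CSR is safe and
# sharing key.pem never is.
csr_lacks_private_material() {
  ! openssl req -in "$WORK/csr.pem" -noout -text | grep -q privateExponent &&
  openssl rsa -in "$WORK/key.pem" -noout -text | grep -q privateExponent
}

make_key && make_csr
csr_pubkey_matches_key && csr_names_domain && csr_lacks_private_material
```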


#28

That thread (Getting Bad Vibes) is a masterpiece of vagueness, hand-waving, and innuendo, posted by someone who apparently can’t distinguish disagreement from dismissal. The only concrete criticism offered in that thread (and that not by the OP) is that the official client only runs on Unix-y operating systems.

You did not “ask questions” in your OP. You complained that LE was “impractical” and “overly demanding” because it isn’t as convenient for your use case as some commercial CAs. That is a waste of time. While your subjective intent may have been to solve a problem, that certainly wasn’t apparent from your post.


#30

Outstanding patience shown by a couple of members here. I would have lost my cool long before now.


#32

Dealing with low-knowledge/non-tech help vampires is one of the reasons why we can’t have nice things (longer duration certs and supporting all forms of obscure use cases). Some people are just looking to cheap out on their paid services and place all their support burden (reasonable or not) onto a free community.


#34

Indeed. Even the initial texts from Flar had an attitude like he was contacting someone who owed him something. Although whatever reasons there are, there is a point in expressing them only if they can be understood by the other party. Here I do not see these reasons. The service is free, runs on donations (or so I understood), and is in beta stage, so it will get better later — it is quite obvious that one day this will be solved due to huge demand. It is also great how OP states that “he has limited time” and “I don’t want to pay money”, because this is exactly how you ask the community to do something for you, as if everyone else is flush with time and money :smile: . Wonder if it ever works.


#35

Yeah, I don’t understand the sense of entitlement this guy is portraying. It’s a free service, provided by altruistic, knowledgeable and hard working people for the benefit of everyone.
The various OS ports are done by hard working philanthropic volunteers and he acts as if they are contractually obliged to drop everything and focus on his specific issue and then throws his toys out of the pram when that’s not achieved.
And yet even after all this some people still try and help him.
I couldn’t do it.
You guys have the patience of a saint and I take my hat off to you.


#37

What were you expecting from software in a beta phase that specifically gave you the following warning when you attempted to use it?

WARNING: Mac support is very experimental at present…

Consider Let’s Encrypt on OS X a developer preview; if you’re not willing to invest time into solving issues or don’t have the technical capabilities to do so, wait until OS X is fully supported or try a different client.


#38

That warning was not clear earlier on, neither to me nor, clearly, to multiple other people.
At any rate I have tried to be helpful in giving feedback on how it is not working properly; the response however has been negative, much as another person said: “bad vibes”. One idiot bizarrely accused me of being a troll, and others then acted a bit like cult members going after the heretic.


#39

How do you mean? The warning has been in place for a long time, or did you mean it’s not obvious enough, or not in the right place? If so, how do you think it could be improved on? Documentation is certainly not perfect yet, so understanding where those issues stem from is important.

The negativity, if you want to call it that, came up because of how you gave your feedback, not because of what you were talking about. You came in with the expectation that a free CA which just started issuing certificates and is still in a beta state would immediately be as convenient as getting a certificate from either one of the biggest domain registrars in the business (which is probably in a position to skip a lot of verification steps due to being your registrar), or one of the biggest and oldest CAs out there. That was obviously asking for a bit too much, but people were happy to point you towards alternative options and/or clients anyway. If you want to go ahead and review this thread, you will see that there were a number of helpful replies before the first person said anything about your expectations being too high, at which point the discussion took a turn for the worse.

Unfortunately, the feeling of entitlement and not knowing the difference between providing valid feedback and demanding that things be done the way one wants them to be is what turns a lot of people away from starting or contributing to open source projects.