eva2000
November 2, 2015, 10:06pm
I actually outlined webroot authentication at "Letsencrypt Webroot Authentication Tested on Beta invited/whitelisted domain".
What is Letsencrypt Webroot Authentication?
Authenticator plugin that performs SimpleHTTP challenge by saving necessary validation resources to appropriate paths on the file system. It expects that there is some other HTTP server configured to serve all files under specified web root.
It was born out of the awesome work Kuba did with creating the simplefs plugin, which was later renamed to webroot authentication. In layman's terms, webroot authentication is an alternate way to obtain letsencrypt ssl certificates and pass the SimpleHTTP challenge by following these steps:
1. Create a HTTPS base site beforehand using a self-signed ssl certificate on apache or nginx - this site will have a public web root. This site's domain also needs valid working DNS pointing to the server IP.
2. Run the letsencrypt webroot authentication method and pass your email address AND that site's public web root path to the command you run - this will automatically perform the .well-known uri creation on the defined web root, validating the domain you want the ssl certificate for.
As to why use webroot, I mentioned my thoughts here: Preventing Letsencrypt 3rd party clients going the Android way? - #3 by kelunik
Actually I agree with such separation and having the webroot plugin take more center stage, as it would be a lot easier for different web servers/control panels to do what they do and know best web server/control panel wise in automating a https vhost first and just feeding that vhost's web root via webroot authentication.
1st, it would give web servers/control panel users absolute trust in that their own implementation of server side configuration isn't touched by letsencrypt client itself. I know this would be a concern for some.
2nd, it would give letsencrypt folks full control over the issuance side via webroot authentication so that any 3rd party clients don't fall behind on updates.
3rd, lessens burden on letsencrypt folks to cater and know about every web server type/os configuration out there - of course if you focus on the following you'd have a lot covered - debian/ubuntu/rhel/centos apache and nginx + directadmin, plesk, cpanel.
Unfortunately webroot authentication does require SSH access to run, so not suited for shared hosting.
My vision for webroot authentication is to make it easier for control panels, or folks who know their web server/OS environments best to pre-create their https vhost configurations prior to running webroot authentication.
1 Like
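A pre-flight check a control panel could run before handing a web root to webroot authentication, as an added example that is not part of the original post or of the letsencrypt client: it writes a random probe file under `.well-known/acme-challenge/` and confirms the web server really serves it from that directory. The function names are hypothetical, and the local `http.server` instance is a constructed stand-in for the apache/nginx vhost, using plain HTTP on localhost.

```python
import http.server
import os
import secrets
import tempfile
import threading
import urllib.request
from functools import partial

CHALLENGE_URI = "/.well-known/acme-challenge/"
# Ignore proxy environment variables so the probe goes straight to the server.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def webroot_serves_challenges(webroot, base_url, timeout=5):
    """Return True only if a file written under webroot is served at base_url."""
    token = secrets.token_urlsafe(32)          # random name, no path separators
    body = secrets.token_urlsafe(32).encode()  # random content to compare against
    target_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    path = os.path.join(target_dir, token)
    try:
        os.makedirs(target_dir, exist_ok=True)
        with open(path, "xb") as fh:           # "x": never overwrite an existing file
            fh.write(body)
        os.chmod(path, 0o644)                  # readable by the web server user
        url = base_url.rstrip("/") + CHALLENGE_URI + token
        with OPENER.open(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read() == body
    except OSError:                            # unwritable web root, 404, refused, timeout
        return False
    finally:
        if os.path.exists(path):
            os.remove(path)                    # leave no probe file behind

def serve_directory(directory):
    """Constructed stand-in for the vhost: serve `directory` on a free local port."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

def demo():
    """Check the served directory, then a directory the server does not serve."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        server, url = serve_directory(served)
        try:
            return (webroot_serves_challenges(served, url),
                    webroot_serves_challenges(other, url))
        finally:
            server.shutdown()
            server.server_close()

if __name__ == "__main__":
    print(demo())
```

A `False` result for the path you intended to pass as the web root means the vhost is serving a different directory or blocking dot-directories, which would also make the challenge validation fail.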