Web-page-based client, requires manual fulfillment of ACME challenges and cautious handling of encryption keys

This webpage client is only used in scenarios where you want to manually apply for a certificate.

  • The source code of the client side of this webpage has been open sourced, and the access URL is provided by the hosting warehouse, and the source code is transparent and traceable.
  • This client is only a single static HTML web page file, without any dependencies, it can be directly saved to your local use.
  • Compared with binary programs and class libraries that are difficult to analyze, html code and network request data are easier to review and more secure and reliable.
  • Compared with command line scripts, web pages have an easy-to-use UI interface and are easier to use.
  • Except for the ACME interface address of the certificate authority you specify, this webpage client will not send data to any other address, and it is easy to check the network data through the browser console.
  • This webpage client does not depend on the operating system environment, no need to download and install software, no need to register, no need to log in.

Online use URL: https://xiangyuecn.github.io/ACME-HTML-Web-Browser-Client/ACME-HTML-Web-Browser-Client.html
GitHub: https://github.com/xiangyuecn/ACME-HTML-Web-Browser-Client

Support to apply for RSA, ECC/ECDSA certificates from certificate authorities that support the ACME protocol, such as Let's Encrypt and ZeroSSL, and support multiple domain names and wildcards.

Because it is a single HTML file, it does not depend on any other files, and does not send any non-ACME interface requests. The key pair generation and CSR generation are implemented by pure js code. The webpage is hosted on GitHub, and the webpage code is very easy to read and review, so this client is very secure (more secure than common binaries and command line scripts).


If you don't need automatic renewal and just want to apply for a certificate, using the webpage version of the client should be the best choice.

It may be because of manual operation and the fact that automatic renewal is not supported. The ACME client list on the official website does not provide a browser version of the client. As a result, users who only want to obtain certificates and do not need automation functions must carefully use those clients that are not easy to use.

I have been applying for a certificate through the diafygi/gethttpsforfree webpage before, but the operation was too complicated, and I couldn't find a better web client from the official website, so I wrote my own code and made one, welcome to use🎉.

Certificate Expiration Risk Alert: Since this web client can only be operated manually and does not support automatic renewal, you should pay attention to apply for a new certificate before the certificate expires (free certificates are generally valid for 90 days, you only need to repeat the operation at that time), or use acme.sh and other client automatic renewal.

2 Likes

WARNING!

While I applaud the extensive amount of information presented, due to inherent difficulty of proper usage and outstanding risk, this community strongly discourages the use of any client that requires:

  • manual fulfillment of challenges
  • generation of private keys outside of their intended environment of use

6 Likes

The following claims are highly disputable.

More secure and reliable? By what standards?

Easy to check? By what standards?

Registration for an ACME account is inherent in the usage of any ACME client.

Very easy to read and review? Very secure? More secure than common binaries and command line scripts? By what standards?

The best choice? By what standards?

For very well-established reasons documented throughout this community.

Not easy to use? By what standards?

Better web client? Than the none listed there? Thousands of such "clients" exist across the internet that can easily be found via any popular search engine.

This community highly encourages renewal attempts to be initiated when 1/3 of the lifetime of a certificate remains (30 days prior to expiration).

4 Likes

Thank the community for resuming this post😃

The English content of this post is translated, and there may be differences in expression, so is the following content.


Thank you for your reminder😊, I would like to explain the controversial issues:

  • More secure and reliable? By what standards?
    Because this is a web page, and it is a single static file, there is no invisible dependency, and no invisible request is sent. Opening a web page brings less psychological pressure than opening a binary program or script. Note: I do not advocate that any web page is safe, a reliable web page client may need a reliable website to host it.

  • Easy to check? By what standards?
    Because the browser runs this client and the browser console is very powerful, binary programs or server programs or scripts must rely on other tools to check network data; although there is no standard, it is a fact.

  • Registration for an ACME account is inherent in the usage of any ACME client.
    What I mean by registration and login is that although many websites have the function of applying for a Let's Encrypt certificate, they must register and log in to their websites.

  • Very easy to read and review? Very secure? More secure than common binaries and command line scripts? By what standards?
    Refer to "Easy to check? By what standards?". Note: I do not advocate that any web page is safe, a reliable web page client may need a reliable website to host it.

  • The best choice? By what standards?
    Although there is no standard, it is a fact: It is easy to open a web page, and it is easier to operate with a UI. These are only for scenarios where you just want to obtain a certificate.

  • For very well-established reasons documented throughout this community.
    I learned about it before, but it seems that it is still under discussion and has been shelved.

  • Not easy to use? By what standards?
    Refer to "The best choice? By what standards?". These are only for scenarios where you just want to obtain a certificate.

  • Better web client? Than the none listed there? Thousands of such "clients" exist across the internet that can easily be found via any popular search engine.
    No, I can't find it. I only found 'diafygi/gethttpsforfree' in the official early ACME client list. Many others need to log in and register their websites, or the page dependency is complex, and the working principle is very unclear; there are few excellent websites.

  • This community highly encourages renewal attempts to be initiated when 1/3 of the lifetime of a certificate remains (30 days prior to expiration).
    Very good proposal~


I think I should explain security again:

  • This client is only a single static HTML file, no other dependencies. Web pages are hosted in GitHub, and there is almost no risk of hijacking and tampering.
  • The key pair generation and CSR generation are all implemented by pure js code, and will not be saved or sent to anyone.
  • The client of this webpage will not send a request to any address other than the ACME interface address.

By reading the source code and the browser console, it is easy to check these key points.

In addition, the working mode of the client is a little like the server program (such as php). HTML+CSS build the UI, and JS serve as the service program😃.

1 Like
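
One way to test the "no requests other than to the ACME interface" claim discussed in this thread, as an added example that is not part of any post or of the client's own code: export the session from the browser's Network tab as a HAR file and compare every request origin against an exact allowlist. The sample capture, the `.example` hosts and the choice of Let's Encrypt as the CA are constructed assumptions.

```javascript
// Added example (not from the client's repository): audit a HAR export against
// an origin allowlist. HAR 1.2 keeps each request in log.entries[].request.
function auditHar(har, allowedOrigins) {
  const allowed = new Set(allowedOrigins.map((u) => new URL(u).origin));
  const counts = new Map(); // origin -> number of requests seen
  const unexpected = [];    // requests to origins outside the allowlist
  for (const { request } of har.log.entries) {
    let url;
    try {
      url = new URL(request.url);
    } catch {
      unexpected.push({ method: request.method, url: request.url, origin: null });
      continue;
    }
    if (url.protocol === "data:") continue; // inline resource, no network traffic
    counts.set(url.origin, (counts.get(url.origin) || 0) + 1);
    // Exact origin comparison: a substring match would accept look-alike hosts.
    if (!allowed.has(url.origin)) {
      unexpected.push({ method: request.method, url: request.url, origin: url.origin });
    }
  }
  return { counts, unexpected, clean: unexpected.length === 0 };
}

// Constructed sample capture; the last two entries are deliberately out of policy.
const ACME = "https://acme-v02.api.letsencrypt.org";
const sampleHar = { log: { version: "1.2", entries: [
  { request: { method: "GET", url: "https://xiangyuecn.github.io/ACME-HTML-Web-Browser-Client/ACME-HTML-Web-Browser-Client.html" } },
  { request: { method: "GET", url: ACME + "/directory" } },
  { request: { method: "HEAD", url: ACME + "/acme/new-nonce" } },
  { request: { method: "POST", url: ACME + "/acme/new-acct" } },
  { request: { method: "GET", url: "data:image/png;base64,AAAA" } },
  { request: { method: "POST", url: "https://telemetry.example/collect" } },
  { request: { method: "GET", url: ACME + ".example/directory" } },
] } };

// Allowlist: the page's own origin plus the ACME host selected in the UI (assumed).
const ALLOWED = ["https://xiangyuecn.github.io", ACME];

const report = auditHar(sampleHar, ALLOWED);
for (const r of report.unexpected) console.log("UNEXPECTED", r.method, r.url);
```

A clean result covers only the recorded session and the copy of the page that was loaded, so the capture has to be repeated whenever the page changes.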

None of those reasons make your potentially locally downloaded and run webpage with active scripting any more secure than another client. They certainly in no way make it more reliable.

The typical user of this client would likely have zero experience using a browser console (or network monitoring for that matter). Stating that something is a fact doesn't prove it to be so or prove it to be true.

I have personally encountered many, many such websites with many of those encounters being documented within this community. Not a single one of those websites has ever required registration for usage.

I have already refuted the referenced claims. The ones I refuted here are even more outrageous.

Again, your opinion doesn't make something a fact. "Easiness of opening and operation" is by no means an adequate criterion for "best choice" regardless of whether one only wants to obtain a certificate.

No, it's not under discussion. I've spent untold hours in this community and have heard virtually no such consideration. To the best of my knowledge, this type of client will never have support here. It's not shelved. It's decidedly dead for third parties.

Again, no 3rd party website client of the multitudes I have encountered requires registration to use. I personally find the page of this client to be overwhelming and difficult to read, making it difficult to navigate and use. No such website client is listed on the official clients page, making it utterly impossible to evaluate the "betterness" of this client compared to nothing.

Most potential users of this client would lack all necessary skills to do either of the demanded functions, thus making their easiness to perform being nonexistent. Just because something is easy in your opinion does not make it universally easy. Virtually no one will want to take the time to perform the demanded functions nonetheless learn how to perform them.


I understand perfectly what this client does and how it operates per your repetitive description. It is yet another punchsalad albeit with far more features and info, but far more difficult to comprehend.

I laud your efforts of writing a client and structuring such a large amount of information. IMO with further research of the field and existing offerings, I believe that you may find a niche for your development efforts. I merely want to provide an honest and academic review of what you have presented here and the claims you have made.

5 Likes