Hello,
May I ask about let's encrypt providers except zerossl /sslforfree that I can use to get a wildcard key?
I want to upload a CSR and download the key (i.e. don't want to install software on the server).
Regards,
Mac
1 Like
Welcome to the Let's Encrypt Community, Mac 
I used to run one such service for obtaining Let's Encrypt certificates via a webpage interface, which I created when ZeroSSL bought SSLForFree. It violated several aspects of the Let's Encrypt Subscriber Agreement, so I took it down. There is one such service remaining that can be fully trusted (gethttpsforfree.com), but it is manually intensive to use. In case it might be better for you, I adapted my ACME client to work for those who use shared hosting and don't have root access to their servers (like if you use cPanel with GoDaddy). It requires only copying a single PHP file onto your server and runs through a web page right from your server. The code is completely open, so you can easily see that there's nothing strange going on. Let me know if you're interested as it might save you loads of time and effort.
edit:
I just read that you want a wildcard. My current client uses http-01 instead of dns-01 challenges (necessary for wildcard certificates). Do you specifically require a wildcard certificate?
2 Likes
Hi @wmac
that's something you should
- never
- never
- never
do.
Change that. You can install a client
on your local pc (not your webserver), then use something like manual, certonly (no installation) and dns-validation (to create a wildcard) to create a certificate, then install it manual.
But that's terrible -> you have to do that every 60 - 85 days.
That's the reason you should install a client on your server -> to automate the installation.
A webbased ACME client where the private key is only generated on the clients host and never send to the ACME client is perfectly fine from a security point of view.
So with three times "never" in your post (which is kinda strong), could you perhaps clarify? Might make more sense to the OP if you did.
2 Likes
Then you really don't want to use Let's Encrypt. Let's Encrypt is designed, from the ground up, to be automated, such that you'd have a software client automatically renewing the cert every 60 days or so. They don't prevent it from being used as you describe, but they don't facilitate it either, and they certainly don't encourage it.
But if you really want to fight the design of the system, gethttpsforfree.com would likely do the job.
2 Likes
- The account key is somewhere, so the unknown third party can create certificates the next 30 days without validation
- A user isn't able to check these things (checking the source code)
So only solution: Avoid using such third party online tools.
And - per design - automation is required. That requires enough rights to install the certificate and to restart the webserver. So using Letsencrypt certificates -> local installation is required.
So that's
the wrong idea, not LE-compatible.
Clearly that's actually impossible when using gethttpsforfree.com since the user must manually do all of the following on his own server using openssl:
- Generate his own account private key
- Generate his own certificate private key and CSR
- Sign every ACME request himself
The only time I've ever seen anyone expose anything to that website is in accidentally submitting an account private key instead of an account public key to the website, which the website warns the user in bold not to do.
By the author's own words of gethttpsforfree.com, the Javascript source code can be downloaded, inspected, and ran locally rather than on the website. I used the well-commented and complete source code as a working example when building my own ACME client (as have many others).
Honestly, the pain of using gethttpsforfree.com once is usually enough to bring many people to the side of installing an ACME client. I've had several loyal users of my own ACME client come from this path. 
3 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.