Website that generates LE certs - gethttpsforfree

Hi community,

Any feedback on if https://gethttpsforfree.com/ is reliable and safe?

I realise security is better than on sites where they have your private key, and the guy who wrote this seems genuine.

2 Likes

Let's Encrypt offers a list of ACME Client Implementations. It doesn't include any browser implementations, citing:

Some in-browser ACME clients are available, but we do not list them here because they encourage a manual renewal workflow that results in a poor user experience and increases the risk of missed renewals.


Depending on what threat model you're assessing, this in-browser client might not be considered safe because of the manual renewal aspect. If you don't/can't renew and install an updated certificate before the current one expires, your site won't be accessible with a valid certificate. I cannot speak to any other reliable or safe aspects.

3 Likes

As someone who has actually used gethttpsforfree.com many times, I can tell you that it is absolutely the gold standard when it comes to security. There are literally hundreds of references to that site in this community. It was the basis of the design of my own ACME client, is written entirely in JavaScript, can be fully downloaded, and has excellent commenting for understanding the ACME process (though the design is a bit convoluted due to using JavaScript to update the interface without ever reloading the page).

All that said... gethttpsforfree.com is also the most laborious and tedious ACME client you will ever come across. One mistake or working too slowly will result in repeating an hour of manual labor.

Just be aware that the public key it requests early in the process corresponds to the private key that you create for your ACME account and cannot be the same as the public key in your certificate signing request (CSR)!

2 Likes

Thanks for the reply. Would you endorse any other site instead, that isn't so laborious?

Rob

2 Likes

Honestly, at the moment, no. I would have recommended my own, but I've since shut it down to adapt my ACME client to be a "drop-in" PHP file that uses http-01 challenges instead of dns-01. There are a number of website clients out there.

Guidelines
  • Never, ever, ever let a remote website ACME client generate your CSR (and thus your certificate private key) for you no matter what promises they make
  • Never, ever, ever submit your private key to a website ACME client
  • Be aware that the remote website ACME client might be using its own ACME account key and thus have the power to generate certificates for your validated domain names for 30 days.
  • Be aware that the remote website ACME client might be using its own ACME account key and thus have the power to revoke any certificates generated using that ACME account
1 Like
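
The key handling discussed in this thread (generate the ACME account key and the certificate key yourself, and never use the same key for both), as an added example that is not part of any post above or of gethttpsforfree.com's own code. The file names, the function names and `example.com` are assumptions; it needs OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/usr/bin/env bash
# Added example: local key generation plus a pre-submission check that the
# CSR was not built from the ACME account key. Nothing here leaves the machine.

# make_keys DIR DOMAIN [BITS]: create account.key, domain.key, domain.csr in DIR.
make_keys() {
  local dir=$1 domain=$2 bits=${3:-2048}
  (
    umask 077   # private keys readable by the owner only
    openssl genrsa -out "$dir/account.key" "$bits" 2>/dev/null &&
    openssl genrsa -out "$dir/domain.key"  "$bits" 2>/dev/null
  ) || return 1
  # The CSR carries only the public half of domain.key; this is the one file
  # (besides the account *public* key) that a web-based client should ever see.
  openssl req -new -sha256 -key "$dir/domain.key" \
    -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" \
    -out "$dir/domain.csr"
}

# check_csr ACCOUNT_KEY CSR
#   returns 0 if the CSR public key differs from the account public key,
#           1 if the same key was used for both,
#           2 if either file cannot be parsed.
check_csr() {
  local acct csr
  acct=$(openssl pkey -in "$1" -pubout 2>/dev/null) || {
    echo "cannot read account key: $1" >&2; return 2; }
  csr=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || {
    echo "cannot read CSR: $2" >&2; return 2; }
  # Both commands emit the public key as a PEM SubjectPublicKeyInfo block,
  # so a plain string comparison is enough to detect reuse.
  if [ "$acct" = "$csr" ]; then
    echo "CSR uses the ACME account key; generate a separate domain key" >&2
    return 1
  fi
  return 0
}

# Demo in a throwaway directory (constructed input; example.com is a placeholder).
demo=$(mktemp -d)
make_keys "$demo" example.com &&
  check_csr "$demo/account.key" "$demo/domain.csr" &&
  echo "OK: CSR key differs from ACME account key"
rm -rf "$demo"
```

Only `domain.csr` and the public half of `account.key` (`openssl pkey -in account.key -pubout`) need to be pasted into a browser-based client; both private key files stay on the machine that generated them.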
