Why is a client needed?

My domain is: not yet

Hi,
I’m quite new to letsencrypt and searched for an answer to my question for a good half an hour before posting it here. It might have been already answered but I couldn’t find one after lots of searches.
Background: I’m a PHP developer. Besides work, I have my own website hosted on a shared hosting service which never uses any new technology including support of letsencrypt within their CPanel (I’m thinking of moving away from them forever to something more advanced but that’s another story).
I know that an SSL certificate is a pair of private and public keys. Since I heard about letsencrypt I thought it works like this:
I go to a website
I click sign up and follow a procedure
I log in with my new account
There will be a green button named like ‘Create’ or ‘New’ and there we go! I have two read-only text inputs on the website to copy my new private and public keys! That’s it! Easy! Go ahead and enjoy your ssl. Just remember to come back within 90 days to renew it. Ok. Fair enough. Thanks!
But soon I realized it’s not the case. After spending around 2 hours reading tutorials, here I am. I need either root access to my poor caveman hosting service or I need to ask the caveman to figure out how to provide me letsencrypt support or go through all the hassles of migration to another hosting provider.

Question: Why can’t I simply copy and paste two text files rather than installing, trusting and running certbot or any other client with millions of lines of code in ruby/python or other languages from developers I don’t know? Why a super intelligent cutting edge API technology without any alternative option to log in to a control panel and just copy and paste texts?

Another question: Someday I will finally figure out how this thing works. But, if letsencrypt owners have any religious or philosophical belief that it should only be done by developers with root access to their host and nobody else, is it LEGAL for me to make a website with login and a dashboard page where people can simply generate and copy and paste two text files?! (And then I manage the website itself to connect to the letsencrypt API on behalf of my users and thus simplify the process for them)

You can. Take a look at zerossl.com. But as is always the case, the cert will be good for 90 days, so you'll need to repeat the process every few months.

This isn't it at all, but they do believe very strongly in automating the process, which is why their system doesn't work like you were expecting. In short, it works well for two groups:

  • People who administer their own servers, and
  • People whose web hosting directly supports Let's Encrypt (and there are quite a lot of hosting providers who do)--with these, it's typically a matter of checking a box in your control panel to get and install the cert.

People without admin access to their servers, whose hosting provider doesn't support Let's Encrypt, will often be better served by a different CA.

2 Likes

Also, many clients can work from a non-root user account. But it limits what they can do and what they can automate for you since, for example, it usually requires root to listen on port 80, or modify the web server configuration.

(Even Certbot, but it’s intended to be run as root.)

1 Like
