[Cryptography] observations: Let's Encrypt certificate authority: free, automated, opensource, limited beta
John Denker
jsd at av8n.com
Wed Nov 4 15:08:20 EST 2015
I suppose most folks on this list know about Let's Encrypt:
https://letsencrypt.org/
The objective is to provide free DV ("domain validated")
certificates, and to provide an easy-to-use method (ACME)
for obtaining certificates. The ACME objectives and methods
are described here:
https://letsencrypt.github.io/acme-spec/
Executive summary: I reckon letsencrypt will be quite valuable
eventually. There has been some progress recently. It is already
better than nothing, although it still has some ease-of-use issues.
==============
Some informal observations:
1) The project /schedule/ has exhibited a lot of slippage. For
the last year or more, it has been slipping almost one month per
month (i.e. almost no externally-discernible progress at all).
HOWEVER recently there has been some discernible progress.
The thing is now in "limited" beta status. It is available
by invitation only, but you can request an invitation via:
https://community.letsencrypt.org/t/beta-program-announcements/1631
I mention this because folks on this list might be interested
in experimenting with it ... and because IMHO the system has
quite a few rough edges and would benefit from some constructive
feedback from people who know what they're talking about:
-- checking the security of the protocol
-- improving the usability of the UI
-- improving the documentation
2) I have not examined the security properties and have nothing
to say on the subject. This note focuses on usability issues.
3) After a modest amount of fussing with it, I got it to work.
Example:
https://xxx.av8n.com/
4) The command I ended up using was
>> ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -d xxx.av8n.com
Nuisances include:
*) It is easily confused if you use apache "VirtualHost" "ServerName"
features. You have to edit your .conf files to work around this.
*) The documentation is incomplete and not entirely consistent.
-- Some of the documentation tells you about the --server option,
and some of it doesn't. If you leave it off, you get a certificate
issued by an untrusted "fake CA". If you include it, you get a
for-real cert, trusted by typical browsers.
-- Some of the documentation tells you about the -d option, and
some of it doesn't.
*) Once you get the certificates, you have to do some more editing
to link them into your .conf files. Again you have to read
disparate bits of documentation to figure out the details. The
command creates an example file but doesn't tell you about it,
and it is neither fully complete nor fully correct. I reckon anybody
on this list can figure it out ... but it's a long way from
meeting the project's stated objective of being "easy to use".
Hint:
  <VirtualHost *:443>
    ServerName xxx.av8n.com
    SSLCertificateFile /etc/letsencrypt/live/xxx.av8n.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xxx.av8n.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/xxx.av8n.com/chain.pem
    DocumentRoot /var/www/xxx
    Include /etc/apache2/sites-available/generic-ssl.conf
  </VirtualHost>
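
Added example (not part of the original post and not Let's Encrypt's own code): a small lint that checks each port-443 VirtualHost links the three certificate files for its own ServerName, the manual step the hint above covers. It assumes the /etc/letsencrypt/live/<ServerName>/ layout shown in the hint; the function names and the yyy.example.org vhost are made up for illustration.

```python
import re

LIVE_DIR = "/etc/letsencrypt/live"  # assumption: layout taken from the hint above
EXPECTED = {"SSLCertificateFile": "cert.pem", "SSLCertificateKeyFile": "privkey.pem",
            "SSLCertificateChainFile": "chain.pem"}
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def parse_vhosts(conf_text):
    """Return [(address, {lowercased directive: value})], one per VirtualHost."""
    vhosts = []
    for address, body in VHOST.findall(conf_text):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1].strip('"')
        vhosts.append((address.strip(), directives))
    return vhosts

def check_tls_vhost(directives):
    """List the TLS file directives that do not match the vhost's ServerName."""
    name = directives.get("servername")
    if not name:
        return ["no ServerName, cannot tell which certificate belongs here"]
    problems = []
    for directive, filename in EXPECTED.items():
        want = f"{LIVE_DIR}/{name}/{filename}"
        got = directives.get(directive.lower())
        if got != want:
            problems.append(f"{directive}: got {got}, expected {want}")
    return problems

def lint(conf_text):
    """Map each port-443 vhost (keyed by ServerName) to its list of problems."""
    return {d.get("servername", addr): check_tls_vhost(d)
            for addr, d in parse_vhosts(conf_text) if addr.endswith(":443")}

# Constructed sample: the hint's vhost plus a made-up one with two mistakes.
SAMPLE = """<VirtualHost *:443>
ServerName xxx.av8n.com
SSLCertificateFile /etc/letsencrypt/live/xxx.av8n.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxx.av8n.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/xxx.av8n.com/chain.pem
</VirtualHost>
<VirtualHost *:443>
ServerName yyy.example.org
SSLCertificateFile /etc/letsencrypt/live/xxx.av8n.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yyy.example.org/privkey.pem
</VirtualHost>"""
print(lint(SAMPLE))
```

Apache 2.4.8 and later treat SSLCertificateChainFile as obsolete and accept the chain in SSLCertificateFile, so EXPECTED would need adjusting on those versions.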