[Cryptography] observations: Let's Encrypt certificate authority: free, automated, opensource, limited beta

John Denker jsd at av8n.com
Wed Nov 4 15:08:20 EST 2015


I suppose most folks on this list know about Let's Encrypt:
  https://letsencrypt.org/

The objective is to provide free DV ("domain validated") 
certificates, and to provide an easy-to-use method (ACME) 
for obtaining certificates.  The ACME objectives and methods
are described here:
  https://letsencrypt.github.io/acme-spec/

Executive summary:  I reckon letsencrypt will be quite valuable
eventually.  There has been some progress recently.  It is already
better than nothing, although it still has some ease-of-use issues.

==============
Some informal observations:

1) The project /schedule/ has exhibited a lot of slippage.  For
 the last year or more, it has been slipping almost one month per
 month (i.e. almost no externally-discernible progress at all).

 HOWEVER recently there has been some discernible progress.
 The thing is now in "limited" beta status.  It is available
 by invitation only, but you can request an invitation via:
  https://community.letsencrypt.org/t/beta-program-announcements/1631

 I mention this because folks on this list might be interested
 in experimenting with it ... and because IMHO the system has
 quite a few rough edges and would benefit from some constructive
 feedback from people who know what they're talking about:
   -- checking the security of the protocol
   -- improving the usability of the UI
   -- improving the documentation

2) I have not examined the security properties and have nothing
 to say on the subject.  This note focuses on usability issues.

3) After a modest amount of fussing with it, I got it to work.
 Example:
   https://xxx.av8n.com/

4) The command I ended up using was
>> ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -d xxx.av8n.com

Nuisances include:
 *) It is easily confused if you use apache "VirtualHost" "ServerName"
  features.  You have to edit your .conf files to work around this.
 *) The documentation is incomplete and not entirely consistent.
  -- Some of the documentation tells you about the --server option, 
   and some of it doesn't.  If you leave it off, you get a certificate
   issued by an untrusted "fake CA".  If you include it, you get a
   for-real cert, trusted by typical browsers.
  -- Some of the documentation tells you about the -d option, and
   some of it doesn't.
 *) Once you get the certificates, you have to do some more editing
  to link them into your .conf files.  Again you have to read 
  disparate bits of documentation to figure out the details.  The
  command creates an example file but doesn't tell you about it,
  and it is neither fully complete nor fully correct.  I reckon anybody
  on this list can figure it out ... but it's a long way from 
  meeting the project's stated objective of being "easy to use".

Hint:
<VirtualHost *:443>
        ServerName xxx.av8n.com
        SSLCertificateFile      /etc/letsencrypt/live/xxx.av8n.com/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/xxx.av8n.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/xxx.av8n.com/chain.pem
        DocumentRoot /var/www/xxx
        Include             /etc/apache2/sites-available/generic-ssl.conf
</VirtualHost>
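
Added example, not part of the original post and not Let's Encrypt project code: a small lint for the hand-edited linking step described above. It assumes the three-directive layout and the /etc/letsencrypt/live/<ServerName>/ paths shown in the hint; the second vhost and the name yyy.example.org are constructed.

```python
import re

# Constructed sample: the first vhost is the TLS part of the hint in the post;
# the second is constructed and has mistakes that hand-editing tends to produce.
SAMPLE_CONF = """\
<VirtualHost *:443>
        ServerName xxx.av8n.com
        SSLCertificateFile      /etc/letsencrypt/live/xxx.av8n.com/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/xxx.av8n.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/xxx.av8n.com/chain.pem
</VirtualHost>
<VirtualHost *:443>
        ServerName yyy.example.org
        SSLCertificateFile      /etc/letsencrypt/live/xxx.av8n.com/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/yyy.example.org/cert.pem
</VirtualHost>
"""

# Directive -> file name expected under /etc/letsencrypt/live/<ServerName>/
EXPECTED = {
    "SSLCertificateFile": "cert.pem",
    "SSLCertificateKeyFile": "privkey.pem",
    "SSLCertificateChainFile": "chain.pem",
}
VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", re.S | re.I)
LINE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(\S+)[ \t]*$", re.M)

def lint_vhosts(conf_text):
    """Return sorted (server_name, problem) pairs for every port-443 vhost."""
    findings = []
    for body in VHOST_RE.findall(conf_text):
        seen = dict(LINE_RE.findall(body))  # directive -> value (case-sensitive match)
        name = seen.get("ServerName", "<no ServerName>")
        for directive, filename in EXPECTED.items():
            path = seen.get(directive)
            want = f"/etc/letsencrypt/live/{name}/{filename}"
            if path is None:
                findings.append((name, f"{directive} missing"))
            elif path != want:
                findings.append((name, f"{directive} is {path}, expected {want}"))
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in lint_vhosts(SAMPLE_CONF):
        print(f"{name}: {problem}")
```

The hint's vhost passes cleanly; the constructed one is flagged for borrowing another host's certificate, pointing the key directive at cert.pem, and omitting the chain.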

