Slashdot Mirror


Let's Encrypt Is Now In Public Beta (eff.org)

Peter Eckersley writes: As of today, Let's Encrypt is in Public Beta. If you're comfortable running beta software that may have a few bugs and rough edges, you can use it to instantly obtain and install certificates for any HTTPS website or TLS service. You can find installation instructions here.

15 of 135 comments

  1. Shared hosting by tepples · · Score: 2

    From Introduction:

    The client requires root access

    Because a shared web hosting customer is not root, the hosting provider will have to install Let's Encrypt on behalf of its customers. I plan to open a support ticket with my hosting provider to request installation of Let's Encrypt. What are the most likely objections that a hosting provider might have to enabling this?

    1. Re:Shared hosting by tepples · · Score: 2

      Let's Encrypt already validates that the sender is authorized to speak for the domain. But you make it sound like there's no place for encryption in transit without stronger sender identification, ideally one verified against real-world credentials. Further, you make it sound like there ought to be an entry barrier to sender identification. Do I understand you correctly so far? And if so, how much ought the right to send to cost, in your opinion? Should individuals have the right to send, outside the course of a business?

  2. Very short certs. by gantzm · · Score: 5, Insightful

    They really want you to automate this. From the web site:

    Let’s Encrypt CA issues short lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.

    --
    Excessive forking causes unwanted children.

    1. Re:Very short certs. by kthreadd · · Score: 4, Insightful

      So, hands up. Who has ever forgotten to renew a three-year cert before it expired?

  3. I was looking forward to this... by jez9999 · · Score: 5, Insightful

    Unfortunately, their MAXIMUM length of certificate is 90 days and it ain't getting longer; if anything they want to make them shorter in duration. So anyone who doesn't want to or can't, for whatever reason, run some cronjob on their server to auto-renew their certificates should give these guys a miss. Great shame that they let their "automate everything or GTFO" ideology override many people's legitimate need or desire for annual certificates.

    1. Re:I was looking forward to this... by darkain · · Score: 2

      If they don't fit your needs, vote with your dollars. You're more than free to pay for certs from another organization!

      On that note: I initially had some issues with part of their implementation, too. But I'm working through it now by having a dedicated VM just for renewing my certs, and then that VM's cron script pushes the cert files to the actual web servers.

      It isn't that difficult to work around the limitations on their system right now if you just put a little thought into it.

    2. Re:I was looking forward to this... by Anonymous Coward · · Score: 2, Insightful

      It's probably the right decision though, because certificate revocation is terminally broken. Short-lived certificates are the only option to ensure that the expected audience won't have effectively irrevocable certificates floating around for years after losing control over the keys in a configuration mishap.

      However, I am certainly not going to trust them with root access to the server, partly because I don't have it myself, and partly because that should not be necessary at all.

  4. Let's run arbitrary code by silas_moeckel · · Score: 2

    With access to my server's private keys. Who does this sound like a good idea to?

    --
    No sir, I don't like it.

  5. Re:But Why? by blackiner · · Score: 4, Informative

    There is a pretty writeup about modern TLS issues on lwn: http://lwn.net/Articles/664385...
    It seems that certificate revocation is not working particularly well in practice. The 90-day duration is meant to help with this: you can simply let the certificate expire.

  6. Re:Trust? by elusive_one · · Score: 2

    From: http://lwn.net/Articles/664385... It is hosted by the Linux Foundation and sponsored by the Electronic Frontier Foundation, Mozilla, Cisco, and Akamai. Let's Encrypt also has a cooperation agreement with the certificate authority Identrust, which will sign the Let's Encrypt intermediate certificate. This cross-signature from an existing certificate authority will guarantee that the Let's Encrypt certificates will be accepted by all major web browsers.

  7. Re:DOA? by hey! · · Score: 3, Insightful

    This only looks hard because of a mental block people have about stuff that doesn't have a GUI. In reality it's often way easier to copy and paste into a terminal window -- doing obvious substitutions for things like "www.example.com" -- than it is to try to read some GUI designer's mind.

    You don't have to understand everything "git clone" does, any more than you have to understand everything that happens behind the scenes when you click a button.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

  8. Re:But Why? by kthreadd · · Score: 2

    There are so many certs now that revocation isn't working as well as it used to. It used to be that the user-agent would actually download a complete list of revoked certificates to compare against. That's not really viable, so OCSP is used instead. Short-lived certs simplify it, since we only need to care about revoked certs for a more limited time, and it also encourages automation.

  9. Some people are just hard to please... by itsdapead · · Score: 3, Informative

    I understand that the target audience is admins, and that this is beta, but really?

    Have you ever had to generate a certificate request, get it signed by a CA and install it in your web server? It's not rocket science, but it's certainly tedious, with a dense jargon thicket to battle through.
    ./letsencrypt-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is
    ...is improvement beyond recognition.

    Anyway, there's a lot of infrastructure behind that command line that should make it easy for the likes of cPanel, Plesk or maybe even WordPress to wrap it in a nice point-and-drool dialog.

    --
    In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.

  10. Re:But Why? by itsdapead · · Score: 4, Informative
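    The check that the "who has ever forgotten to renew" exchange in comment 2 and the command line quoted just above both imply, as an added example that is not code from the original thread or from the Let's Encrypt project: the pre-check a renewal cron job can run before invoking the client, using openssl's -checkend to decide whether a certificate is inside its renewal window. The file paths, the 30-day window and the throwaway self-signed certificates are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread: the pre-check a renewal
# cron job can run before calling the ACME client. Paths, the 30-day window
# and the throwaway self-signed certificates are constructed assumptions.

# renewal_status CERT_PEM DAYS
# Prints "renew" when the certificate in CERT_PEM expires within DAYS days,
# "ok" otherwise. openssl's -checkend exits 0 only if the certificate is
# still valid at now + DAYS seconds*86400, so no date arithmetic is needed.
renewal_status() {
    cert="$1"
    days="${2:-30}"
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo renew
    fi
}

# make_test_cert OUT_PEM LIFETIME_DAYS
# Constructed input: a self-signed certificate valid for LIFETIME_DAYS days,
# standing in for a Let's Encrypt certificate at some point in its 90-day life.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=www.example.com" >/dev/null 2>&1
}

tmpdir="$(mktemp -d)"
make_test_cert "$tmpdir/fresh.pem" 90   # just issued
make_test_cert "$tmpdir/old.pem" 10     # inside the 30-day renewal window

for c in fresh old; do
    echo "$c.pem: $(renewal_status "$tmpdir/$c.pem" 30)"
done
# In a real cron job, a "renew" result is the point where the client would be
# invoked (e.g. the letsencrypt-auto certonly --webroot command quoted in the
# comment above), followed by a reload of the web server.
```

Running the check every day with a 30-day window leaves several attempts before a 90-day certificate actually expires, which is what turns renewal from something you must remember into something you only notice when it fails.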

    Bear in mind that current free certificates from the likes of StartSSL expire after 1 year anyway - and are at least 4 times more hassle to obtain and install than Let's Encrypt is shaping up to be.

    --
    In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.

  11. StartSSL process by tepples · · Score: 2

    Today I went through the StartSSL process to renew the certificate for a site because it'll more than likely expire before my hosting company has a chance to implement Let's Encrypt. StartSSL isn't really that different from GoDaddy, except for two things: you use a client certificate instead of a password to identify yourself, and verifying domain control and issuing the cert are split into two steps. One e-mail verification to get your individual client cert, another to verify the domain, then paste in the CSR, and a few minutes later the class 1 domain-validated certificate is sitting in your Tool Box. The biggest UI flaw is that the tabs on your user page (Tool Box, Certificates Wizard, Validations Wizard) are arranged in reverse order of how they're used. The second biggest is that the e-mail validation requires you to be aware of tabbed browsing, or at least of opening your webmail in a new window.

    I haven't tried WoSign. Is it any cleaner?