Slashdot Mirror

← Back to Stories (view on slashdot.org)

EFF Announces Certbot Client For Let's Encrypt (eff.org)

Posted by EditorDavid on from the certified-letters dept.

Peter Eckersley, the staff technologist for the Electronic Frontier Foundation, writes: EFF has just launched Certbot, which is the next iteration of the Let's Encrypt client. It's a powerful tool for obtaining TLS/SSL certificates from Let's Encrypt, and (if you wish) automatically installing them to enable and tune HTTPS on your website. It's extensible, and supports a rapidly-growing range of server software.
As of last week more than three million certificates had been issued, according to EFF.org, and despite a new name and host, Certbot "will still get certificates from Let's Encrypt and automatically configure HTTPS on your webserver.... We expect OS packages to begin using the Certbot name in the next few weeks as well."

18 of 29 comments (clear)

  1. CPanel by U2xhc2hkb3QgU3Vja3M · · Score: 2

    Any web hosting service worth the price will have an up-to-date CPanel that already has an easy-to-use "Let's encrypt" option.

    1. Re:CPanel by EphemeralEclipse · · Score: 1

      There are a lot of us who have our own servers for various use cases in the form of Virtual Private Server and Dedicated. This tool, if works as advertised, will make my life much easier. No more configuring webservers manually to point to the cert directory I downloaded using let's encrypt's webroot tool. Benefit of this is that it seems like it will be supported by EFF as well, which trumps a lot of third-party tools on Github that might one-day go on unmaintained.

    2. Re:CPanel by gmack · · Score: 1

      Those of us who prefer a hosting system that does not run the webserver as the same user the files of the website were owned by still need something workable.

  2. Re:Still depends on gcc? Still needs root? by NotInHere · · Score: 4, Informative

    You need to prove to Let's encrypt that you own the domain. For that you have to add a special file to a special place inside the http accessible part of the website. This special file can only be added by root. Other than that there are multiple ACME clients available if you dont like one you can use others as well.

    https://community.letsencrypt....

  3. Why need root to write to your own site's htdocs? by tepples · · Score: 1

    You need to prove to Let's encrypt that you own the domain. For that you have to add a special file to a special place inside the http accessible part of the website. This special file can only be added by root.

    Why can't a process running under the user account of the website's owner write to a folder owned by the website's owner? As far as I can tell, the only part that ought to need superuser privilege is configuring the web server to use a particular certificate.

    Other than that there are multiple ACME clients available if you dont like one you can use others as well.

    The shared hosting provider WebFaction refuses to make automatic Let's Encrypt support available or let users programmatically upload a private key and certificate. Instead, the user has to submit a support ticket every time the certificate changes. This led to the creation of a passive-aggressive ACME client called letsencrypt-webfaction, which automates obtaining the certificate and filing a support ticket every two months.

  4. Hiawatha webserver and Let's Encrypt by Aethedor · · Score: 1

    The latest release of the Hiawatha webserver has its own Let's Encrypt script included. Seems to work ok. Anybody tried Hiawatha yet? How good is it?

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  5. Still no official Windows client? by rklrkl · · Score: 1

    It's surprising that after all this time in beta and a move of its home to EFF, there still doesn't appear to be an official client for Windows Servers running IIS. Yes, there's several unofficial Windows clients, but am I supposed to trust them and even if I did, which one is the best?

    1. Re:Still no official Windows client? by krelvin · · Score: 1

      Would most likely get a better answer via their support forum at Let's encrypt than hoping for a good answer here.

  6. Re:Still depends on gcc? Still needs root? by CRC'99 · · Score: 4, Informative

    You need to prove to Let's encrypt that you own the domain. For that you have to add a special file to a special place inside the http accessible part of the website.

    So, I'd also have to open up the standard HTTP port to outside traffic just so they can check I 'own the domain'? that, and the idea of running
    a 'certificate management agent' on my web server....

    I've been using StartSSL's free certs for that exact reason. They've got free 1 year certs vs LE's 30 days - and recently they've done a StartAPI to get these automagically.

    Right now though, they still use HTTP validation - like LE - but hoping they'll have other options.

    I've also just finished a proof of concept implementation of their API at https://github.com/CRCinAU/sta...

    Hoping to get some review on it and hopefully some submissions to add to the functionality.

    --
    Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  7. Re:Still depends on gcc? Still needs root? by CRC'99 · · Score: 2

    Hah - and being too quick on the Submit button, I forgot the more important point I was getting at... (Say, I should apply to be an editor)

    Once you validate the root domain with StartSSL / StartAPI, you can create certificates for any subdomain attached to that domain - so you don't have to have port 80 to the world - or even a web server installed on anything but the root domain - and most people already have a setup like www.mydomain.com / mydomain.com going to the same web server.

    --
    Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  8. Re:Still depends on gcc? Still needs root? by motokochan · · Score: 2

    You don't need to be root to add the challenge file, just have permission to write to the website folder.

    You can also use DNS verification, although that method is not present in Certbot yet. There are a few third-party clients that do support that method, however.

  9. certs by fyngyrz · · Score: 1

    Was this the service that provided certs of short-length expiration, a year or so?

    Or am I thinking of something else?

    --
    I've fallen off your lawn, and I can't get up.
    1. Re:certs by fyngyrz · · Score: 1

      Ah. Well, okay, then this: Why not just issue a certificate that works long term and doesn't require unnecessary network activity and exposure?

      I presume there is some benefit this is supposed to provide, but I'm sure not seeing it.

      --
      I've fallen off your lawn, and I can't get up.
    2. Re:certs by JesseMcDonald · · Score: 1

      Given the fact that certificate revocation lists have not proven particularly effective, the advantage of the short renewal period is that a compromised certificate can only be used for a few months at most before it expires naturally. This requires a bit more (automated) network activity, but reduces the exposure to attacks against the site's private keys.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    3. Re:certs by fyngyrz · · Score: 1

      And these attacks, uses of compromised certificates, are they common enough to justify this level of paranoia?

      --
      I've fallen off your lawn, and I can't get up.
    4. Re:certs by fyngyrz · · Score: 1

      Also, can the automated process be compromised? Seems like if you can get a site's certs, you can probably compromise the cert-obtaining automation as well, no?

      --
      I've fallen off your lawn, and I can't get up.
    5. Re:certs by JesseMcDonald · · Score: 1

      Seems like if you can get a site's certs, you can probably compromise the cert-obtaining automation as well, no?

      In the most typical installations, probably, though there are ways to prevent that. The automation doesn't actually need to run on the same machine as the main site, much less under the same user account. The script just needs to be able to publish a file at a well-known HTTP URL on the target domain—the operator could easily arrange to have that request forwarded elsewhere, and pass the new certificates to the server through a dedicated channel. A reverse proxy could also be employed to keep the HTTPS certificates away from the server running the main site, which is the most likely target for attack.

      In any case, even if one assumes that the server itself is compromised along with the certs, fixing that is just a matter of cleaning up or replacing the server, whereas the compromised certificates remain a threat until they eventually expire. Once the server is fixed the attacker won't be able to obtain any new certificates.

      The threat model is an attacker with one-time access to the certificates and the ability to mount an active MitM attack, but not persistent control over the server; if the attacker controlled the server itself they wouldn't need to compromise the certificates.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  10. Re:Convenience by tepples · · Score: 1

    But to set that up you need knowledge of how to set permissions

    All you really need to do is set up suexec. Then your CGI and FastCGI scripts run as you, and the ACME client running as you can write to the challenge folder that you own.