EFF Announces Certbot Client For Let's Encrypt

Peter Eckersley, the staff technologist for the Electronic Frontier Foundation, writes: EFF has just launched Certbot, which is the next iteration of the Let's Encrypt client. It's a powerful tool for obtaining TLS/SSL certificates from Let's Encrypt, and (if you wish) automatically installing them to enable and tune HTTPS on your website. It's extensible, and supports a rapidly-growing range of server software.
As of last week more than three million certificates had been issued, according to EFF.org, and despite a new name and host, Certbot "will still get certificates from Let's Encrypt and automatically configure HTTPS on your webserver.... We expect OS packages to begin using the Certbot name in the next few weeks as well."

CPanel

[U2xhc2hkb3QgU3Vja3M]

Any web hosting service worth the price will have an up-to-date CPanel that already has an easy-to-use "Let's encrypt" option.

Re:

[EphemeralEclipse]

There are a lot of us who have our own servers for various use cases in the form of Virtual Private Server and Dedicated. This tool, if works as advertised, will make my life much easier. No more configuring webservers manually to point to the cert directory I downloaded using let's encrypt's webroot tool. Benefit of this is that it seems like it will be supported by EFF as well, which trumps a lot of third-party tools on Github that might one-day go on unmaintained.

Re:

[gmack]

Those of us who prefer a hosting system that does not run the webserver as the same user the files of the website were owned by still need something workable.

certs

[fyngyrz]

Was this the service that provided certs of short-length expiration, a year or so?

Or am I thinking of something else?

Re:Still depends on gcc? Still needs root?

[NotInHere]

You need to prove to Let's encrypt that you own the domain. For that you have to add a special file to a special place inside the http accessible part of the website. This special file can only be added by root. Other than that there are multiple ACME clients available if you dont like one you can use others as well.

https://community.letsencrypt.... [letsencrypt.org]

Why need root to write to your own site's htdocs?

[tepples]

You need to prove to Let's encrypt that you own the domain. For that you have to add a special file to a special place inside the http accessible part of the website. This special file can only be added by root.

Why can't a process running under the user account of the website's owner write to a folder owned by the website's owner? As far as I can tell, the only part that ought to need superuser privilege is configuring the web server to use a particular certificate.

Other than that there are multiple ACME clients available if you dont like one you can use others as well.

The shared hosting provider WebFaction refuses to make automatic Let's Encrypt support available or let users programmatically upload a private key and certificate. Instead, the user has to submit a support ticket every time the certificate changes. Thi

Re:Still depends on gcc? Still needs root?

[CRC'99]

You need to prove to Let's encrypt that you own the domain. For that you have to add a special file to a special place inside the http accessible part of the website.

So, I'd also have to open up the standard HTTP port to outside traffic just so they can check I 'own the domain'? that, and the idea of running
a 'certificate management agent' on my web server....

I've been using StartSSL's free certs for that exact reason. They've got free 1 year certs vs LE's 30 days - and recently they've done a StartAPI to get these automagically.

Right now though, they still use HTTP validation - like LE - but hoping they'll have other options.

I've also just finished a proof of concept implementation of their API at https://github.com/CRCinAU/sta... [github.com]

Hoping to get some review on it and hopefully some submissions to add to the functionality.

Re:

[CRC'99]

Hah - and being too quick on the Submit button, I forgot the more important point I was getting at... (Say, I should apply to be an editor)

Once you validate the root domain with StartSSL / StartAPI, you can create certificates for any subdomain attached to that domain - so you don't have to have port 80 to the world - or even a web server installed on anything but the root domain - and most people already have a setup like www.mydomain.com / mydomain.com going to the same web server.

Re:

[motokochan]

You don't need to be root to add the challenge file, just have permission to write to the website folder.

You can also use DNS verification, although that method is not present in Certbot yet. There are a few third-party clients that do support that method, however.

Hiawatha webserver and Let's Encrypt

[Aethedor]

The latest release of the Hiawatha webserver [hiawatha-webserver.org] has its own Let's Encrypt script included. Seems to work ok. Anybody tried Hiawatha yet? How good is it?

Still no official Windows client?

[rklrkl]

It's surprising that after all this time in beta and a move of its home to EFF, there still doesn't appear to be an official client for Windows Servers running IIS. Yes, there's several unofficial Windows clients, but am I supposed to trust them and even if I did, which one is the best?

Re:

[krelvin]

Would most likely get a better answer via their support forum at Let's encrypt than hoping for a good answer here.