
posted by n1 on Tuesday November 10 2015, @07:37PM
from the help-us-wring-out-our-beta dept.

El Reg reports:

Hoping to expand the pool of Let's Encrypt testers, TrueCrypt audit project co-founder Kenneth White has run up a set of scripts to automate the process of installing certificates under the Mozilla-backed open CA.

White, co-director of the Open Crypto Audit Project, has posted the work at Github, here. He explains that the project is quite simple, consisting of Python scripts to "stand up the official Let's Encrypt certificate management ACME client tool" in the target environments.

These include Debian, Amazon's Linux (for AWS), CentOS, RedHat, and FreeBSD.

[...]White says [...] the official client "can be fragile and error-prone on some systems".

Having had to batter his own head against the client, White [...] says he cleaned up the process in his scripts to make Let's Encrypt more accessible to other users.

He warns against running either the Let's Encrypt client or his scripts in production systems:

"LE is still in beta and has some rough edges", White notes, "including silently invoking sudo and installing quite a few development packages".

Previous: The "Let's Encrypt" Project Generates Root and Intermediate Certificates
Let's Encrypt Has Issued Its First Gratis SSL/TLS Certificate


Related Stories

The "Let's Encrypt" Project Generates Root and Intermediate Certificates 28 comments

Let's Encrypt has announced the generation of root and intermediate certificates, shared the public keys, and shown the layout of its operational structure. The keys are RSA (the Rivest, Shamir, and Adleman algorithm) for now with ECDSA (Elliptic Curve Digital Signature Algorithm) versions coming later this year.

The root certificates are for the Internet Security Research Group (ISRG) and separately for the Online Certificate Status Protocol (OCSP) for the ISRG. OCSP is described in RFC 6960 and used for revocation of certificates.

The intermediate certificates are for two different intermediate Let's Encrypt CA (Certificate Authority) servers named/numbered X1 and X2. These are cross-signed by the IdenTrust root CA for ease of deployment and use by existing browsers without the need for any modifications until the browsers add the ISRG root CA through updates. The Let's Encrypt intermediate CA X2 is only intended for disaster recovery in case of a non-functional X1. The Let's Encrypt announcement has a schematic of the structure.

The target is (or was) to launch the Let's Encrypt service in the second quarter of 2015 (which ends this month) and they plan on further announcements during the next few weeks.


Let's Encrypt Has Issued Its First Gratis SSL/TLS Certificate 19 comments

Josh Aas of The Internet Security Research Group reported on September 14:

Let's Encrypt passed another major milestone by issuing our first certificate. You can see it in action here.

Our cross signature is not yet in place; however, this certificate is fully functional for clients with the ISRG root in their trust store. When we are cross signed, approximately a month from now, our certificates will work just about anywhere while our root propagates. We submitted initial applications to the root programs for Mozilla, Google, Microsoft, and Apple today.

We're thrilled to finally be a live [certificate authority]. We'll be working towards general availability over the next couple of months by issuing certificates to domains participating in our beta program. You can request that your domain be included in our beta program by clicking here.

If you want to get involved with Let's Encrypt, please visit this page.


See our prior coverage: EFF Offers Free Certificate Authority to Dramatically Increase Encrypted Internet Traffic, The "Let's Encrypt" Project Generates Root and Intermediate Certificates, and "Let's Encrypt" gets a Launch Schedule.


Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web 30 comments

Professor J. Alex Halderman, the noted election security researcher, along with his co-authors, has published a summary of Let's Encrypt, its components, and what it does. (Warning for PDF.) The service Let's Encrypt is a free, automated, open certificate authority (CA) providing TLS certificates. These are usually for web sites, enabling them to serve HTTPS connections.

Since its launch in late 2015, Let's Encrypt has grown to become the world's largest HTTPS CA, accounting for more currently valid certificates than all other browser-trusted CAs combined. By January 2019, it had issued over 538 million certificates for 223 million domain names. We describe how we built Let's Encrypt, including the architecture of the CA software system (Boulder) and the structure of the organization that operates it (ISRG), and we discuss lessons learned from the experience. We also describe the design of ACME, the IETF-standard protocol we created to automate CA–server interactions and certificate issuance, and survey the diverse ecosystem of ACME clients, including Certbot, a software agent we created to automate HTTPS deployment. Finally, we measure Let's Encrypt's impact on the Web and the CA ecosystem. We hope that the success of Let's Encrypt can provide a model for further enhancements to the Web PKI and for future Internet security infrastructure.

[...] Prior to our work, a major barrier to wider HTTPS adoption was that deploying it was complicated, expensive, and error-prone for server operators. Let's Encrypt overcomes these through a strategy of automation: identity validation, certificate issuance, and server configuration are fully robotic, which also results in low marginal costs and enables the CA to provide certificates at no charge. We designed Let's Encrypt to scale to the size of the entire Web. In just over three years of operation, it is well on its way: it has issued over 538 million certificates and accounts for more valid browser-trusted certificates than all other CAs combined. We hope that in the near future, clients will start using HTTPS as the default Web transport. Eventually, we may marvel that there was ever a time when Web traffic traveled over the Internet as plaintext.

Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web, Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, Pages 2473-2487 (DOI: 10.1145/3319535.3363192).

Earlier on SN:
Let's Encrypt to Transition to ISRG Root (2019)
Three Years Later, Let's Encrypt Has Issued Over 380 Million HTTPS Certificates (2018)
Let's Encrypt is Now Officially Trusted by All Major Root Programs (2018)
Let's Encrypt Takes Free "Wildcard" Certificates Live (2018)
Free Certs Come With a Cost (2017)
Let's Encrypt Issues 100 Millionth Certificate (2017)
Let's Encrypt Won its Comodo Trademark Battle - but Now Fan Tools Must Rename (2016)
Let's Encrypt Gets Automation (2015)


  • (Score: 0) by Anonymous Coward on Tuesday November 10 2015, @07:49PM (#261402)

    No such thing.

    • (Score: 2) by davester666 (155) on Wednesday November 11 2015, @03:39AM (#261572)

      you hope there is "no such thing"

  • (Score: 2) by PizzaRollPlinkett (4512) on Tuesday November 10 2015, @08:01PM (#261406)

    Hey, this is a good technical story that I like. But the headline doesn't parse. You read it and ask how you encrypt gets.

    "Let's Encrypt" Software Gets Automation

    Testers Get "Let's Encrypt" Automated Scripts

    I like the second one, especially if you could work Python into it, because it tells you this is a cool technical story you want to read.

    --
    (E-mail me if you want a pizza roll!)
    • (Score: 2) by frojack (1554) on Wednesday November 11 2015, @01:04AM (#261518)

      Had you been paying attention to Let's Encrypt all along, this would be a non-story, because automation of the certificate process was the WHOLE focus of Let's Encrypt.

      The automation handles the application process, as well as the installation process, as well as the refresh process for certificates that occurs every 90 days. (Yes, short duration certs are preferable).

      The scripts are all right there at the second link for anyone to see.

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 2) by opinionated_science (4031) on Tuesday November 10 2015, @08:04PM (#261408)

      • (Score: 2) by frojack (1554) on Wednesday November 11 2015, @01:12AM (#261521)

      From your own link:

      There is only one command that needs to be run as root on your server and it is a very simple python https server (sic) that you can inspect for yourself before you run it.

      A distinction without a difference. The other scripts are available for inspection too.

      But your point is valid, using either method would be allowing some third party to make changes to your computer. What should happen is that these scripts should run as a special user on Linux, and that user should be highly restricted in any sudo command it could invoke.
      (Of course this involves editing your sudoers.)

      --
      No, you are mistaken. I've always had this sig.
        • (Score: 2) by FatPhil (863) on Wednesday November 11 2015, @06:14PM (#261846)

        And that process contains a call to subprocess.Popen().

        Which means that other shit is being run as root, and this script is "protecting" you from having to know that. Nice.
        --
        I know I'm God, because every time I pray to him, I find I'm talking to myself.
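frojack's suggestion above (run the client as a dedicated user whose sudo rights are confined in sudoers to the few commands it needs), and FatPhil's concern about what else ends up running as root, worked through as an added example; this is not code from the story, the comments or White's scripts, and the user name acme, the systemctl path and the single allowed command are assumptions:

```sh
#!/bin/sh
# Added example (not from the story, the comments or White's scripts): confine an
# ACME client to a dedicated service user whose only sudo right is one exact
# command. Assumed: user "acme"; the one privileged step it needs is
# "/bin/systemctl reload nginx" (path and command are placeholders).
set -eu

# Render a minimal sudoers drop-in: one aliased command, no password prompt,
# environment reset, and noexec so the granted command cannot spawn a shell.
render_sudoers() {
    user="$1"
    cat <<EOF
Defaults:$user env_reset, !lecture, noexec
Cmnd_Alias ACME_RELOAD = /bin/systemctl reload nginx
$user ALL=(root) NOPASSWD: ACME_RELOAD
EOF
}

# Return 0 only if no grant line hands the user unrestricted ("ALL") commands.
policy_is_restricted() {
    ! render_sudoers "$1" | grep -Eq '^[^# ]+ +ALL=\([^)]*\) +(NOPASSWD: *)?ALL *$'
}

# Count the grant lines in the rendered policy; the intent is exactly one.
grant_count() {
    render_sudoers "$1" | grep -Ec '^[^# ]+ +ALL=\('
}

# Write the drop-in into $2 (normally /etc/sudoers.d) with the 0440 mode sudo
# requires, and print its path. Runs unprivileged; validation is separate.
install_sudoers() {
    user="$1"; dir="$2"
    umask 027
    render_sudoers "$user" > "$dir/$user"
    chmod 0440 "$dir/$user"
    echo "$dir/$user"
}

# Syntax-check a drop-in with visudo, which any host with sudo provides.
validate_sudoers() {
    visudo -cf "$1"
}

# Root-only setup: create the locked-down user and install the policy.
if [ "${1:-}" = "setup" ] && [ "$(id -u)" -eq 0 ]; then
    useradd -r -s /usr/sbin/nologin -d /var/lib/acme -m acme
    validate_sudoers "$(install_sudoers acme /etc/sudoers.d)"
fi
```

The client itself then runs as acme with no sudo at all except the one aliased command, so any subprocess it spawns inherits only that user's rights.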
  • (Score: 0) by Anonymous Coward on Tuesday November 10 2015, @08:26PM (#261417)

    I still have to connect to open wifi networks. https plz.

    • (Score: 2) by Zinho (759) on Tuesday November 10 2015, @09:04PM (#261430)

      I still have to connect to open wifi networks. https plz.

      Yep, that's what this project is trying to make happen. The LetsEncrypt.org domain is enabled by default in the EncryptedWeb add-on for Pale Moon, so they're leading by example. The sooner Web administrators have easy access to self-signed certificates trustable by everyone's browsers the better off we'll all be.

      --
      "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
      • (Score: 4, Informative) by draconx (4649) on Tuesday November 10 2015, @09:31PM (#261440)

        I still have to connect to open wifi networks. https plz.

        Yep, that's what this project is trying to make happen ... The sooner Web administrators have easy access to self-signed certificates trustable by everyone's browsers the better off we'll all be.

        These aren't self-signed certs. They are domain validated (DV) certs signed by the Let's Encrypt certificate authority.

        • (Score: 2) by Zinho (759) on Wednesday November 11 2015, @02:39PM (#261732)

          Even better, thanks for the correction.

          --
          "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
  • (Score: 0) by Anonymous Coward on Tuesday November 10 2015, @08:58PM (#261426)

    As of the last article my Pale Moon install wasn't working with their new keys. Today it does. I'm glad to see them making progress on this, self-signing should not be a second-class ghetto for Internet security.

    Test your browser, [letsencrypt.org] see whether you're ready for the new CA to come online.

  • (Score: 0) by Anonymous Coward on Wednesday November 11 2015, @01:03PM (#261706)

    Just give me the cert pack and let me install it myself. Why the hell is that too much to ask for? I can be trusted to run a server but not to install my own certs? FAIL...

    • (Score: 2) by tempest (3050) on Wednesday November 11 2015, @03:18PM (#261751)

      If you want to apply for a free certificate you install yourself, StartSSL already offers them.

    • (Score: 2) by urza9814 (3954) on Thursday November 12 2015, @09:04PM (#262358)

      According to their website [letsencrypt.org], you can install these certs manually too if you'd like. But since they only issue 90 day certs, they suggest you automate it.