1. 25

letskencrypt: https://github.com/kristapsdz/letskencrypt

and on cvsweb (when it updates).

  1.  

  2. 4

    It’s super exciting to see OpenBSD bundle a letsencrypt client. Although, I find it interesting that letskencrypt claims to be more secure since it’s written in C, which is contrary to common knowledge now.

    The real killer security feature seems to be its privsep architecture, which is definitely worth bragging about. That part is great.

    1. [Comment removed by author]

      1. 1

        That's a good start, but how far is it reviewed? Is there any thread about the import process I did not find in the mail archive?

        /* FIXME: is this necessary? */
        tls_config_insecure_noverifycert(http->cfg);
        
        1. 1

          The cool thing about many of these little tools that grew up near OpenBSD is that they’re often so small and clean that you can do your own review and it won’t take all that long. Maybe you’ll catch an issue you can report to tech@, or you just gain confidence that there’s no big, glaring flaw just sitting there waiting to be seen (because nobody looked).

          In fact, I recommend people do that. Even those who aren’t expert C programmers. You can learn a lot while doing so. More importantly, we avoid the situation where everybody just trusts the next guy to do the review (it must be secure! people said so! someone must have reviewed it thoroughly!).

          You can do a fairly thorough review in just one evening. Compare with many of the tools and daemons from the Linux world that just somehow always happen to be at least an order of magnitude larger. And somehow messier. Then normal people who run the code just can't be bothered to take a look at the source code. Just trust the maintainers. Follow the fashion.
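
The privsep architecture praised in the comment above, as an added example that is not letskencrypt's own code: one process (the keyholder) is forked off, loads the secret only after the fork, and offers exactly one operation; the other process (the network side) handles attacker-controlled input and can reach the keyholder only through a socketpair, so a compromise there yields neither the key nor an out-of-bounds write in the keyholder. The message layout, the toy keyed checksum standing in for a signature, the constant secret and all function names are constructed for this demonstration; a real keyholder would read the account key from disk, and the network process would additionally be confined with pledge(2) or an equivalent.

```c
/* Added example, not letskencrypt code: a privsep skeleton. The keyholder
 * process alone loads the secret, after fork, and offers exactly one
 * operation; the network process handles attacker-controlled input and
 * reaches the keyholder only over a socketpair. Names, message format and
 * the secret are constructed for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

#define MAX_PAYLOAD 64
enum { MSG_MAC = 1, MSG_DUMP_KEY = 2 }; /* DUMP_KEY: what a compromised network side would try */

struct request { uint8_t type; uint8_t len; uint8_t payload[MAX_PAYLOAD]; };
struct reply   { uint8_t ok; uint32_t mac; };

/* Toy keyed checksum (FNV-1a over key || msg) standing in for a signature. NOT a real MAC. */
uint32_t toy_mac(const uint8_t *key, size_t klen, const uint8_t *msg, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < klen; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < len; i++)  { h ^= msg[i]; h *= 16777619u; }
    return h;
}

/* Read or write exactly n bytes on a blocking socket; -1 on EOF or error. */
static int io_full(int fd, void *buf, size_t n, int writing)
{
    uint8_t *p = buf;
    for (size_t done = 0; done < n; ) {
        ssize_t r = writing ? write(fd, p + done, n - done) : read(fd, p + done, n - done);
        if (r <= 0) return -1;
        done += (size_t)r;
    }
    return 0;
}

/* Constructed secret; a real keyholder would read the account key from disk here. */
const uint8_t *load_secret(size_t *len)
{
    static const uint8_t key[] = "constructed-demo-secret";
    *len = sizeof key - 1;
    return key;
}

/* Keyholder loop: message type and length bound are checked here, never trusted from the peer. */
static void keyholder(int fd)
{
    size_t klen; const uint8_t *key = load_secret(&klen);
    struct request req; struct reply rep;
    while (io_full(fd, &req, sizeof req, 0) == 0) {
        memset(&rep, 0, sizeof rep);
        if (req.type == MSG_MAC && req.len <= MAX_PAYLOAD) {
            rep.ok = 1;
            rep.mac = toy_mac(key, klen, req.payload, req.len);
        }
        if (io_full(fd, &rep, sizeof rep, 1) < 0) break;
    }
}

/* Network side: fork the keyholder, send one request. Returns 1 if accepted,
 * 0 if refused, -1 on process or socket failure. */
int privsep_request(uint8_t type, const uint8_t *data, size_t len, uint32_t *mac_out)
{
    int sv[2], rc = -1;
    struct request req; struct reply rep;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(sv[1]); keyholder(sv[0]); _exit(0); }  /* key exists only past this point */
    close(sv[0]);
    memset(&req, 0, sizeof req);
    req.type = type;
    req.len = (uint8_t)(len > 255 ? 255 : len);                        /* claimed length, as sent */
    memcpy(req.payload, data, len < MAX_PAYLOAD ? len : MAX_PAYLOAD);   /* never overrun locally */
    if (io_full(sv[1], &req, sizeof req, 1) == 0 && io_full(sv[1], &rep, sizeof rep, 0) == 0) {
        rc = rep.ok ? 1 : 0;
        if (rep.ok && mac_out) *mac_out = rep.mac;
    }
    close(sv[1]);
    waitpid(pid, NULL, 0);
    return rc;
}

/* Probes: a legitimate request (checked against a direct computation, which only
 * this demo may do), a key-exfiltration attempt, and an oversize length claim. */
int demo_mac_roundtrip(void)
{
    uint32_t mac = 0; size_t klen; const uint8_t *key = load_secret(&klen);
    const uint8_t msg[] = "order-123";
    return privsep_request(MSG_MAC, msg, sizeof msg - 1, &mac) == 1
        && mac == toy_mac(key, klen, msg, sizeof msg - 1);
}
int demo_dump_key_refused(void) { return privsep_request(MSG_DUMP_KEY, (const uint8_t *)"", 0, NULL) == 0; }
int demo_oversize_refused(void)
{
    uint8_t big[200]; memset(big, 'A', sizeof big);
    return privsep_request(MSG_MAC, big, sizeof big, NULL) == 0;
}

int main(void)
{
    printf("roundtrip %d, key dump refused %d, oversize refused %d\n",
           demo_mac_roundtrip(), demo_dump_key_refused(), demo_oversize_refused());
    return 0;
}
```

The point worth noticing is where the checks live: the keyholder re-validates the message type and the claimed length itself, so a network process that lies about `len` or asks for the key gets an empty reply rather than a memory corruption or a secret. That is what makes the small, reviewable keyholder the part worth auditing closely, while the larger parsing code can be treated as disposable.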

    2. 3

      I’ve not used it yet, but this looks to be the most sane client I’ve seen yet. So many of the others want to do horrendous things, dissuading me from even trying Let’s Encrypt.

      All I want is something that will renew a certificate, and do it securely. No, I don’t want rubbish like rewriting web service configuration files, automatic daemon restarting, etc.

      1. 1

        The “generic” behavior of the “certbot” client just needs write access to your webroot (“just”, but it’s kind of inherent to the protocol, and it’s not hard to isolate the letsencrypt writable path from the rest of your site). You’ll have to carefully configure or script getting the certs in place, but that’s at least straightforward and reproducible. If your web server heavily caches certs, you may have to do some hacking around that, but the overall process is about as non-heinous as you could hope.

      2. 3

        Admins: Can we maybe merge this discussion with https://lobste.rs/s/pwnfe2/lets_encrypt_client_imported_into?

        1. 2

          It says “No such message.”

          1. 2

            That’s great! It’s nice to see a C client (from what I understood), and also to see an OBSD-developed alternative; standard Let’s Encrypt has stalled recently.

            1. 1

              I must apologize for this comment. Ignorant me thought we were talking about Encryptr the password manager, not about Let’s Encrypt the service that allows you to have free HTTPS.