Now I'm gonna give you a few reasons not to use let's encrypt: it forces you to keep a piece of software that can generate keys in your server. It forces you to reload your web server config every two months, unattended (they won't issue certs valid for more than 90 days). The alternative would be to do the process manually every two months (wtf?). Also, its certificates are not trusted in Windows XP.
Now, as part of these piss-poor authoritarian decisions and attitude, someone is trying to trick startssl users into using let's encrypt posting this crap with circumstantial evidence about China and Startssl. I hope you fail miserably.
No, I have no ties to Startssl whatsoever. And it's been ages since I last used their service.
It does not force you to use any particular software. You can even write your own client.
Shorter validity time makes your users safer. If you lose the private key, it will only be a problem for three months or less. Reloading your webserver should be a complete non-issue.
Because everyone should love to waste their time writing their own client. And running let'sencrypt scripts as root. And risking their security. And/or renewing certificates every now and then instead of focusing on stuff that matters. And anyone who disagrees should be downvoted to oblivion. YEAH!
I'm quite happy with simp_le[1] which doesn't require root. Renewals can happen automatically. All you need to do is monitor your certificates as you would anyway.
You don't have to run anything as root if you don't want to. There are tons of clients out there without that requirement. Your argument is basically that Let's Encrypt should have put more focus on working like other CAs do, while they decided to focus on better security and automation. Luckily, there are plenty of other CAs out there, and it's quite likely that more of them will start offering free DV certs soon, so it's not like Let's Encrypt is forcing you to do anything you don't want to.
I don't think anyone will be offering free DV certs while let's encrypt is still so dysfunctional and unusable in a real life situation. There was the potential for that, sure, but they've screwed up.
Two CAs already do this (StartSSL, WoSign). FWIW, there's a blog post by CertSimple[1] kind of confirming this is coming (no sources or specifics, though).
tobltobs: If you say I'm lying you should point out the falsehoods, or you're just another manipulator at work. At least pfg isn't arguing whether I'm telling the truth, he just has a different opinion.
> it forces you to keep a piece of software that can generate keys in your server.
Wrong, there are different ways to get a cert, even web interfaces, which you can install everywhere.
> It forces you to reload your web server config every two months, unattended
Wrong, if you like that kind of work you can replace it by hand.
> Because everyone should love to waste their time writing their own client.
Wrong, because again you are not forced to, you could use one of the many clients available.
> And running let'sencrypt scripts as root. And risking their security.
You don't have to run as root, you could use a client which supports non-root.
> If you say I'm lying you should point out the falsehoods, or you're just another manipulator at work.
Wrong again, because your errors have been pointed out already by others. You should start reading the answers and stop your "rage against censorship" quest.
Not wrong. You're forced to do all that if you don't want to spend inordinate amounts of money/time on maintaining the server. There are so many cheap certificates available -which are much simpler to use- that it's not worth the hassle, not by a long shot.