Let's Encrypt Usability Suggestions

#1 Fri, 04/29/2016 - 22:39


Several times I have used the new built-in certificate request for Let's Encrypt and it went well. However, when it does not work, I felt particularly blinded and helpless. I have these suggestions to make the process feel more polished and less tacked-on.

First, see this illustration: http://i.imgur.com/yghcl82.jpg

1) To choose "Request certificate for" is confusing. We are currently presented two radio buttons, the first button is pre-checked, and "domain.com www.domain.com" will be submitted. Below this is a blank box to enter a different group of domains and sub-domains. The problem is that when you type text in this box, the second radio button does not automatically get marked. Also, to include "domain.com www.domain.com" along with additional domains, you have to cut and paste it over. It's easy to forget to do either or both things and end up with a cert that wasn't what was wanted. Solution: Don't have two radio buttons! Just have a single entry box which already has "domain.com www.domain.com" entered along with instructions nearby inviting the admin to enter additional domains. A nice touch would be to add a check-box to add "mail.domain.com", so that a temporary server redirect can be put in place to satisfy the acme-challenge when there is no actual website at that subdomain.

2) Once a certificate has been requested, there is no output on the screen until it has either succeeded or it has failed. The timeout runs 25 minutes or more when it fails! Instead of buffering all output to display afterwards, use the same method seen in other parts of Virtualmin where the output is shown on the screen line-by-line in realtime.

3) When the request is taking too long, it would be nice to regain control of our server gracefully. A Cancel button would be appreciated!

4) When updating a domain which already has a Let's Encrypt cert to add more subdomains, etc., and this update fails, one finds the domain now has a self-signed cert. Does this make sense? No! When running the request cert script, don't be destructive of the existing cert unless the cert request was successful! At least save the state first, and provide a "restore previous cert" button.

5) No admin wants a cert to run out unexpectedly. It makes more sense to pre-check "automatic renewal" and pre-enter a sensible number of months.

6) Until the Let's Encrypt request script is working for everyone, it would be kind to have its output be even more verbose. Here on the forums we have found out what causes some of the failure messages, so it makes sense to add comments in the output which would be helpful for the admin to troubleshoot. It might even be wise to pre-check a few conditions so we don't have to wait for Let's Encrypt to time out.

I hope you like my suggestions and others will add their own here.
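
A sketch of the non-destructive replacement asked for in suggestion 4, added here as an example; it is not part of the original post and not Virtualmin's code. The `request_cert` callable, the `.prev` backup suffix and the file names are assumptions standing in for the real ACME request and certificate paths.

```python
import os
import shutil
import ssl
import tempfile


def replace_cert_safely(live_path, request_cert):
    """Run request_cert(staging_path); touch live_path only if it succeeds.

    request_cert is a hypothetical callable standing in for the ACME
    request: it writes a PEM certificate to the path it is given and
    raises on failure. Returns True if the live cert was replaced.
    """
    live_dir = os.path.dirname(os.path.abspath(live_path))
    fd, staging = tempfile.mkstemp(dir=live_dir, suffix=".new")
    os.close(fd)
    try:
        request_cert(staging)
        with open(staging) as fh:
            # Framing check only: raises ValueError when the output is
            # not wrapped in BEGIN/END CERTIFICATE lines.
            ssl.PEM_cert_to_DER_cert(fh.read())
    except Exception:
        os.unlink(staging)  # failed request: the live cert is untouched
        return False
    if os.path.exists(live_path):
        shutil.copy2(live_path, live_path + ".prev")  # save state first
    os.replace(staging, live_path)  # atomic swap on the same filesystem
    return True


def restore_previous(live_path):
    """The "restore previous cert" action: put the saved copy back."""
    prev = live_path + ".prev"
    if not os.path.exists(prev):
        return False
    os.replace(prev, live_path)
    return True


if __name__ == "__main__":
    # Constructed demo: a request that times out leaves the old cert alone.
    demo = os.path.join(tempfile.mkdtemp(), "ssl.cert")
    with open(demo, "w") as out:
        out.write("-----BEGIN CERTIFICATE-----\nT0xE\n-----END CERTIFICATE-----\n")

    def timed_out(path):
        raise TimeoutError("constructed failure")

    print(replace_cert_safely(demo, timed_out), os.path.exists(demo))
```
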