
website's Introduction

Let's Encrypt Website

This is the repository for the main Let's Encrypt website.

This site is built with Hugo. It's entirely static, no server-side code/scripting.

To see your changes, install Hugo Extended, then run it with:

hugo server -F

And open http://localhost:1313/ in your browser. Note that the -F flag will show items to be published in the future (like blog posts with dates in the future).

If you update JavaScript, CSS or layouts, you can run tests with:

npm install && npm run build && npm test

Contributions welcome.

Troubleshooting with Hugo

If you see the error:

Failed to load translations in file "en.toml": unsupported file extension .toml

Your version of Hugo is probably too old. Please use the version specified in netlify.toml.

Translations - internationalization (i18n)

To help with translation, please see TRANSLATION.md.

Creating new pages

When creating new pages you'll need to add a translation stub for each language. You can use the new-page.sh script to create these automatically:

Usage: ./new-page.sh <page-path> <page title>
Examples:
./new-page.sh my-page "My Page Title"
./new-page.sh post/my-post "My Post Title"

$ ./new-page.sh docs/new-page "My New Page"
Created page: ./content/vi/docs/new-page.md
Created page: ./content/sv/docs/new-page.md
Created page: ./content/he/docs/new-page.md
Created page: ./content/ja/docs/new-page.md
Created page: ./content/base-l10n/docs/new-page.md
Created page: ./content/it/docs/new-page.md
Created page: ./content/ru/docs/new-page.md
Created page: ./content/zh-cn/docs/new-page.md
Created page: ./content/uk/docs/new-page.md
Created page: ./content/sr/docs/new-page.md
Created page: ./content/zh-tw/docs/new-page.md
Created page: ./content/pt-br/docs/new-page.md
Created page: ./content/de/docs/new-page.md
Created page: ./content/ko/docs/new-page.md
Created page: ./content/id/docs/new-page.md
Created page: ./content/fr/docs/new-page.md
Created page: ./content/es/docs/new-page.md
Created page: ./content/en/docs/new-page.md

website's People

Contributors

aarongable, alexzorin, andygabby, ashmoremsp, atryastsyn, bdaehlie, bep, cpu, ddosolitary, dependabot[bot], do-know, eumel8, griffinsoftware, igolden, jaykaypea, jcjones, jkarner, jmorahan, jprenken, jsha, labanskoller, ludekjanda, mcpherrinm, osirisinferi, pgporada, rugk, sarahgran, scottmakestech, shuuji3, tdelmas


website's Issues

Fix website CI for identrustssl.com links

The HTMLProofer run during CI is flagging three identrust websites in every build and they appear to be false positives.

It would be nice to fix these so the CI reliability improves to the point where it can be used as a protective flag on the master branch.

- ./_site/2015/10/19/lets-encrypt-is-trusted.html
  *  External link https://identrustssl.com/ failed: response code 0 means something's wrong.
             It's possible libcurl couldn't connect to the server or perhaps the request timed out.
             Sometimes, making too many requests at once also breaks things.
             Either way, the return message (if any) from the server is: Peer certificate cannot be authenticated with given CA certificates
- ./_site/certificates/index.html
  *  External link https://www.identrust.com/certificates/trustid/root-download-x3.html failed: response code 0 means something's wrong.
             It's possible libcurl couldn't connect to the server or perhaps the request timed out.
             Sometimes, making too many requests at once also breaks things.
             Either way, the return message (if any) from the server is: Peer certificate cannot be authenticated with given CA certificates
- ./_site/sponsors/index.html
  *  External link https://www.identrustssl.com/ failed: response code 0 means something's wrong.
             It's possible libcurl couldn't connect to the server or perhaps the request timed out.
             Sometimes, making too many requests at once also breaks things.
             Either way, the return message (if any) from the server is: Peer certificate cannot be authenticated with given CA certificates
rake aborted!

i18n: Replace png containing text by svg

To help with the internationalization of main pages, images such as https://github.com/letsencrypt/website/blob/master/static/images/howitworks_authorization.png should be svg, so they can easily be translated

(Additionally, to follow the open-source pledge, ideally all pictures should be accompanied by their sources - a problem partially solved by svg)

Images containing texts:

Update CAA docs for errata ballot results

There's an outdated reference to the CABF ballot 214. The current page text says:

That erratum still needs to be voted in by the CA/Browser Forum by September 8 for it to to take effect for publicly trusted CAs.

Thanks to alanhuang in #letsencrypt on Freenode for pointing this out.

Incorrect twitter:description field on CP and CPS

These two URLs (maybe more) have CSS where their meta twitter:description should be:

https://letsencrypt.org/documents/isrg-cp-v2.1/
https://letsencrypt.org/documents/isrg-cps-v2.1/

<meta name="twitter:description" content=".markdown-preview:not([data-use-github-style]) { padding: 2em; font-size: 1.2em; color: rgb(171, 178, 191); background-color: rgb(40, 44, 52); overflow: auto; } .markdown-preview:not([data-use-github-style])  :first-child { margin-top: 0px; } .markdown-preview:not([data-use-github-style]) h1, .markdown-preview:not([data-use-github-style]) h2, .markdown-preview:not([data-use-github-style]) h3, .markdown-preview:not([data-use-github-style]) h4, .markdown-preview:not([data-use-github-style]) h5, .markdown-preview:not([data-use-github-style]) h6 { line-height: 1.2; margin-top: 1.5em; margin-bottom: 0.5em; color: rgb(255, 255, 255); } .markdown-preview:not([data-use-github-style]) h1 { font-size: 2.4em; font-weight: 300; } .markdown-preview:not([data-use-github-style]) h2 { font-size: 1.8em; font-weight: 400; } .markdown-preview:not([data-use-github-style]) h3 { font-size: 1.5em; font-weight: 500; } .">
--
  | <meta name="twitter:image:src" content="https://letsencrypt.org/images/le-logo-twitter.png">

Can you add the bitcoin method for donations?

Hi,

I love to make donations for some interested projects.
I wanted to make donation to you but you have only Paypal type. I hate this company.
Can you add subj?

P.S. If you need help - you can ask me

Make Certificate Lifetime more discoverable/a FAQ

An individual in #letsencrypt IRC mentioned they had a lot of trouble finding out how long Let's Encrypt certificates are valid for looking at our website. They expressed an expectation to find it as a FAQ item.

I scanned through the website myself and also didn't find that information very easily. One of the only places we explicitly mention 90 days is on an older blog post.

Perhaps this could also be addressed as part of the explainer asked for by #59 or by adding it to the FAQ.

Guidelines for translations

  • Path: /about/ (About in French: à propos) becomes /fr/about/ or /fr/a-propos ?
  • What should be the path for images? ( #314 )
  • What is missing to merge #246/#274 (Czech) and #313 (French)? What are the minimal requirements for a first pull-request for a new language?
  • trademarks.md and privacy.md: should they stay in English, or start with a warning - in English and in the current language - such as "This version is not binding, only the English version is"

Czech localization

Are there any plans to enable i18n on LE website? I see i18n folder in the repo but it looks like it isn't ready for translations yet. I would be happy to contribute with Czech localization. :)

Further PNG Compression

I see that you have losslessly compressed the PNG images here compared to the current website. However, they could still be compressed further to save about 50K on the start page. Happy to fork and submit a pull request for you but wasn't quite sure if this was the correct repo.

Alternately, you can use the Linux Trimage compressor and do it yourselves.

Disable link checker in Travis

It frequently fails spuriously due to temporary outages of linked-to sites, and also has a moderate maintenance burden (for instance, right now there is a problem with the certifi package).

Staging environment page refers to non-existing link on Certificates page

The page about the staging environment states the following:

If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the “Fake LE Root X1” certificate from the certificates page to your testing trust store.

However, the certificates page does not mention the staging environment at all, so there aren't any links to certificates of the staging environment there. So the above statement isn't presently correct :)

humans.txt

I know you are all about automation, but we should still not forget the humans... 😉

So what about adding a humans.txt?

Reorganizing section headings

I wanted to start a conversation about changing our section headings. Right now we have:

Blog, Technology, Contribute, Support, About

I think "blog" doesn't need to be a top-level heading, since we list recent posts and link to the full listing on the homepage. So the homepage is effectively the blog.

"Technology" isn't very enticing to click, and it's not clear to me what's behind it.

"Contribute" and "Support" are confusing next to each other, since they are both verbs that mean roughly the same thing. Of course, the latter is intended to mean something like "Get Support."

I don't have a 100% answer of where everything should go, but to get the ball rolling, what do you think of:

Documentation, Community, Donate, About

"How It Works" talks about signing nonces: unclear?

The How It Works page mentions the signing of nonces:

"Along with the challenges, the Let's Encrypt CA also provides a nonce that the agent must sign with its private key pair to prove that it controls the key pair."

and

"The agent also signs the provided nonce with its private key."

Today, somebody with interest in the ACME protocol read the How It Works page and didn't understand this signing of the nonce. It was unclear if this "nonce" was some kind of temporary certificate used as proof for the control of the private key or something else.

So I tried to figure out the role of this "nonce" in the current ACME specs. Besides the obvious replay protection nonce, I did not come across another use of something called "nonce" which could be directly signed by the private key (where I assume the private key corresponding to the public/private keypair of the certificate).

The reason for this issue is either one of the following purposes:

  • To suggest editing the part of the nonce, so it becomes more clear to the readers what it is and does;
  • To remove the part about the nonce altogether if it is a remnant of an old ACME draft currently not used any more*.

*: The first draft does mention the signing of a nonce directly for "Proof of possession of a prior key", but not for regular challenges.

The RSS feed does not adhere to strict XML standards

libxml2's xmllint reports quite a few parsing errors for https://letsencrypt.org/feed.xml:

-:84: parser error : Specification mandates value for attribute allowfullscreen
https://www.youtube.com/embed/gNJUpzNNWMw?rel=0" frameborder="0" allowfullscreen
                                                                               ^
-:184: parser error : Entity 'ldquo' not defined
<p>&ldquo;Over a year ago, when Let’s Encrypt came out of beta, it was an obvi
          ^
-:184: parser error : Entity 'rdquo' not defined
to support this new certificate authority, and become a Platinum sponsor,&rdquo;
                                                                               ^
-:184: parser error : Entity 'ldquo' not defined
a Platinum sponsor,&rdquo; said Octave Klaba, Founder, CTO and Chairman. &ldquo;
                                                                               ^
-:184: parser error : Entity 'rdquo' not defined
illion certificates were created for our customers during the first year.&rdquo;
                                                                               ^
-:190: parser error : Entity 'ldquo' not defined
<p>&ldquo;We then wanted to go one step further,&rdquo; continues Octave Klaba. 
          ^
-:190: parser error : Entity 'rdquo' not defined
<p>&ldquo;We then wanted to go one step further,&rdquo; continues Octave Klaba. 
                                                       ^
-:190: parser error : Entity 'ldquo' not defined
uo;We then wanted to go one step further,&rdquo; continues Octave Klaba. &ldquo;
                                                                               ^
-:190: parser error : Entity 'rdquo' not defined
secure and reliable. This service is now available to everyone, for free.&rdquo;
                                                                               ^

I guess wrapping HTML descriptions in <![CDATA[]]> or escaping special characters can fix the issue
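The two fixes suggested in the issue above (CDATA wrapping or escaping), checked against a strict XML parser. This is an added example, not code from the issue or the project; the sample HTML, the example.invalid URL and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: HTML of the kind the xmllint output complains about
# (named HTML entities, a valueless attribute) plus a literal "]]>" edge case.
SAMPLE_HTML = (
    '<p>&ldquo;We then wanted to go one step further,&rdquo; he said.</p>'
    '<iframe src="https://example.invalid/embed" frameborder="0" allowfullscreen></iframe>'
    '<pre>if (a[b[0]]>1) {}</pre>'
)
IFRAME_ONLY = '<iframe src="https://example.invalid/embed" allowfullscreen></iframe>'


def item_raw(html):
    """HTML pasted straight into <description>, as in the failing feed."""
    return "<item><description>" + html + "</description></item>"


def item_cdata(html, split=True):
    """Wrap the HTML in a CDATA section.

    A literal "]]>" inside the HTML would end the section early, so it is
    split across two adjacent CDATA sections unless split=False.
    """
    if split:
        html = html.replace("]]>", "]]]]><![CDATA[>")
    return "<item><description><![CDATA[" + html + "]]></description></item>"


def item_escaped(html):
    """Escape &, < and > so the HTML travels as plain character data."""
    return "<item><description>" + escape(html) + "</description></item>"


def check(xml_text):
    """Return (well_formed, description text or parser error message)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, str(exc)
    return True, root.findtext("description")


if __name__ == "__main__":
    for label, doc in [
        ("raw", item_raw(SAMPLE_HTML)),
        ("raw, iframe only", item_raw(IFRAME_ONLY)),
        ("cdata, no split", item_cdata(SAMPLE_HTML, split=False)),
        ("cdata, split", item_cdata(SAMPLE_HTML)),
        ("escaped", item_escaped(SAMPLE_HTML)),
    ]:
        ok, detail = check(doc)
        print(f"{label:18} well-formed={ok} {'' if ok else detail}")
```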

Font for I18n

The font currently used works perfectly well for English, but lacks basic characters for other Latin-based languages:

image

I was told that the currently used font "Open Sans" exists in "Latin Extended"

Documentation part ?

Can we imagine to have a doc part on site? Official doc, like the MDN. Not only forum (even it's extracted from forum).

For example, for a big noob. I was not able to create a certificate, put it on my heroku hosting and my domain name provider. So I used an heroku add-on. It was really really easy and fast, but it's "expensive".

Please experts, help us to understand and teach us

Change "Get started" link on homepage to a button

Right now if you visit letsencrypt.org, there's a "Get started" link. But this has two problems: 1) The link color is very similar to the text color, so it's not obvious it's a link. 2) It's not emphasized as the main action to take. We've gotten some feedback on the forum over time that the website doesn't make it clear how to get a Let's Encrypt certificate, which I think is in part because the Get Started link is under-emphasized.

@bdaehlie, what do you think of styling this as a button instead? Or perhaps changing the link color and giving it a solid-color background?

Do not send 'X-Frame-Options: DENY' for /stats-dashboard

To use our new stats dashboard with Mozilla's dashboard system, we need to permit embedding for the /stats-dashboard page as noted by Moz here: mozilla/moz-corsica#75 (comment)

This should be an nginx config change such as replacing the existing

add_header X-Frame-Options DENY;

with:

    location ~ ^/(?!(stats-dashboard|stats-dashboard/)) {
       add_header X-Frame-Options DENY;
    }

That applies the DENY policy to everything except the stats-dashboard.

Note that location of this directive matters, as only one location directive can match a given request, so if there are existing location directives in the config, you should reach out to me to work out a merge.
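A check of which request paths the location regex in the issue above leaves without the DENY header, as an added example (not code from the issue or the project). The sample paths and the tightened pattern are assumptions made for illustration; Python's re module treats this negative lookahead the same way as the PCRE engine nginx uses.

```python
import re

# Location regex exactly as posted in the issue above.
POSTED = re.compile(r"^/(?!(stats-dashboard|stats-dashboard/))")

# Hypothetical tightened variant (not from the issue): the exempted prefix
# must be followed by "/" or the end of the path.
TIGHTENED = re.compile(r"^/(?!stats-dashboard(?:/|$))")

# Constructed request paths. nginx matches "location ~" against the
# normalized URI path, without the query string.
SAMPLE_PATHS = [
    "/",
    "/docs/",
    "/stats/",
    "/stats-dashboard",
    "/stats-dashboard/",
    "/stats-dashboard/index.html",
    "/stats-dashboard-internal",   # constructed sibling path
    "/stats-dashboards/",          # constructed sibling path
]


def gets_deny(pattern, path):
    """True if the location block matches, so 'X-Frame-Options: DENY' is added."""
    return pattern.search(path) is not None


def exempt_paths(pattern, paths):
    """Paths the location block does not match, i.e. served without the header."""
    return [p for p in paths if not gets_deny(pattern, p)]


def broader_than_intended(paths):
    """Paths exempted by the posted regex that are not the dashboard itself."""
    tight = set(exempt_paths(TIGHTENED, paths))
    return [p for p in exempt_paths(POSTED, paths) if p not in tight]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:32} posted: {'DENY' if gets_deny(POSTED, path) else 'none':5}"
              f" tightened: {'DENY' if gets_deny(TIGHTENED, path) else 'none'}")
    print("exempt only under the posted regex:", broader_than_intended(SAMPLE_PATHS))
```

Because the lookahead has no boundary after the prefix, any path that merely starts with /stats-dashboard is exempted as well.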

write documentation regarding cached authorizations

Most reports to security@ involve someone saying that Let's Encrypt didn't reach out to their web server before creating a certificate. Authorization caching is why they are seeing this behavior, but it's not documented anywhere on our website.

I'd like us to create a new documentation page explaining authorization caching.

Content-Security-Policy error on https://letsencrypt.org/

Question about adding a client to the list of 3rd party clients

I am finishing up development of an ACME Client for the 4th Dimension (4D) programming language/environment and was curious, if I were to add it to this list via a pull request -

Where should I list "4D" or "4th Dimension" - would an environment beginning with the number "4" be above "Bash" (numbers before A) or below "Windows" (numbers after Z) ?

RSS feed is broken since the beginning of 2018

Please do not mark as duplicate of #277, #230 or another because they are closed and the problem is still present.

Here is a picture of the feed in a RSS reader right now:
2018

And here is how it looked last year:
2017

Considering what the engine is capable of ( http://spf13.com/project/index.xml ) this should be easy to fix.
You might try replacing https://github.com/letsencrypt/website/blob/master/layouts/_default/rss.xml with:

<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>{{ if eq  .Title  .Site.Title }}{{ .Site.Title }}{{ else }}{{ with .Title }}{{.}} on {{ end }}{{ .Site.Title }}{{ end }}</title>
    <link>{{ .Permalink }}</link>
    <description>{{ .Site.Params.description | htmlEscape }}</description>
    <generator>Hugo v{{ .Hugo.Version }}</generator>{{ with .Site.LanguageCode }}
    <language>{{.}}</language>{{end}}
    <lastBuildDate>{{ .PubDate.Format .Site.Params.time_format_RFC822 | safeHTML }}</lastBuildDate>
    {{ with .OutputFormats.Get "RSS" }}
        {{ printf "<atom:link href=%q rel=\"self\" type=%q />" .Permalink .MediaType | safeHTML }}
    {{ end }}
    {{ $posts := where .Site.RegularPages "Type" "in" (slice "post") | first 10 }}
    {{ range $posts }}
    <item>
      <title>{{ .Title }}</title>

      <link>{{ .Permalink }}</link>
      <pubDate>{{ .PubDate.Format .Site.Params.time_format_RFC822 | safeHTML }}</pubDate>
        <guid isPermaLink="true">{{ .Permalink }}</guid>
      <description>{{ .Summary | html }}</description>
    </item>
    {{ end }}
  </channel>
</rss>

Based on what I read in the docs https://gohugo.io/templates/rss/ and see if all the problems are fixed or will need more work to fix the rest of the validation errors reported here: https://validator.w3.org/feed/check.cgi?url=https%3A%2F%2Fletsencrypt.org%2Ffeed.xml

Implement localization

Right now we only support English. We'd like to support translated versions of some pages. Probably the best way to do this is to provide alternate URLs under each language code, e.g.:

https://letsencrypt.org/docs/rate-limits/
https://letsencrypt.org/kr/docs/rate-limits/

With a drop-down offering various languages. As an alternate, while we are getting our first few translations in, we may want to skip the drop-down in favor of having a language select at the top of specific pages that have translations. E.g. "This page is available in: English | Korean | Japanese"

Clarify dates in ACME v2 & wildcard blog posts

The Looking Forward to 2018 post says:

First, we’re planning to introduce an ACME v2 protocol API endpoint and support for wildcard certificates along with it. ... We are planning to have a public test API endpoint up by January 4, and we’ve set a date for the full launch: Tuesday, February 27.

The older ACME v2 API Endpoint Coming January 2018 and Wildcard Certificates Coming January 2018 posts should perhaps be updated with the specific timeline. People might still be finding links to the old posts, and expecting a full launch of wildcard certificates on January 1.

include more basic information about what we do

I have heard a few complaints recently that our website doesn't give people enough of a basic summary about what we actually do/offer. In other words, we presume too much about what we think people already know coming in.

The people who mentioned this to me seemed to think that a more basic explanation is needed at the beginning of the Getting Started page. That seems right to me. We should try to give a better basic explanation of what we offer at the beginning of that page, without letting it get too long. Maybe a single paragraph, 3-5 sentences, would be ideal.

ocsp server replies "unauthorized"

We encountered a problem with our certificate for www.samba.org (https://crt.sh/?id=45037611) today. All our web server certificates have the must-staple feature enabled and we need to get a valid reply from the OCSP server in order for the certificate to be valid for Firefox. The above mentioned certificate is the only one which is broken. All other RSA and ECDSA certs get valid OCSP responses for us. Also this certificate used to work until today.

I will attach the network sniff of a failing manual ocsp request made with openssl 1.0.1t using:

openssl ocsp -noverify -no_nonce -respout ocsp.resp -reqout ocsp.req -issuer chain.pem -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org/ -header "HOST" ocsp.int-x3.letsencrypt.org
ocsp-letsencrypt-fail.pcap.gz

SVG sponsors?

Why are not logos of sponsors on homepage in SVG, but in PNG, sometimes even without transparency?

Do Not Track option is not checked before sending information to Google Analytics

Let’s Encrypt Privacy Policy states in the Visitor section that:

(...) Additionally, we may use third-party analytics services like Google Analytics to gauge traffic and popular pages on our web site. Third party analytics services will set and receive first-party cookies. These cookies do not contain personal information, but uniquely identify your browser software over time on our site. We respect the Do Not Track header by strictly limiting the information our analytics services can collect and share for all Visitors.

However, Google is not listed in the companies which "are taking steps to honor Do Not Track".

Opening "Get Started" in a new tab replaces parent home page with an HTTP-only page

How to reproduce:

  1. go to https://letsencrypt.org/
  2. open the link "Get Started" in a new tab (depending on OS and browser, e.g. with ctrl+click or cmd + click or right-click + "Open Link in a New Tab")

Expected Outcome:

A. the Getting Started page should open in a new tab
B. the Home Page should remain open in the parent tab

Actual Outcome:

A. the Getting Started page does open in a new tab
C. the Home Page is replaced with http://example.com/your-link

Navigation menu is not accessible

The main navigation menu is not keyboard accessible, i.e. sub-menus do not open except on a mouse hover event. Suggest developing to respond to keyboard events properly, and use ARIA menu roles and states to ensure full accessibility.

Tighten the Content-Security-Policy

Once #61 merges, the Content Security Policy can have the plot.ly entries removed.

Further, the Google Analytics code can be relocated out of the main templates into main.js to permit removal of the unsafe-inline CSP script source.
