skywhopper 2 days ago

Certbot goes out of its way to be inscrutable about what it’s doing. It munges your web server config (temporarily) to handle http challenges, and for true sysadmins who are used to having to know all the details of what’s going on, that sort of script is a nightmare waiting to happen.

I assume certbot is the client she’s alluding to that misinterprets one of the factors in the protocol as hex vs decimal and somehow things still work, which is incredibly worrisome.

castillar76 2 days ago | parent | next [-]

Having my ACME client munge my webserver configs to obtain a cert was one of the supreme annoyances about using them — it felt severely constraining on how I structured my configs, and even though it’s a blip, I hated the double restart required to fetch a cert (restart with new config, restart with new cert).

Then I discovered the web-root approach people mention here and it made a huge difference. Now I have the HTTP snippet in my server set to serve up ACME challenges from a static directory and push everything else to HTTPS, and the ACME client just needs write permission to that directory. I can dynamically include that snippet in all of the sites my server handles and be done.

If I really felt like it, I could even write a wrapper function so the ACME client doesn’t even need restart permissions on the web-server (for me, probably too much to bother with, but for someone like Rachel perhaps worthwhile).

ndsipa_pomu 2 days ago | parent [-]

A wrapper function may be overkill when you can do something like this:

  letsencrypt renew --non-interactive --post-hook "systemctl reload nginx"

castillar76 a day ago | parent [-]

Oh definitely, but her point was she didn’t want the ACME client having the rights to frob the webserver — I figured that meant restart-rights too. :)

jeroenhd 2 days ago | parent | prev | next [-]

With the HTTP implementation that's true, but the DNS implementations of certbot's certificate request plugins don't touch your server config. As an added bonus, you can use that to also obtain wildcard certificates for your subdomains so different applications can share the same certificate (so you only need one single ACME client).

claudex 2 days ago | parent | prev | next [-]

You can configure certbot to write in a directory directly and it won't touch your web server config.

ndsipa_pomu 2 days ago | parent | prev [-]

> It munges your web server config (temporarily) to handle http challenges

I run it in "webroot" mode on nginx servers so it's just a matter of including the relevant config file in your HTTP sections (likely before redirecting to HTTPS) so that "/.well-known/acme-challenge/" works correctly. Then when you do run certbot, it can put the challenge file into the webroot and nginx will automatically serve it. This allows certbot to do its thing without needing to do anything with nginx.
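The webroot layout described in this thread (a shared snippet that serves ACME challenges from a static directory and redirects everything else to HTTPS, so the ACME client only needs write access to that directory), as an added example that is not config posted by any commenter. File paths and the domain name are assumptions; the certbot flags in the comments are the real `--webroot`, `-w`, `-d` and `--post-hook` options.

```nginx
# --- /etc/nginx/snippets/acme-challenge.conf (assumed path) ---
# Included from the port-80 server block of every site, before the
# HTTPS redirect, so HTTP-01 challenges are answered from disk.
# Prefix match with ^~ wins over regex locations in the same server.
location ^~ /.well-known/acme-challenge/ {
    # Only directory the ACME client needs to write to; make it owned
    # by the user certbot runs as and readable by the nginx worker user.
    root /var/www/acme;          # assumed path; files land under
                                 # /var/www/acme/.well-known/acme-challenge/
    default_type text/plain;     # challenge bodies are plain text
    try_files $uri =404;         # never fall through to the redirect
}

# Everything that is not a challenge is sent to HTTPS.
location / {
    return 301 https://$host$request_uri;
}

# --- /etc/nginx/sites-available/example.com (assumed path) ---
# Each site's HTTP listener just pulls in the snippet above.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # placeholder domain
    include snippets/acme-challenge.conf;
}

# Issue and renew without certbot touching nginx config. The reload is
# the only privileged step; run renew from a cron/timer as a user that
# owns /var/www/acme and wrap the reload in sudo if that user may not
# restart nginx.
#   certbot certonly --webroot -w /var/www/acme -d example.com -d www.example.com
#   certbot renew --post-hook "systemctl reload nginx"
```

Verify the path before requesting a cert: write a test file into the challenge directory and fetch it over plain HTTP; if you get the 301 instead of the file, the snippet is included after a catch-all location or the redirect sits in a regex location that shadows it.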