adontz 3 days ago

certbot has a plugin for nginx, so I'm not sure why people think it was hard to use LetsEncrypt with nginx.

bityard 2 days ago | parent | next [-]

Maybe it's better these days, but even as an experienced systems administrator, I found certbot _incredibly_ annoying to use in practice. They tried to make it easy and general-purpose for beginners to web hosting, but they did it with a lot of magic that does Weird Stuff to your host and server configuration. It probably works great if you're in an environment where you just install things via tarball, edit your config files with Nano, and then rarely ever touch the whole setup again.

But if you're someone who needs tight control over the host configuration (managed via Ansible, etc) because you need to comply with security standards, or have the whole setup reproducible for disaster recovery, etc, then solutions like acme.sh or LEGO are far smaller, just as easy to configure, and in general will not surprise you.

creshal 2 days ago | parent | prev | next [-]

Certbot is a giant Swiss army chainsaw that can do everything middlingly well, if you don't mind vibecoding your encryption infrastructure. But a clean solution it usually isn't.

(That said, I'm not too thrilled by this implementation. How are renewals and revocations handled, and how can the processes be debugged? I hope the docs get updated soon.)

jeroenhd 2 days ago | parent [-]

Certbot always worked fine for me. It autodetects just about everything and takes care of just about everything, unless you manually instruct it what to do (i.e. re-use a specific CSR) and then it does what you tell it to do.

It's not exactly an Ansible/Kubernetes-ready solution, but if you use those tools you already know a tool that solves your problem anyway.

jddj 2 days ago | parent | prev | next [-]

From the seeming consensus I was dreading setting let's encrypt up on nginx, until I did it and it was and has been... Completely straightforward and painless.

Maybe if you step off the happy path it gets hairy, but I found the default certbot flow to be easy.

orblivion 3 days ago | parent | prev | next [-]

From a quick look it seems like a command you use to reconfigure nginx? And that's separate from auto-renewing the cert, right?

Maybe not hard, but Caddy seems like even less to think about.

orblivion 2 days ago | parent [-]

I guess I should compare to this new Nginx feature rather than Caddy. It seems like the benefit of this feature is that you don't have a tool to run, you have a config to put into place. So it's easier to deploy again if you move servers, and you don't have to think about making sure certbot is doing renewals.
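Whichever tool does the issuance (certbot's timer, an acme.sh cron job, or the nginx module's own renewal loop), the thing a practitioner actually wants is an independent check that the certificate on disk is still getting renewed. The script below is an added example, not code from the thread or from any of the projects named in it: it builds a throwaway self-signed certificate in place of a real `/etc/letsencrypt/live/<domain>/fullchain.pem` (the path is an assumption, as is the 30-day threshold, which matches Let's Encrypt's 90-day lifetime with certbot's default renew-at-30-days behaviour) and uses `openssl x509 -checkend` to decide whether renewal is overdue.

```shell
#!/bin/sh
# Added example, not from the thread: a tool-agnostic check that an ACME
# certificate on disk is still being renewed. Let's Encrypt certs live 90
# days and certbot renews at 30 days remaining (assumed threshold below),
# so fewer than 30 days left means the renewal job, whatever it is, has
# stopped working and someone should look before the site goes dark.
set -u

# Return 0 (true) if the cert at $1 expires within $2 days, 1 otherwise.
# `openssl x509 -checkend N` exits 0 when the cert is still valid N
# seconds from now and 1 when it will have expired, so the sense is
# inverted here to read naturally in an `if`.
needs_renewal() {
    cert="$1"
    days="$2"
    seconds=$((days * 86400))
    if openssl x509 -checkend "$seconds" -noout -in "$cert" >/dev/null 2>&1; then
        return 1   # still good for at least $days days
    else
        return 0   # expires within $days days: renewal is overdue
    fi
}

# Print the notAfter date so the operator can see what the check saw.
cert_expiry() {
    openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# Constructed fixture: a self-signed cert that expires in $2 days, standing
# in for the real chain file the ACME client writes. Hypothetical path.
make_test_cert() {
    out="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=example.test" \
        -keyout "${out}.key" -out "$out" >/dev/null 2>&1
}

# Stand-alone demo: a cert with 5 days left trips the 30-day threshold.
demo() {
    tmp="$(mktemp -d)"
    make_test_cert "$tmp/fullchain.pem" 5
    if needs_renewal "$tmp/fullchain.pem" 30; then
        echo "RENEW: expires $(cert_expiry "$tmp/fullchain.pem"), within 30 days"
    else
        echo "OK: expires $(cert_expiry "$tmp/fullchain.pem")"
    fi
    rm -rf "$tmp"
}

demo
```

Point `needs_renewal` at the live chain file from a cron job or monitoring probe and alert on a zero exit; because it reads the file nginx actually serves, it catches the case where the ACME client renewed into one directory while the web server still loads a stale copy from another, which a `certbot renew --dry-run` alone would not show.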

9dev 2 days ago | parent | prev | next [-]

Certbot is a utility that can only be installed via snap. That crap won’t make it to our servers, and many other people view it the same way I do.

So this change is most welcome.

orblivion 2 days ago | parent | next [-]

That doesn't sound right to me. It's been in Debian and Ubuntu for a while:

* https://packages.debian.org/bullseye/certbot

* https://packages.ubuntu.com/jammy/certbot

9dev 2 days ago | parent [-]

Last I was concerned with, this was the situation:

https://github.com/certbot/certbot/issues/8345#issuecomment-...

That’s been three years though. The EFF/Certbot team has lost so much goodwill with me over that, I won’t go back.

adontz 2 days ago | parent | prev [-]

It's a Python package you can install with pip, never ever installed it with Snap

vivzkestrel 2 days ago | parent | prev [-]

absolute nightmare to get this to work inside docker compose dude. Nobody has documented a decent working solution for this yet. Too many quirks and third parties like nginx-proxy-manager or nginx-proxy/nginx-proxy on github make it even more terrible