kijin 2 days ago

Certbot has a "standalone" mode that occupies port 80 and serves /.well-known/ by itself.

Whoever first recommended using that mode in anything other than some sort of emergency situation needs to be given a firm kick in the butt.

Certbot also has a mode that mangles your apache or nginx config files in an attempt to wire up certificates to your virtual hosts. Whoever wrote the nginx integration also needs a butt kick, it's terrible. I've helped a number of people fix their broken servers after certbot mangled their config files. Just because you're on a crusade to encrypt the web doesn't give you a right to mess with other programs' config files, that's not how Unix works!

jofla_net 2 days ago

Also, whoever decided that service providers were no longer autonomous to determine the expiration times of their own infrastructure's certificates should get that boot-to-the-head as well.

It is not as if they couldn't already choose (to buy) such short lifetimes already.

Authoritarianism at its finest.

jeltz 2 days ago

Certbot also fights automation and provisioning with e.g. Ansible by modifying config files to remember command line options if you ever need to do anything manually in an emergency.

It is a terrible piece of software. I use dehydrated, which is much friendlier to automation.

tomku 2 days ago

Those choices and Certbot strongly encouraging snap installation was enough to get me to switch to https://go-acme.github.io/lego/, which I've been very happy with since. It's very stable and feels like it was built by people who actually operate servers.