Wandering Thoughts archives


My views on clients for Let's Encrypt

To use Let's Encrypt, you need a client, as LE certificates are available only through their automated protocol. I can't say I've checked out all the available clients (there are a lot of them), but here are the three that I've actively looked at and explored. I stopped exploring clients after three because these meet my needs and pretty much work the way I want.

The official Let's Encrypt client is, well, the official client. It's big and has many features and can be kind of a pain (or at least slightly scary) to get going, depending on whether it's already available as a system package. Its advantage is that it is the official client; it'll probably have the most up-to-date and complete protocol support, it's pretty much guaranteed to always work (LE isn't going to let their official client be broken for very long), and there are tons of people who are using it and can help you if you run into problems. If you don't really care and just want a single certificate right now, it's probably your easiest option. And it has magic integration with an ever-growing collection of web servers and so on, so that it can do things like automatically reload newly-renewed certificates.

The drawback of the official client is that it's big and complicated. One of my major use cases for LE is certificates for test machines and services, where all I want is a cert issued with minimal fuss, bother, flailing around, and software installation. My client of choice for 'just give me a TLS certificate, okay?' cases like this is lego. You turn off the real web server on your test machine (if any), you run lego with a few obvious command line options, and you have a certificate. Done, and done fast. Repeat as needed. As a Go program, the whole thing is a single executable that I can copy around to test machines as required. Lego doesn't really automate certificate renewal, but this is not an issue for test usage.

(You do have to remember to (temporarily) allow HTTP or HTTPS in to your test machine, which is something that I've forgotten a few times.)

My other usage case for LE is as the regular TLS certificates for my personal site. Here I very much wanted a client that had a clear story for how to do automated certificate renewals in an unusual environment with a custom setup, and that I could understand, control, and trust. Perhaps the official client could have done that if I studied it enough, but I felt that it was more focused towards doing 'just trust us' magic in standard setups. The client I settled on for this is Hugo Landau's acmetool, which is refreshingly free of magic. The simple story of how you get automatic certificate renewals and service reloads is that acmetool supports running arbitrary scripts after a certificate has been renewed. Just set up a script that does whatever you need, put an appropriate acmetool command in a once-a-day crontab entry, and you're basically done. One of the reasons that I like acmetool so much is that I think its way of handling the whole process is the correct approach. As its README says, it's intended to work like 'make' (which is a solidly proven model), and I think the whole approach of running arbitrary scripts on certificate renewal is the right non-magic way to handle getting services to notice the renewed certificates.
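To make the 'run a script after renewal' model concrete, here is a constructed post-renewal hook script. It is an added example, not code from the entry or from the acmetool project. It assumes, as I understand acmetool's hook interface (check the acmetool documentation for your version), that acmetool runs each executable in its hooks directory with the event name as the first argument, and that for the "live-updated" event it passes the renewed hostnames on standard input, one per line. The hostnames, the web server and the reload command are all constructed placeholders for your own setup.

```shell
#!/bin/sh
# Constructed example of an acmetool post-renewal hook (not from the original
# entry or from acmetool itself).  Assumed interface: acmetool invokes this
# script as "hook EVENT", and for EVENT "live-updated" supplies the hostnames
# whose certificates changed on stdin, one per line.  Verify against the
# acmetool documentation before relying on it.

# Hostnames this particular web server serves.  Anything else acmetool renews
# on this box (other services, other vhosts) is none of this hook's business.
# Constructed sample values; replace with your own.
SERVED_HOSTS="www.example.org example.org"

# needs_reload: read hostnames from stdin; succeed (return 0) if any of them
# is one we serve, fail (return 1) otherwise.  Keeping the decision in a
# function makes it easy to test without touching a real server.
# Usage: printf 'host\n...' | needs_reload
needs_reload() {
    while IFS= read -r host; do
        for served in $SERVED_HOSTS; do
            [ "$host" = "$served" ] && return 0
        done
    done
    return 1
}

# Only the live-updated event matters; challenge-* and unknown events are
# ignored so the hook is harmless if acmetool grows new event types.
if [ "${1:-}" = "live-updated" ]; then
    if needs_reload; then
        # Reload, not restart, so in-flight connections are kept.  Hypothetical
        # command: substitute whatever your web server actually needs.
        systemctl reload nginx
    fi
fi
```

Make the script executable and drop it into acmetool's hooks directory (for example /usr/lib/acme/hooks; the exact path is distribution-dependent, so treat it as an assumption to verify). The once-a-day crontab entry the entry refers to would then run acmetool's reconcile subcommand in batch mode, along the lines of `17 3 * * * root acmetool --batch reconcile`, again checked against the acmetool documentation for the version you install. Because the hook only reloads when one of its own hostnames was renewed, an unrelated certificate on the same machine does not cause a gratuitous reload.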

(Acmetool also has some clever and handy tricks, but that's something for another entry.)

Unsurprisingly, acmetool requires a certain amount of work to set up and configure (unlike lego, which is 'run and done'). But after that, so far it has been something I can completely ignore. I rather look forward to being able to not think about TLS certificate renewal on my personal site at all, instead of having to remember it once a year or so.

(The necessary disclaimer is that it hasn't yet been 60 days since I started using LE and acmetool, so I haven't had it go through the certificate renewal process. If I was more patient, I'd have waited longer to write this entry. But as it is, I think acmetool's fundamental model is sound so I'm fairly confident that everything's going to be fine.)

sysadmin/LetsEncryptMyClients written at 00:35:52
