Switching Let's Encrypt clients is currently quite disruptive
On Twitter, I said:
At the moment, changing between Let's Encrypt clients appears to be about as disruptive as changing to or from Let's Encrypt and another CA. Certificate paths change, software must be uninstalled and installed, operational practices revised, and nothing can be moved over easily.
I didn't mention that you are probably going to have to get reissued certificates unless you like doing a lot of work, but that's true too. Let's Encrypt makes this easy, but some people may run into rate limits here.
This is on my mind because we're replacing
acmetool with something
else (almost certainly Certbot for reasons beyond the scope of this
entry), so I've been thinking about the mechanics of the switch.
Unfortunately there are a lot of them. Acmetool and Certbot do
almost everything differently; they put their certificates in
different places, they have different command lines and setup
procedures, and Certbot needs special
handling during some system installs that
So to transition a machine we're going to have to install Certbot
(or whatever client), install our Certbot customizations (we need
at least a hook script or two), uninstall
acmetool to remove its
cron job and Apache configuration snippet, set up the Apache
configuration snippet that Certbot needs, register a new account,
request certificates, and then update the configuration of all of
our TLS-using programs to the new certificate locations. Then the
setup instructions for the machine need to be revised to perform
the Certbot install and setup instead of the current
one. We get to repeat this for every system we have that uses Let's
Encrypt. All of this requires manual work; it's not something we
can really automate in a sensible amount of time
(at least not safely, cf).
(Then when we need new TLS certificates we'll have to use different commands to get them, and if we run into rate limits we'll have to use different ways to deal with the situation.)
There are multiple causes for this. One of them is simply that clients are different, with different command lines (and Certbot has some very ornate ones, which we'll almost certainly fix with a cover script that provides our standard local options). But a big one is that clients have not standardized even where and how they store data about certificates and Let's Encrypt accounts, much less anything more. As a result, for example, as far as I know there's no official way to import current certificates and accounts into Certbot, or extract them out afterward. Your Let's Encrypt client, whatever it is, is likely to be a hermetically sealed world that assumes you're starting from scratch and you'll never want to leave.
(It would be nice if future clients could use Certbot's
directory structure for storing your TLS certificates and keys. At
least then switching clients wouldn't require updating all of the
TLS certificate paths in configuration files for things like Apache,
Exim, and Dovecot.)