Why we're going to be using Certbot as our new Let's Encrypt client

July 21, 2019

We need a new Let's Encrypt client to replace acmetool, and I'm on record as not particularly liking Certbot; it lacks some features that are important to us, it's a pretty big program, and it's quite ornate (and there's the issue of the EFF trying to get you to sign up for their mailing list when you register a Let's Encrypt account with an email address). But despite that, Certbot is going to be our future Let's Encrypt client unless we uncover some fatal problem as we finalize how we're going to operate it.

The reason why is very simple; I never want to go through changing clients again, because changing clients is very disruptive and a lot of work. We're forced to change clients now because our previous client of choice has stopped being maintained and hasn't kept up with Let's Encrypt's changes. Certbot is pretty much the closest thing Let's Encrypt has to an official client, so the odds are very good that it will keep up with any Let's Encrypt changes, and probably also any other changes needed to keep working on popular Linuxes such as various versions of Ubuntu LTS.

(Let's Encrypt officially recommends Certbot and has for some time.)

Certbot is not my ideal Let's Encrypt client. But it is a workable client (and we can make it more workable with a cover script), and it's extremely likely to stay that way for as long as we want to use Let's Encrypt. This is good enough to make it my choice.

(On a pragmatic basis, Certbot also seems to be the closest I can get to acmetool in a client that is written in a way I'm okay with. In particular, as someone who has dealt with OpenSSL and written things in Bash, my view is that neither is the right foundation for a Let's Encrypt client that I want to entrust our systems to. I admire the spirit of aggressive minimalism that makes people write Let's Encrypt clients with little or no dependencies, but that isn't what's important to us.)

Sidebar: I don't regret picking acmetool way back when

Back when I initially picked acmetool, my use case was different and Certbot was significantly more work and more intrusive to install than it is today. Carrying acmetool over when we switched to Let's Encrypt was natural, and it worked well. Also, acmetool is a very simple client to use, and in the beginning that was important to us because we weren't sold on the benefits of Let's Encrypt; a complex install and operation process wouldn't have been half as attractive, and we might have kept on using manually obtained TLS certificates (especially after we could get free ones through the university's central IT).

In short, acmetool has worked great for years and was the no hassle client we needed at the start. Especially at the time when we started using it, I don't think there was a better alternative for us.

Comments on this page:

I also use acmetool and am planning on sticking with it. I haven't sat down and looked recently, but there was a branch to work with the new api last I checked. Is that not panning out?

By cks at 2019-07-22 16:19:03:

The most recent information I have on acmetool is contained in the links in this entry. Apparently acmetool's support for ACMEv2 is incomplete and not up to date on the latest ACMEv2 changes, and no development appears to be happening.

Argh. So certbot for me too. Dammit.

By Florida P. Mann at 2019-07-23 20:28:13:

You should check out acme-client(1) from OpenBSD... it's great and lightweight.

I love acme-client… and I recently switched away from it. Unless you’re running OpenBSD, it too is abandonware, regrettably.

By James (trs80) at 2019-07-26 11:26:04:

I've been using acme.sh, it works pretty well and has wildcard support.



Last modified: Sun Jul 21 22:14:44 2019