Chris's Wiki :: blog/sysadmin/LetsEncryptClientWants Comments
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/LetsEncryptClientWants?atomcomments
2019-05-14T05:08:50Z
Recent comments in Chris's Wiki :: blog/sysadmin/LetsEncryptClientWants.

From 193.219.181.226 on /blog/sysadmin/LetsEncryptClientWants
<div class="wikitext"><blockquote><p>since it's just a Bash script</p>
</blockquote>
<p>Sorry but that does not inspire any confidence whatsoever in the program.</p>
</div>
2019-05-14T05:08:50Z

From 104.195.201.27 on /blog/sysadmin/LetsEncryptClientWants
<div class="wikitext"><p>Third endorsement for <code>dehydrated</code> (and the <code>dehydrated-apache2</code> Deb package).</p>
<p>Very little magic (which you can inspect since it's just a Bash script), and allows for hooks in various stages. If you want simple, all you have to do is edit the <code>hook.sh</code> file (of which they provide an example) and add a <code>service [webserver] reload</code> line in the <em>deploy_cert()</em> function.</p>
</div>
2019-05-13T11:07:55Z

By Albert on /blog/sysadmin/LetsEncryptClientWants
<div class="wikitext"><p>In keeping with simple tools, I'm happy with <a href="https://github.com/Neilpang/acme.sh">https://github.com/Neilpang/acme.sh</a>. Simple shell script, supports APIv2 and DNS validation (which is what we use), can be run from cron and in a container as well.</p>
</div>
2019-05-13T09:49:32Z

By Tony Finch on /blog/sysadmin/LetsEncryptClientWants
https://dotat.at
<div class="wikitext"><p>I like <code>dehydrated</code> too. I wrote a bit about bootstrapping it on Debian a few weeks ago <a href="https://www.dns.cam.ac.uk/news/2019-03-15-lets-encrypt.html">https://www.dns.cam.ac.uk/news/2019-03-15-lets-encrypt.html</a></p>
</div>
2019-05-13T07:07:00Z

By Evaryont on /blog/sysadmin/LetsEncryptClientWants
https://evaryont.me
<div class="wikitext"><blockquote><p>We can probably duplicate a lot of this by using scripts on top of some other client, such as lego. But I would like us to not need a collection of home-grown scripts (and likely data files) to mimic the simplicity of operation that acmetool provides.</p>
</blockquote>
<p>My tool of choice for lightweight ACME clients has been <a href="https://github.com/lukas2511/dehydrated">dehydrated</a>. Though you'd be right in designing scripts; it's file driven without a CLI to perform those edits for you. I like that, myself, but I also have the various files it heavily templated out via Ansible already.</p>
</div>
2019-05-13T04:21:35Z

From 193.219.181.211 on /blog/sysadmin/LetsEncryptClientWants
<div class="wikitext"><p>I'm always confused by complaints that certbot "touches all your configs". Sure, it does, <em>if you ask it to</em>. But it has <em>always</em> had <code>certbot certonly --webroot</code> (and before the name change, <code>letsencrypt certonly</code>) that does nothing else but obtain a certificate. The actual config-editing plugins need not even be installed.</p>
<p>I've recently switched back to it from acmetool. You can feel the mass of Python code starting up every time, versus acmetool's fast compiled binary, but besides that it works well.</p>
</div>
2019-05-13T03:57:26Z
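
The `hook.sh` change described in the dehydrated comment above, as an added example that is not code from any commenter or from the dehydrated project: a `deploy_cert` handler that reloads the web server only after the new key and chain pass basic sanity checks. `RELOAD_CMD`, the two check functions and the use of GNU `stat` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example of a dehydrated-style hook.sh (not the project's shipped example).
# Assumptions: RELOAD_CMD, both sanity checks, and GNU stat for reading the mode.

RELOAD_CMD="${RELOAD_CMD:-service apache2 reload}"   # assumed web server

# True only for a non-empty regular file with no group/other permission bits.
key_is_private() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1   # octal mode, e.g. 600
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# True if the file is non-empty and contains a PEM certificate header.
looks_like_pem_cert() {
    [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# dehydrated passes: DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    domain="$1"; keyfile="$2"; fullchain="$4"
    if ! key_is_private "$keyfile"; then
        echo "deploy_cert: $domain: key missing or readable by group/other; not reloading" >&2
        return 1
    fi
    if ! looks_like_pem_cert "$fullchain"; then
        echo "deploy_cert: $domain: $fullchain is not a PEM certificate; not reloading" >&2
        return 1
    fi
    $RELOAD_CMD   # deliberately unquoted so the command and its arguments split
}

# dehydrated runs the hook as: hook.sh HANDLER ARGS...; other handlers are ignored.
handler="${1:-}"
case "$handler" in
    deploy_cert) shift; deploy_cert "$@" ;;
esac
```

Refusing to reload on a failed check leaves the web server running with the certificate it already had loaded, and the non-zero exit status makes the failure visible to whatever runs the client from cron.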