letsencrypt hell

I simultaneously both love letsencrypt and also hate it.

Maybe hate is the wrong word, the project’s goals are fantastic.

What I hate is the official software – certbot.

Firstly, the way it installs is horrible: under some weird directory structure in your home directory. Who in the world generally manages their software like this? What happened to /usr/local or /opt?

Then, on to actually using the software itself: the command line syntax is very clunky and hard to work out, and the documentation is confusing.

Finally, we come to wildcard certificates.

certbot, by its very descriptive name, is a certificate robot, an automated tool for generating certificates.  So what did they do for wildcard certificates?

You have to use some clunky command line option to specify an alternative server, and then you have to use a manual authentication technique using DNS records. It gets better: if you want to secure both ‘*.xciv.org’ and ‘xciv.org’ in one certificate, you get prompted for two different keys that both sit on the same DNS record. Cue…

1. Run script
2. Edit first DNS record key
3. Reload DNS server
4. Edit second DNS record key
5. Reload DNS server

Every time you renew, you have to do all this again – yes, despite being the automated certificate script, there is no way to automate renewals when using DNS authentication – which is mandatory for wildcard certificates.
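To make the "two different keys on the same DNS record" step concrete, here is an added example (not code from the post, and not certbot's own code) showing what those two values are and how to check that both have been published before telling the client to continue. The ACME DNS-01 challenge puts a TXT record at `_acme-challenge.<domain>`; for a wildcard the `*.` is stripped, which is why `*.xciv.org` and `xciv.org` share the name `_acme-challenge.xciv.org`. Each value is `base64url(SHA-256(token "." account-key-thumbprint))`, so the two names get two different values. The account key, the tokens and the `dig` output below are constructed placeholders, not real material; the check is the one a practitioner wants before step 3 and again before step 5 of the procedure above, because a validation attempted against a half-published record fails and counts against rate limits.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value the CA looks for: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def missing_txt_values(expected, dig_short_output: str) -> set:
    """Return the expected values not present in `dig +short TXT <name>` output.

    `dig +short` prints one quoted string per TXT record; anything else
    (blank lines, unquoted noise) is ignored.
    """
    published = set()
    for line in dig_short_output.splitlines():
        line = line.strip()
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            published.add(line[1:-1])
    return set(expected) - published


# Constructed sample data: not a real account key and not real ACME tokens.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
TOKENS = {"*.xciv.org": "constructed-token-for-wildcard",
          "xciv.org": "constructed-token-for-apex"}
CHALLENGE_NAME = "_acme-challenge.xciv.org"


def expected_txt_values(jwk=ACCOUNT_JWK, tokens=TOKENS) -> dict:
    """Map each requested name to the TXT value the CA will query for."""
    thumb = jwk_thumbprint(jwk)
    return {name: dns01_txt_value(tok, thumb) for name, tok in tokens.items()}


if __name__ == "__main__":
    values = expected_txt_values()
    # Both records live under the same owner name; publish them side by side.
    for name, value in values.items():
        print(f'{CHALLENGE_NAME}. 60 IN TXT "{value}"   ; for {name}')
    # Constructed stand-in for `dig +short TXT _acme-challenge.xciv.org`
    # taken after only the wildcard's record has been published.
    dig_output = f'"{values["*.xciv.org"]}"\n'
    print("still missing:", missing_txt_values(values.values(), dig_output))
```

In practice you would replace the constructed `dig_output` with the real output of `dig +short TXT _acme-challenge.xciv.org @<authoritative server>` after each DNS reload, and only return to the prompt once `missing_txt_values` comes back empty.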

Now, I can forgive the requirement for DNS authentication for wildcard certificates if that has been deemed the safest method; SSL is all about improving security, after all.

What I can’t forgive is this god damn awful piece of software design that passes for the official letsencrypt tool.

Addendum

Since late 2018, after some recommendations, I have switched to the dehydrated client, and this is by far a better solution.
