I simultaneously both love letsencrypt and also hate it.<\/p>\n
Maybe hate is the wrong word, the project’s goals are fantastic.<\/p>\n
What I hate is the official software – certbot.<\/p>\n
Firstly the way it installs is horrible, under some weird directory structure in your home directory, who in the world generally manages their software like this?\u00a0 What happened to \/usr\/local or \/opt?<\/p>\n
Then to actually using the software itself, the command line syntax is very clunky and hard to work out.\u00a0 The documentation is confusing.<\/p>\n
Finally, we come to wildcard certificates.<\/p>\n
certbot, by its very descriptive name, is a certificate robot, an automated tool for generating certificates.\u00a0 So what did they do for wildcard certificates?<\/p>\n
You have to use some clunky command line option to specify an alternative server and then you have to use a manual authenticatation technique using DNS records.\u00a0 It gets better, if you want to secure both ‘*.xciv.org’ and ‘xciv.org’ in one certificate, you get prompted for two different keys, that both sit on the same DNS record.\u00a0 Cue…<\/p>\n
1. Run script
\n2. Edit first DNS record key
\n3. Reload DNS server
\n4. Edit second DNS record key
\n5. Reload DNS server<\/p>\n
Every time you renew, you have to do all this again – yes, despite being the automated certificate script there is no way to automate renewals when using DNS authentication – which is mandatory for wildcard certificates.<\/p>\n
Now I can forgive the requirement for DNS authentication for wildcard certificates if that has been deemed the safest method, SSL is all about improving security, after all.<\/p>\n
What I can’t forgive is this god damn awful piece of software design that passes for the official letsencrypt tool.<\/p>\n