[bug#26685] certbot service experience
From: Christopher Allan Webber
Subject: [bug#26685] certbot service experience
Date: Tue, 24 Oct 2017 10:25:09 -0500
User-agent: mu4e 0.9.18; emacs 25.3.1

Leo Famulari writes:
> On Thu, Jul 27, 2017 at 07:30:48PM +0200, Tobias Geerinckx-Rice wrote:
>> If nobody objects, I'd like a few days to play with this before it gets
>> merged. It's a fine service, but I think it privileges the ‘--webroot’
>> plugin too much (‘-w’ is a plugin-specific option, not global). I'd
>> rather not have my mail box spin up nginx...
>
> I agree that we should, in the long run, offer a more generalized ACME
> client service.
>
> However, the --webroot method is not specific to any of the other
> plugins. Instead, it is a general purpose method of obtaining and
> renewing signed x509 certificates with a running webserver. Certbot
> requires no server-specific configuration with this method, and the
> server only needs to be configured to serve a particular directory which
> will contain the temporary cryptographic "challenge" file. It's not a
> very tight coupling.
>
> Since serving HTTPS is, in practice, one of the primary use cases for
> the x509 CA system (as opposed to self-signed certs), I think we should
> add the service as-is and let people generalize it as they see fit later
> on.

Sounds like the right approach to me.

I'll add a note about the service configuration possibly being unstable
to the docs and push this today. I just did a rebase on my end.
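
The webroot exchange described in the quoted text above, as an added example that is not part of the thread and is not Certbot or Guix code: the client writes a temporary challenge file under the served directory, any static web server exposes it, and the CA side fetches it over HTTP. The function names, the token and the thumbprint string are constructed for illustration, and Python's standard-library file server stands in for nginx.

```python
import http.server, pathlib, re, tempfile, threading, urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"  # path fixed by ACME HTTP-01 (RFC 8555)
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")      # base64url alphabet only

def place_challenge(webroot, token, key_authorization):
    """Client side: drop the challenge file into the directory the server serves."""
    if not TOKEN_RE.fullmatch(token):
        # Never build a filesystem path from a token with separators or dots.
        raise ValueError("token is not base64url; refusing to build a path from it")
    target = pathlib.Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization)
    return target

def serve_webroot(webroot):
    """Server side: no ACME knowledge at all, just static files from one directory."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=str(webroot))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def validate(port, token, expected):
    """CA side: fetch the file over plain HTTP and compare with the expected value."""
    url = f"http://127.0.0.1:{port}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    with opener.open(url, timeout=5) as resp:
        return resp.read().decode().strip() == expected

def demo():
    token = "constructed-token_123"                    # constructed sample value
    key_auth = token + "." + "constructed-thumbprint"  # token.thumbprint form
    with tempfile.TemporaryDirectory() as webroot:
        server = serve_webroot(webroot)
        try:
            challenge = place_challenge(webroot, token, key_auth)
            ok = validate(server.server_address[1], token, key_auth)
            challenge.unlink()                         # the challenge file is temporary
            return ok
        finally:
            server.shutdown()
            server.server_close()

if __name__ == "__main__":
    print("challenge validated:", demo())
```

The only contract between the two sides is the directory path, which is why the web server needs no plugin-specific configuration.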