__letsencrypt_cert rewrite and subtypes, analyse phase #57
Labels
No Label
bugfix
cleanup
discussion
documentation
doing
done
feature
improvement
packaging
Stale
testing
TODO
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: ungleich-public/cdist#57
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
facts: currently
__letsencrypt_cert
is a mess and there are many acme clients.idea:
__letsencrypt_cert
should have subtypes for every client with common interface.clients we should support:
__acme_certbot
__acme_sh
__acme_dehydrated
__acme_cdist
parameters we need:
--mail <mail-addr>
--domain <domain-name>
(multiple)--type <certbot|acme|dehydrated>
(default:certbot
)--validation <http-01:webroot=/var/www|what-ever:foo-bar>
--webroot(-path)? <path-to-webroot>
(shorthand for--validation http-01:webroot=/path/to/webroot
etc)--extra-args <args>
(multiple, pass more specific options to the backend)--webroot
or--validation
must be set, because we need validation method.not sure:
--key-path
(optional, default is/etc/ssl/private/
? not needed by certbot in some cases)--cert-path
(optional, default is/etc/ssl/certs/
? not needed by certbot in some cases)--pre-renewal-hook
(optional, multiple)--deploy-renewal-hook
(optional, multiple)--post-renewal-hook
(optional, multiple)--server
(optional, which server to use, staging or any other acme compatible server)--automatic-renewal
(boolean, not needed with some distros/clients)--standalone
(boolean, spawns built-in httpd for challange)if subtype doesn't support hook, then always throw
exit 1
?some clients doesn't have hooks, so we have to work round that. definitely pre and post hooks are needed, not sure about deploy.
what else? discuss, propose better parameter names etc.
I agree with
--type
defaulting tocertbot
. I guess that's what most users would expect.Users who want a different backend, can just use the
--type
parameter.Not sure about the
--webroot
.--validation http-01:webroot=/var/www
?Maybe
--validation
should default to standalone mode, what do you think?I'm starting to get annoyed by this, bit me again today -
__letsencrypt_cert
is somewhat broken and needs to be fixed.I'll do some priority ordering...
mentioned in merge request !873
changed the description
changed the description
changed the description
changed the description
changed the description
shortest possible working type should be something like this:
now, how we decide which backend? we don't want too complex heuristics for that.
or maybe just set
certbot
as default for--type
and call it a day. it's official client anyway :)changed the description
changed the description
changed the description
changed the description
changed the description
changed the description
changed the description
For us, support for different challenge types, i.e. DNS validation, would be really useful since we use Let's Encrypt certificates also for non-internet facing machines.
Moreover, DNS validation is required for wildcard certificates.
What do you think about having a
--validation
parameter that would accept a type and parameters for it?e.g.:
--validation http-01:webroot=/var/www
--validation dns-01:add-script=/etc/getssl/scripts/dns-add.sh,del-script=/etc/getssl/scripts/dns-del.sh
--validation alpn-01:dir=/srv/acme
A
--type
parameter should be available to select a "backend".I'm not sure about the
--standalone
parameter as not all ACME clients support a standalone mode.How about adding an
extra-args
parameter to pass more specific options to the backend?what do we win if we have type with subtypes?
how do we decide in main type which subtype to use?
what's default fallback?
changed the description