
You are currently reading a thread in /g/ - Technology

Thread replies: 22
Thread images: 1
What do /g/entlemen think of Let's Encrypt? (https://letsencrypt.org/)
>>
>>51718540

>wonky scripts ran as root that tweak your nginx/apache configs

I don't know man...
>>
>>51718596
>I'd rather have the NSA getting all data that is sent to and from my server
nice meme, m9 :^)
>>
>>51718674

How exactly did you construe that from what I've written?

The scripts are awful, but the will to give ssl encryption to everyone is great. I fully support it. It's just that I would advise against using their scripts. I believe there are already alternative scripts being written.
>>
>>51718596
You aren't required to use their script. There are many alternatives that don't run as root

https://github.com/diafygi/acme-tiny
>>
>>51718596
Can't you just generate the config in another file and copy the crap you need over to your actual config?
>>
>>51718596
It has a standalone/certonly mode that doesn't do anything besides validating your domain
>>
bloated.
no wildcard subdomains.
5 requests per domain every 7 days, this killed it for me for now.

I added some subdomains and now I'm locked out.


the idea behind that is great, but they desperately need wildcards.
>>
>>51720710
That would create issues with dns sites like afraid.org where a subdomain is put up publicly for people to make subdomains on though. The owner of the cert wouldn't be running the subdomain's site.
>>
>>51720756
I know, but such domains are already marked as public, right?
So they could just check that.
>>
>>51720801
You can publish, remove and republish your domain on it at will. So no...
>>
>>51720859
hence why it's put on the public domain list and banned from getting subdomain certificates.
>>
>>51718596
you don't need to use the official client, you can use a variety of alternative clients or just set it up manually

Free HTTPS certificates without having to trust the letsencrypt cli with sudo/root

https://github.com/diafygi/letsencrypt-nosudo

Let's Encrypt client and ACME library written in Go (WIP)

https://github.com/xenolf/lego

A tiny script to issue and renew TLS certs from Let's Encrypt (~200 line python script)

https://github.com/diafygi/acme-tiny/

Simple Let's Encrypt client. (crontab friendly)

https://github.com/kuba/simp_le

And this...

A Let's Encrypt web client

https://gethttpsforfree.com/
>>
>>51720710
It's not bloated and wildcard certs are being considered.
>>
>>51720979
>it's not bloated
>need to run python in a virtual environment on a production webserver as root

I'm glad alternative clients exist that are much more simple.
>>
>>51721021
is the root part going to make the official lets encrypt client an Achilles heel?
>>
>>51721050
maybe it's just a personal preference, but I really don't like to run arbitrary scripts as root that I didn't write myself that have the purpose of changing my webserver configs.

If it runs on a different machine, fine, I don't care.

Still the client needs a lot of work.
I want 3 independent certificates, and (doing this in a loop for every domain) every time the virtual environment checks for updates, which takes quite a while.

They might fix all this after the beta, we'll see.
>>
>>51719793
Or just generate a key and receive a certificate for it. Looks like >>51718596 read about the extra convenience features of the official script and didn't stop to think if they were optional or not.
>>
>>51721130
The official client is mostly for reference and convenience for people who don't know what they're doing. If you don't require your client to install packages and set up your webserver for you, you shouldn't be using the official client at all, much less complaining about it.

If the official client doesn't fit your needs, don't use it. There are many alternatives that you're expected to use if they work better for you.
>>
>>51718540
The official client is shit, but the general concept is brilliant and there are plenty of other clients.

I'm waiting for ECDSA secp256r1 or EdDSA Ed25519 support to actually roll it out, which is coming later next year. Then it's going on my live servers.
>>
>>51721280
I've been reading the forum quite a lot lately and I'm amazed how many people manage servers and have no idea what they are doing.

I'm not sure I like them catering mostly to people who just can't read the documentation.
>>
>>51722581
>I'm not sure I like them catering mostly to people who just can't read the documentation.
It's called catering to the majority.

The competent people don't need to be catered to. They can handle things themselves.