Bear in mind that this is just one man's fantasy for what he believes would make for a saner world...
I feel that certbot's usage has become overly convoluted. Perhaps taking on a little RISC might help.
Hear me out completely, please, before commenting. The following represents what would be beyond the handbook I am still drafting as information becomes firm.
For starters...
- get rid of `run`, `--keep`, `--keep-until-expiring`, `--expand` and `--duplicate`
- Rename `certonly` to `acquire`
- Rename `--dry-run` to `--test`
- Add a `clear` function to clear all settings for a certificate without erasing the certificates and keys
- Add a `backup` function to backup everything to a single file (outside the certbot directory structure)
- Add a `restore` function to restore everything from a single file (outside the certbot directory structure)
- Add a `sweep` function that sweeps everything (basically clears the entire certbot directory structure)
Mandate strict syntax:
```
certbot clear certname
certbot acquire certname authenticator "domain,name,list"
certbot install certname installer
certbot backup file
certbot restore file
```
Make certain that all used settings are saved. This includes those used for `install`.

Make `--keep-until-expiring` the default functionality that can only be overridden by `--force-renewal`.

Ensure that `renew` is coded internally to use `acquire` and `install` with the saved settings in exactly the same fashion as would be expected on the command line.

Definitively demarcate acquisition versus installation outputs in the logs.
The benefits of completely segregating the acquisition and installation processes are many. Here are but a few:
- drastically reduced acquisition of duplicate certificates
- surety that acquisition has succeeded when incrementally executing/debugging
- clear distinction between usage of authenticators and installers
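As an added example (not part of the post above and not certbot's own code), here is a sketch of what the proposed `backup` and `restore` verbs could look like as POSIX shell functions. The config root is passed as a parameter so the sketch can be exercised against a constructed directory tree; the `/etc/letsencrypt` layout, the `live/` and `renewal/` subdirectories and the file names are assumptions modelled on certbot's usual structure. The two points worth showing are that the archive is refused if it would land inside the tree it is backing up, and that file permissions on private keys survive the round trip.

```shell
#!/bin/sh
# Added example, not certbot code. Sketch of the proposed "backup"/"restore"
# verbs. ROOT is the certbot config tree (normally /etc/letsencrypt, assumed).

# cb_backup ROOT FILE: archive the whole tree into one file outside it.
cb_backup() {
    root="$1"; file="$2"
    case "$file" in
        "$root"/*) echo "refusing to write backup inside $root" >&2; return 1 ;;
    esac
    # The archive contains private keys, so create it owner-readable only.
    (umask 077 && tar -C "$(dirname "$root")" -cf "$file" "$(basename "$root")") || return 1
    # Cheap integrity check: the archive must at least be listable.
    tar -tf "$file" >/dev/null || return 1
}

# cb_restore ROOT FILE: replace the tree with the archived copy, keeping modes.
cb_restore() {
    root="$1"; file="$2"
    [ -f "$file" ] || { echo "no such backup: $file" >&2; return 1; }
    tar -tf "$file" >/dev/null || return 1   # verify before destroying anything
    rm -rf "$root"
    tar -C "$(dirname "$root")" -xpf "$file"  # -p preserves file permissions
}

# demo: round-trip a constructed tree (no real keys) and check what came back.
demo() {
    tmp=$(mktemp -d) || return 1
    root="$tmp/letsencrypt"
    mkdir -p "$root/live/example.test" "$root/renewal"
    printf 'constructed placeholder, not a real key\n' > "$root/live/example.test/privkey.pem"
    chmod 600 "$root/live/example.test/privkey.pem"
    printf 'authenticator = webroot\n' > "$root/renewal/example.test.conf"

    cb_backup "$root" "$tmp/backup.tar" || return 1
    rm -rf "$root"                              # simulate loss of the tree
    cb_restore "$root" "$tmp/backup.tar" || return 1

    # Restored files must exist, keep their content and keep mode 0600 on the key.
    grep -q 'authenticator = webroot' "$root/renewal/example.test.conf" || return 1
    [ -n "$(find "$root/live/example.test/privkey.pem" -perm 600)" ] || return 1
    rm -rf "$tmp"
    return 0
}
```

Running `demo` performs a full backup, wipe and restore inside a temporary directory and returns 0 only if the restored renewal config and key are intact with the key still mode 0600; `cb_backup` with an archive path under the config root fails before writing anything.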