I am hosting my own servers. Until now I was getting my certificates from CAcert, but they are broke.
I need certificates for various servers (8 of them) within at least two domains. As these certificates have to be installed manually (no standard installation) I wish I could simply send the CSR and get the CRT back… Any means, or is it mandatory to use an ACME client?
Best regards,
G. H.
My domain is: multiple
I ran this command:
It produced this output:
My web server is (include version): Apache 2, mail server exim 4
The operating system my web server runs on is (include version): Debian Linux, from Wheezy to Buster
My hosting provider, if applicable, is: myself
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Yes, it is mandatory to use an ACME client. But why do the certs have to be installed manually? There's nothing about Debian, Apache, or Exim that mandates a manual installation; I'd bet millions of users have automatic issuance and renewal working in that environment.
Edit: But if you want the old-school "send a CSR and get a cert" experience, you can use this site to get your Let's Encrypt cert:
Like all Let's Encrypt certs, though, it will only be valid for 90 days, at which time you'll need to go through the same process to renew. Or get automatic issuance and renewal set up.
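For readers who want the "send a CSR, get a cert back" workflow from a shell rather than a web form, the following added script (not from this thread or from Certbot's own docs) generates a per-host key and CSR with openssl and then hands that CSR to Certbot's manual DNS-01 flow, which needs no open port 80 on the server. The host name and output directory are hypothetical; Certbot is only invoked when the script is run with the `issue` argument.

```shell
#!/bin/sh
# Added example: external key + CSR, then certbot --csr with a manual DNS-01
# challenge. Certbot never sees the private key, and nothing listens on :80.
set -e

# Generate a private key and a CSR for one FQDN (CN plus matching SAN entry).
# Usage: make_csr <fqdn> <outdir>
make_csr() {
    fqdn=$1; outdir=$2
    mkdir -p "$outdir"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    chmod 600 "$outdir/$fqdn.key"
    # Self-check: the CSR signature must verify before it is submitted anywhere.
    openssl req -in "$outdir/$fqdn.csr" -noout -verify >/dev/null 2>&1
}

# Print the SAN line of a CSR (e.g. "DNS:www.example.org") so the operator
# can confirm exactly which names will be requested from the CA.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Submit the CSR through certbot's manual DNS-01 flow. Certbot prints the
# _acme-challenge TXT record to publish, waits for confirmation, and writes
# the certificate to the given paths. Because --csr is used, certbot does
# not manage renewal: rerun this before the 90-day certificate expires.
issue_cert() {
    fqdn=$1; outdir=$2
    certbot certonly --manual --preferred-challenges dns \
        --csr "$outdir/$fqdn.csr" \
        --cert-path "$outdir/$fqdn.crt" \
        --chain-path "$outdir/$fqdn.chain.pem" \
        --fullchain-path "$outdir/$fqdn.fullchain.pem"
}

# Hypothetical host and directory; "issue" actually calls certbot.
if [ "${1:-}" = "issue" ]; then
    make_csr "${2:-mail.example.org}" "${3:-./certs}"
    csr_sans "${3:-./certs}/${2:-mail.example.org}.csr"
    issue_cert "${2:-mail.example.org}" "${3:-./certs}"
fi
```

The resulting `.crt`/`.fullchain.pem` files are then installed into Apache or Exim by hand, exactly as with a CSR sent to any other CA.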
Not nonsense, I suppose. I started as a sysadmin and developer about 40 years ago, when a mere computer was as big as a room.
Loads of machine and assembler coding then. And I worked on some pieces of security code that are still in use, I guess.
Now, automation is good as far as it is mastered. When the automated process starts doing things you are not aware of, this is bad automation, or name it bad practice.
Things can be successfully automated, of course. Like for people « running a web server » without having the smallest idea of what’s going on behind the scenes.
I am not saying this is not a « good thing » to automate for non-technical ppl.
But, it must be possible to do things manually, in control, for ppl who know what they are doing.
Like having server (single FQDN) certificates on machines with no port 80 fully opened to the Wild & Evil Internet…
Only very, very basic barebone security, see?
I remember the very first days when the Arpanet became the Internet and went public…
Everybody was extremely proud to have an email address, then. Things of the past of course.