I just want a certificate

My1, Yes, of course you are correct. Thank you for the correction. I presume, since this is the only point that you corrected, that all the rest of my statements are true. This is good, because I did want to be helpful.

Well, in ideal cases the sentences from the same post are not wrong, but the problem is "do you really want to run a script that can automatically mess with your certs and (depending on configuration) mess with your server?"
I personally don't really want that, especially not on a public-facing server. I'd rather have my own CA (greetings from DANE) on a separate server (say, a raspi) which gets a CSR, then signs the CSR and then pushes the cert back to the server, which then does its stuff itself. There won't be any need for such a long script that needs sudo; sudo will only be needed to push back the cert and restart/reload the server, and since all of it is shorter it will be easier to check the code.
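The split described in the post above (key and CSR on the web server, signing on a separate CA host), sketched with the openssl CLI as an added example. It is not code from the thread; the function names, `demo-ca` and `www.example.test` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: separate-CA signing flow. All names and paths are constructed.
set -euo pipefail

make_ca() {      # CA host, run once: self-signed root, key stays on this host
  local dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

make_csr() {     # web server: the private key is generated here and never leaves
  local dir=$1 host=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
}

sign_csr() {     # CA host: receives only the CSR
  local cadir=$1 csr=$2 host=$3 out=$4
  # The CA sets the name and usage itself instead of copying whatever
  # extensions the CSR asks for.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$cadir/ext.cnf"
  # x509 -req also checks the CSR self-signature and fails if it does not match.
  openssl x509 -req -in "$csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$cadir/ext.cnf" -out "$out" 2>/dev/null
}

check_cert() {   # web server: run before installing and reloading
  local cacrt=$1 key=$2 crt=$3 a b
  # 1. The returned cert must chain to the expected CA.
  openssl verify -CAfile "$cacrt" "$crt" >/dev/null 2>&1 || return 1
  # 2. Its public key must be the one belonging to the local private key.
  a=$(openssl pkey -in "$key" -pubout | openssl sha256)
  b=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  [ "$a" = "$b" ]
}
```

Only the install-and-reload step after `check_cert` succeeds needs elevated rights on the web server.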

Yeah, that works for internal devices.

But as for all my "other" setups, they are outside my network.
That would require me to open up their web-config to the Internet, and that I see as a larger security issue than the self-signed cert. (Yeah, some of them are actually run on Debian machines, on which I could set up SSH...)
Also, all the time needed to code these scripts, and run this "LE" server, would be way more 'expensive' than to just pay up for a basic 3yr cert.

Also, running the "LE" server = another big point of failure introduced. That one needs to be in shape & maintained.

Then some day someone pushes the "plz upgrade to latest firmware" button on their setup, and the webinterface has changed... => my script breaks, no cert renewal, .... well, you get the point.
It just seems like a highway to headache! :stuck_out_tongue:

I guess LE is awesome to use in, for example, development scenarios, having automated test/build systems which spawn docker containers and create new subdomains and get certs for them, just to be torn down a day later.

Sure, but I'm just disappointed. I heard about LE more than one year ago. It then stated "release Q3 2015"
Well now it's Q4 and all we have is a feature-incomplete alpha.

For personal projects you might want to check out https://www.tinycert.org/ where you can create a CA and issue certificates to yourself. They're not that different from self-signed certs, but there are instructions for adding the CA's root to the browser so any certs you issue will be trusted by that browser.

My1, Your proposal sounds interesting. Perhaps you should make it in a better place than in a comment on a comment. But I think you also need to think more deeply and express your proposal in more detail. For example "have my own CA" doesn't make much sense as it stands. It needs more detail.

But any change that makes the scripts more bulletproof would be welcomed, I'm sure.

To answer your question, yes, I wouldn't mind scripts that automatically mess with my certificates, if they have been tested and debugged in a variety of situations, just as I don't mind CPanel, WHM, and my email systems, all of which have scripts that mess with lots of data and preferences in my outward-facing Internet servers. Or do you also object to CPanel?

I think LE is a dandy idea, given enough quiet time to do a good low-level design and implementation. I also think LE shouldn't have promised such a tight schedule. That is not professional. They should have made the big announcement when their promises were already implemented and mostly debugged. That is the meaning of a Beta release.

well the problem of LE is that it is an automated script which runs with root.

I don't know much about cpanel and stuff but as far as I can think about it I don't think they don't do anything when nothing happens, they usually rely on interaction, and even though I never used cpanel, imscp and similar stuff on a server I have, if a hoster has cpanel and similar stuff then it is their choice, not mine…

I am not really against those panels but they usually do tend to have a lot of code which is hard to maintain and audit. I know that from my own authentication/security PHP class for websites, which is also probably messy enough even though I try not to make it too messy, but since I code that one myself I know what is happening inside there, so I gladly use that one even if it isn't made for working with certs.
Also I don't know much about cpanel but does it really run as root? I don't know, but this is one of the problem points of the official LE client, which has been addressed in 3rd party clients, but just making a point.

For all people who "just want a certificate" with doing very little work on their server there is one site: https://gethttpsforfree.com/

However it obviously requires you to do many things manually.
