Is this nginx use case supported?


#1

Hello!

My question is whether Let’s Encrypt will support the following use case, which I consider quite common:

  • multiple sites served with SNI
  • nginx with non-default install path
  • nginx with hand-tailored site configurations
  • custom central certificate folder
  • need for quick SAN changes in certificates (re-issue?)
  • need for long default certificate lifetime/validity
  • no automatic fiddling around in my site or server config

with expected work flow(s):

  • issue certificates for a manually populated SAN list plus automatic ownership test
  • issue certificate with predefined file name to custom certificate folder
  • renewal overwrites exactly the aforementioned file(s)
  • SAN change process does not change file name or file name is easy to configure
  • S̶A̶N̶ ̶c̶h̶a̶n̶g̶e̶ ̶a̶u̶t̶o̶m̶a̶t̶i̶c̶a̶l̶l̶y̶ ̶r̶e̶v̶o̶k̶e̶s̶ ̶p̶r̶e̶v̶i̶o̶u̶s̶ ̶c̶e̶r̶t̶i̶f̶i̶c̶a̶t̶e̶s̶ ̶m̶a̶t̶c̶h̶i̶n̶g̶ ̶t̶h̶e̶ ̶f̶i̶l̶e̶ ̶n̶a̶m̶e̶ (EDIT, not required)

Although this looks highly specific, this might be a use case common to development environments and/or manually configured VPS environments serving different domains via SNI. I want to control as much as possible and simply use Let’s Encrypt to get certificates without the usual renewal/revocation work flow struggle.

Thank you very much for your answer.

Best regards,
jand


#2

For that, keep an eye on the pull request for the letsencrypt client plugin called webroot authentication. Using the webroot domain verification method works quite well on my non-standard Centmin Mod LEMP Nginx web stack: https://community.centminmod.com/threads/letsencrypt-free-ssl-certificates-with-web-root-authentication-method.4635/


#3

Certificates will always be valid for 90 days, at least at launch time.

This is possible with the manual mode.

I don’t know if that folder (/etc/letsencrypt) can be modified.

Renewal will currently not overwrite any files but change symlinks instead; the old certificates will still be available.
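One way to get the fixed-file-name workflow asked for in #1 on top of the webroot method (#2) and the symlink-based renewal described in #3, as an added example that is not code from this thread or from the Let’s Encrypt project: a certbot deploy hook that copies the renewed lineage into a hand-managed certificate folder under names that never change, so site configs are never touched. It assumes a certbot release that supports --webroot, --cert-name and --deploy-hook (which exports RENEWED_LINEAGE to the hook); the folder /etc/ssl/sites and the NAME.crt/NAME.key naming are assumptions of this example.

```shell
#!/bin/sh
# Deploy hook for certbot (assumed invocation, not from the thread):
#   certbot certonly --webroot -w /var/www/html -d a.example -d b.example \
#       --cert-name example --deploy-hook /usr/local/sbin/install-cert.sh
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example)
# when it runs the hook after a successful issue or renewal.
set -eu

# Assumed central certificate folder; override via the environment.
CERT_DIR="${CERT_DIR:-/etc/ssl/sites}"

# install_cert LINEAGE_DIR NAME TARGET_DIR
#   Copies fullchain.pem and privkey.pem from LINEAGE_DIR to
#   TARGET_DIR/NAME.crt and TARGET_DIR/NAME.key. The names stay fixed
#   across renewals and SAN changes, so nginx config never changes.
install_cert() {
    lineage="$1"; name="$2"; target="$3"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    mkdir -p "$target"
    old_umask=$(umask)
    # Key is written 0600; write to temp files, then rename, so a
    # reader never sees a half-written key or a missing file.
    umask 077
    cp "$lineage/privkey.pem" "$target/$name.key.tmp"
    umask 022
    cp "$lineage/fullchain.pem" "$target/$name.crt.tmp"
    umask "$old_umask"
    mv -f "$target/$name.key.tmp" "$target/$name.key"
    mv -f "$target/$name.crt.tmp" "$target/$name.crt"
    return 0
}

# Validate the config before reloading: a bad reload would take down
# every SNI site served by this nginx at once.
reload_nginx() {
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && nginx -s reload
    fi
}

# When run by certbot, derive NAME from the lineage directory name.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" "$(basename "$RENEWED_LINEAGE")" "$CERT_DIR"
    reload_nginx
fi
```

Because the copy reads through the live/ symlink, the old certificate files certbot keeps in archive/ are left untouched, while the files nginx points at are replaced in place.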


#4

Thank you very much, I appreciate your answers.

A little digging around on this site helped isolate the biggest concern. It seems as if at least the flexibility aspect of my use case will (some day) be served - but the stance on the certificate lifetime is a show-stopper.

From my point of view the 90-day lifetime is only acceptable in fully automated environments and requires a tremendous amount of trust in Let’s Encrypt and the client quality. Trust in the latter cannot really be achieved without each company using it sinking many man-hours into code evaluation.

I still like the idea of Let’s Encrypt, but in the near future there is no way I would recommend the product to any project beyond the scope of what were “animated gif hell” GeoCities sites back then.

Please keep up your good work - maybe in a few years you will have proven me wrong.

Best regards,
jand