Is this nginx use case supported?

Hello!

My question is whether Let’s Encrypt will support the following use case, which I consider quite common:

  • multiple sites served with SNI
  • nginx with non-default install path
  • nginx with hand-tailored site configurations
  • custom central certificate folder
  • need for quick SAN changes in certificates (re-issue?)
  • need for long default certificate lifetime/validity
  • no automatic fiddling around in my site or server config

with expected workflow(s):

  • issue certificates for a manually populated SAN list plus automatic ownership test
  • issue certificate with predefined file name to custom certificate folder
  • renewal overwrites exactly the aforementioned file(s)
  • SAN change process does not change file name or file name is easy to configure
  • SAN change automatically revokes previous certificates matching the file name (EDIT, struck out: not required)

Although this looks highly specific, this might be a use case common to development environments and/or manually configured VPS environments serving different domains via SNI. I want to control as much as possible and simply use Let’s Encrypt to get certificates without the usual renewal/revocation workflow struggle.

Thank you very much for your answer.

Best regards,
jand

For that, keep an eye on the pull request for the letsencrypt client plugin called webroot authentication (Using the webroot domain verification method - #4 by eva2000). It works quite well on my non-standard Centmin Mod LEMP Nginx web stack: https://community.centminmod.com/threads/letsencrypt-free-ssl-certificates-with-web-root-authentication-method.4635/ :slight_smile:

Certificates will always be valid for 90 days, at least at launch time.

This is possible with the manual mode.

I don't know if that folder (/etc/letsencrypt) can be modified.

Renewal will currently not overwrite any files but change symlinks instead; the old certificates will still be available.

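One way to get the fixed-file-name, custom-folder behaviour asked for above on top of the symlink layout described in this answer is a small install script run after each renewal. This is an added example, not code from the thread or from the Let’s Encrypt client; it assumes the live directory contains `fullchain.pem` and `privkey.pem` symlinks that the client repoints on renewal, and the destination paths and names are placeholders.

```shell
#!/bin/sh
# Added example: install the certificate a renewal currently points to into
# a custom folder under a fixed file name, so hand-written nginx configs keep
# referencing the same paths. Assumed layout (not stated in the thread):
# LIVE_DIR/fullchain.pem and LIVE_DIR/privkey.pem are symlinks the client
# repoints on renewal.
set -eu

# cert_changed LIVE_DIR DEST_DIR NAME
# Returns 0 when the installed files differ from what LIVE_DIR points to
# (i.e. a renewal happened), 1 when they are already current.
cert_changed() {
    live="$1"; dest="$2"; name="$3"
    if cmp -s "$live/fullchain.pem" "$dest/$name.crt" &&
       cmp -s "$live/privkey.pem" "$dest/$name.key"; then
        return 1
    fi
    return 0
}

# install_cert LIVE_DIR DEST_DIR NAME
# Copies the symlink targets into DEST_DIR/NAME.crt and DEST_DIR/NAME.key,
# writing to temp files and renaming so nginx never reads a half-written
# file. The key is created with mode 0600 from the start.
install_cert() {
    live="$1"; dest="$2"; name="$3"
    for f in fullchain.pem privkey.pem; do
        [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    tmp_crt="$dest/.$name.crt.tmp"; tmp_key="$dest/.$name.key.tmp"
    rm -f "$tmp_crt" "$tmp_key"
    cat "$live/fullchain.pem" > "$tmp_crt"        # cat follows the symlink
    ( umask 077; cat "$live/privkey.pem" > "$tmp_key" )
    chmod 0644 "$tmp_crt"
    chmod 0600 "$tmp_key"
    mv -f "$tmp_crt" "$dest/$name.crt"
    mv -f "$tmp_key" "$dest/$name.key"
}

# Intended cron use (paths are placeholders):
#   ./install-cert.sh /etc/letsencrypt/live/example.com /etc/ssl/sites example.com \
#       && nginx -s reload
# With arguments, install only if something changed and report via exit
# status (0 = installed, 3 = unchanged) so the caller can skip the reload.
if [ $# -eq 3 ]; then
    if cert_changed "$1" "$2" "$3"; then install_cert "$1" "$2" "$3"; else exit 3; fi
fi
```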

Thank you very much, I appreciate your answers.

A little digging around on this site helped isolate the biggest concern. It seems as if at least the flexibility aspect of my use case will (some day) be served - but the stance on the certificate lifetime is a show-stopper.

From my point of view the 90-day lifetime is only acceptable in fully automated environments and requires a tremendous amount of trust in Let’s Encrypt and the client quality. Trust in the latter cannot really be achieved without many man-hours from each company using it being sunk into code evaluation.

I still like the idea of Let’s Encrypt, but in the near future there is no way I would recommend the product to any project beyond the scope of what were “animated gif hell” GeoCities sites back then.

Please keep up your good work - maybe in a few years you will have proven me wrong.

Best regards,
jand
