Is this nginx use case supported?


My question is, if Let’s Encrypt will support the following use case which i consider quite common:

  • multiple sites served with SNI
  • nginx with non-default install path
  • nginx with hand-tailored site configurations
  • custom central certificate folder
  • need for quick SAN changes in certificates (re-issue?)
  • need for long default certificate lifetime/validity
  • no automatic fiddling around in my site or server config

with expected work flow(s):

  • issue certificates for a manually populated SAN list plus automatic ownership test
  • issue certificate with predefined file name to custom certificate folder
  • renewal overwrites exactly the before mentioned file(s)
  • SAN change process does not change file name or file name is easy to configure
  • S̶A̶N̶ ̶c̶h̶a̶n̶g̶e̶ ̶a̶u̶t̶o̶m̶a̶t̶i̶c̶a̶l̶l̶y̶ ̶r̶e̶v̶o̶k̶e̶s̶ ̶p̶r̶e̶v̶i̶o̶u̶s̶ ̶c̶e̶r̶t̶i̶f̶i̶c̶a̶t̶e̶s̶ ̶m̶a̶t̶c̶h̶i̶n̶g̶ ̶t̶h̶e̶ ̶f̶i̶l̶e̶ ̶n̶a̶m̶e̶ (EDIT, not required)

Although this looks highly specific, this might be a use case common to development environments and/or manually configured VPS environments serving different domains via SNI. I want to control as much as possible and simply use Let’s Encrypt to get certificates without the usual renewal/revocation work flow struggle.

Thank you very much for your answer.

Best regards,

for that keep an eye on pull request letsencrypt client plugin called webroot authentication Using the webroot domain verification method - #4 by eva2000 - works quite well on my non-standard Centmin Mod LEMP Nginx web stack :slight_smile:

Certificates will always be valid for 90 days, at least at launch time.

This is possible with the manual mode.

I don't know if that folder (/etc/letsencrypt) can be modified.

Renewal will currently not override any files but change symlinks instead, the old certificates will still be available.


Thank you very much, i appreciate your answers.

A little digging around on this site helped isolate the biggest concern. It seems as if at least the flexibility aspect of my use case will (some day) be served - but the stance on the certificate lifetime is a show-stopper.

From my point of view the 90 day lifetime is only acceptable in fully automated environments and requires a tremendous amount of trust in Let’s Encrypt and the client quality. Trust in the latter can not really be achieved without many man-hours of each using company being sunk into code evaluation.

I still like the idea of Let’s Encrypt, but in the near future there is no way i would recommend the product to any project beyond the scope of what were “animated gif hell” geocity sites back then.

Please keep up your good work - maybe in a few years you will have proven me wrong.

Best regards,

1 Like