There are two ways to get certificates when using a non-common server: standalone and manual mode.
For a first-time issuance it seems to be easiest to use the standalone mode, since there isn't a server running on port 443 yet. However, that will change once HTTPS is set up and live, because you don't want a service interruption every 60 days for renewal (assuming that the revalidation time frame will be changed to the same as reissuance, so it's always the same process instead of two different ones).
It's a non-issue to add a route serving the ACME challenge once HTTPS is set up, but how can the manual mode be automated to prevent downtime and/or expiry because it wasn't automated? Does the challenge change every time?
I'd like to make HTTPS setups very easy using our application server; the same applies to Node apps. How can we make simple components that just have to be added to the router of choice to make automation possible, where (almost) everything is configured through code instead of through easy-to-parse-and-change config files?
It depends on what validation method the manual mode is using. Currently I think it’s defaulting to SimpleHTTP, where you add a specified file to the existing web server (somewhat akin to validation processes used by some other DV CAs). That particular method shouldn’t cause downtime.
The challenge will be different every time – it’s randomly generated.
If you’re familiar with Python programming, you can customize the code in our open source client application to produce a higher level of integration with whatever kind of applications you’re working with, or to produce a somewhat different UI flow. You can make those changes privately, or, if you think they’d be generally useful, you’re welcome to contribute them back to our project.
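The SimpleHTTP flow described in the reply above, as an added example (this is not code from the Let's Encrypt client or from anyone in this thread): a small Python handler that serves `/.well-known/acme-challenge/<token>` out of the web root next to the running application, so issuance and every later renewal happen without stopping the server. The same shape can be dropped into an Express router for the Node case raised in the question. Assumptions: the ACME client writes the challenge file to `WEBROOT/.well-known/acme-challenge/<token>` and decides its contents; the `Content-Type` used for that file is an assumption (a later post in this thread names `application/jose+json`); the token in `demo()` is a constructed sample, not a real one.

```python
"""Serve ACME SimpleHTTP-style challenge files from a running web server.

Added example, not part of the Let's Encrypt client. Assumptions:
 - the ACME client drops the challenge file at
   WEBROOT/.well-known/acme-challenge/<token> (contents are its business);
 - the Content-Type for that file follows a later post in the thread
   (application/jose+json); change CHALLENGE_CONTENT_TYPE if your CA differs.
"""
import os
import re
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# The token is random and URL-safe; restricting the filename to this
# alphabet keeps "..", "/" and dot-files out of the path before we touch disk.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")
CHALLENGE_CONTENT_TYPE = "application/jose+json"  # assumption, see docstring


def challenge_path(webroot, url_path):
    """Map a request path to a file under the challenge directory.

    Returns the absolute file path, or None when the request is not a
    well-formed challenge URL (anything else is left to the normal router).
    """
    if not url_path.startswith(CHALLENGE_PREFIX):
        return None
    token = url_path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token):
        return None
    base = os.path.realpath(os.path.join(webroot, ".well-known", "acme-challenge"))
    full = os.path.realpath(os.path.join(base, token))
    # Belt and braces: refuse anything that resolved outside the challenge
    # directory (e.g. a symlink planted in the web root).
    if os.path.dirname(full) != base:
        return None
    return full


def serve_challenge(webroot, url_path):
    """Return (status, content_type, body) for a request.

    404 means "not a challenge we know about"; a real router would then fall
    through to the application's own routes.
    """
    full = challenge_path(webroot, url_path)
    if full is None or not os.path.isfile(full):
        return 404, "text/plain", b"not found"
    with open(full, "rb") as fh:
        return 200, CHALLENGE_CONTENT_TYPE, fh.read()


class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal stand-alone server; in production this is one route among many."""
    webroot = "."

    def do_GET(self):
        status, ctype, body = serve_challenge(self.webroot, self.path)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def write_challenge(webroot, token, body):
    """What the ACME client does on each run: write the freshly issued,
    random token into the web root. Returns the path written."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "wb") as fh:
        fh.write(body)
    return path


def demo(webroot=None):
    """Round trip with a constructed token; returns the three status codes
    (valid challenge, traversal attempt, unrelated path)."""
    if webroot is None:
        webroot = tempfile.mkdtemp()
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed sample
    write_challenge(webroot, token, b"constructed-challenge-body")
    ok = serve_challenge(webroot, CHALLENGE_PREFIX + token)[0]
    traversal = serve_challenge(webroot, CHALLENGE_PREFIX + "../../etc/passwd")[0]
    other = serve_challenge(webroot, "/index.html")[0]
    return ok, traversal, other


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    print(demo(root))
    ChallengeHandler.webroot = root
    HTTPServer(("127.0.0.1", 8080), ChallengeHandler).serve_forever()
```

Because the token is different on every run, nothing about the route itself changes between renewals: the client writes a new file, the CA fetches it, and the file can be deleted afterwards. The two checks in `challenge_path` (token alphabet, then `realpath` containment) are what keep a challenge route from turning into a file-disclosure endpoint on the rest of the web root.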
Basically, if you can already automate the HTTPS nginx or Apache vhost creation for a domain, you only need to pass the nginx or Apache web root for the domain in simplefs mode via the --simplefs-root flag for the SimpleHTTP file challenge to be automated:
./venv/bin/letsencrypt -a simplefs --simplefs-root /home/nginx/domains/le4.http2ssl.xyz/public --text --agree-eula -d le4.http2ssl.xyz auth
Looking forward to when that pull request gets merged.
Yup, you do. My Centmin Mod LEMP stack's auto nginx vhost generator does the HTTP and HTTPS vhost generation automatically, plus the right application/jose+json Content-Type header for the well-known URI verification file, so passing the web root to the letsencrypt client is all I need.
If you can configure the certificates that the other servers present for various SNI hosts, you should be able to use DVSNI validation in this case without having a DocumentRoot.
I wish there was a simpler solution for cases like loadbalancers that handle HTTPS encryption/decryption.
It looks like I’d have to script out something to run on each of the servers behind the loadbalancer which would be able to handle certificate renewal, then be able to update the certificate on the loadbalancer remotely. Seems like a PITA.
With a longer renewal period than 60 days (1 year), a manual process is feasible, but having to renew it every 60 days manually adds to the PITA factor.