  • When and how do I use DNS authentication?

(I'm not sure how to best put it in a FAQ style, but something about how DNS authentication requires it being API-driven since a new token will be created for each renewal, and maybe how to best work around if your DNS provider doesn't provide a handy API by using a CNAME to a DNS system that can.)


Does this do the job? Challenge Types - Let's Encrypt - Free SSL/TLS Certificates


That certainly does a pretty good job, though perhaps there could be some more help in that paragraph on CNAME delegation about some good options of where to delegate to, like acme-dns or the like.

Perhaps a big part of the FAQ (as I'm starting to envision just now) is just helping point people to the right parts of the documentation. The page you get when clicking on "Documentation" in the header is just a bulleted list; we could probably do better at helping people find which article they're looking for. (And actually, I've found it weird that "Get Help" links to this forum rather than, like, a Help page that includes the forum as one of the possible Help resources. But this is kind of getting off the topic here.) You were asking for questions that were frequently asked, and "I need to use DNS authentication but don't know how" is probably one of them. :slight_smile:
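As an added illustration of the DNS-01 points raised in this thread (not code from the original posts, from Let's Encrypt, or from acme-dns): the script below derives the TXT value the CA expects from the challenge token and the account key thumbprint (RFC 8555 section 8.4 / RFC 7638), follows a CNAME from `_acme-challenge.example.com` into a delegated zone the way a validating resolver would, and shows why the record has to be republished on every renewal. The domain names, the `a1b2c3.acme-dns.example.net` delegation target, the JWK coordinates and the tokens are all constructed for the example; the two "zones" are in-memory dictionaries standing in for a registrar-hosted zone without an API and a delegated zone that has one.

```python
"""DNS-01 walkthrough: how the TXT value is derived (RFC 8555 section 8.4),
why it changes on every renewal, and how a CNAME delegates the
_acme-challenge name to a zone that does have an API.  All zone data,
domain names and key material below are constructed for this example."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only, sorted keys, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record content = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


# Constructed account key: only its thumbprint matters here, this is not real key material.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate", "y": "constructed-y-coordinate",
               "alg": "ES256"}  # "alg" is not part of the thumbprint input


def build_zone() -> dict:
    """In-memory stand-in for two zones: the registrar-hosted zone (no API, edited
    once by hand) and a delegated acme-dns style zone the client can update."""
    return {
        # Registrar zone: a one-time CNAME delegation of the challenge name.
        "_acme-challenge.example.com": [("CNAME", "a1b2c3.acme-dns.example.net")],
        # Delegated zone: empty until the ACME client publishes a value each renewal.
        "a1b2c3.acme-dns.example.net": [],
    }


def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> tuple[str, list[str]]:
    """Follow CNAMEs as a validating resolver does; return (final name, TXT values)."""
    current = name.lower().rstrip(".")
    for _ in range(max_hops):
        records = zone.get(current, [])
        cnames = [v for rtype, v in records if rtype == "CNAME"]
        if cnames:
            current = cnames[0].lower().rstrip(".")
            continue
        return current, [v for rtype, v in records if rtype == "TXT"]
    raise RuntimeError("CNAME chain too long")


def publish_txt(zone: dict, name: str, value: str) -> None:
    """Simulated API call against the delegated zone: replace the TXT record set."""
    zone[name] = [r for r in zone.get(name, []) if r[0] != "TXT"] + [("TXT", value)]


def challenge_satisfied(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks: does a TXT at the CNAME-followed challenge name match?"""
    _, txts = resolve_txt(zone, f"_acme-challenge.{domain}")
    return dns01_txt_value(token, account_jwk) in txts


def renewal_demo() -> tuple[bool, bool, bool]:
    """Two renewals with fresh tokens.  Returns (passes before anything is published,
    passes after publishing renewal 1, renewal 2 fails on the stale record and
    passes once its own value is published)."""
    zone = build_zone()
    target, _ = resolve_txt(zone, "_acme-challenge.example.com")
    first_token = "constructed-token-renewal-1"
    before_publish = challenge_satisfied(zone, "example.com", first_token, ACCOUNT_JWK)
    publish_txt(zone, target, dns01_txt_value(first_token, ACCOUNT_JWK))
    first_ok = challenge_satisfied(zone, "example.com", first_token, ACCOUNT_JWK)
    second_token = "constructed-token-renewal-2"  # the CA issues a new token next time
    stale_fails = not challenge_satisfied(zone, "example.com", second_token, ACCOUNT_JWK)
    publish_txt(zone, target, dns01_txt_value(second_token, ACCOUNT_JWK))
    second_ok = challenge_satisfied(zone, "example.com", second_token, ACCOUNT_JWK)
    return before_publish, first_ok, stale_fails and second_ok


if __name__ == "__main__":
    print(renewal_demo())  # (False, True, True)
```

The takeaway matches the thread: the CNAME in the registrar zone is written once and never changes, while the TXT value behind it is different on every renewal, so whatever zone finally answers the `_acme-challenge` query is the one that needs an API the client can drive.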

  • Ooh! I just saw a website that doesn't have a cert and I think they should use LE to get one. What's the best way to tell them?

  • My supervisor says that we should be paying a lot of money for our cert for REASONS. I think an LE cert would work just fine for our organization. How can I convince them not to waste money on this?

  • How can I help spread the good word of what LE is doing?

  • What kind of technical support do you offer?

  • Someone is being really mean and abusive on your community forums. What do I do?

  • You have X,XXX threads about PROBLEM and you haven't fixed it yet. Why are you being so inattentive to this major problem?


Now I'm getting some really crazy suggestions in my mind:

  • Should my ACME client generate a new certificate private key for each renewal of a certificate, or should I keep using the same certificate key?

  • How often should I rotate my ACME account key?

I'm proposing these a bit tongue-in-cheek (if that's the right term), as they're probably not frequently asked and it may be that Let's Encrypt as an organization doesn't want to take a specific position on key rotation. It may actually be better to have questions asking more along the lines of "What are the pros and cons of key rotation" or something like that. Really I'm just adding them to the list since I want to satiate my own curiosity as when I tried asking about account key rotation in the past nobody really seemed to have a definitive answer, and it may be good to have documented somehow somewhere any "best practice" that should be encouraged.

(Probably I'm just bringing this thread off-topic, and further discussion about key rotation best practices should be spun off to a new thread.)


One thing I've found with FAQs is that often the people who need them most don't read them. I'm not sure there's a fix for that.


Several weeks ago my son asked me why, when he searches FAQs, his question never appears in any of them. I told him he just asks the wrong questions. :smirk: I've found the same thing over the years for different software. No matter what question I had about them, there was never anything remotely related to the question I had.

You are right though. The vast majority of people will never so much as look at a FAQ, or any guide for that matter, unless it is a last resort. Even then, they'd rather ask the question and hope for someone to give them the answer. That requires less effort on their part. Even if the answer was flashing in a sidebar, they'd ignore it thinking it was an ad.

All said and done, having an up-to-date, indexed FAQ is a vast improvement over some of those sitting out there in cyberspace.

Just asked 11 hours ago:
How to renew a certificate?
In this topic this question was asked and should be listed in the FAQ.

  • Could you point me to a link containing instructions to automate the next renewals? (for Windows Server 2019 on Google Cloud)

Indeed, I was just talking with a colleague about "what even is a FAQ?" One view is that it's a place to read the questions you didn't even know to ask. In that case, the FAQ should be short because you won't read 1000 Q's and A's. But another view is that a FAQ is a sort of alternate index to the documentation that is searchable by the question you have rather than the category of knowledge you seek. In that view, a long FAQ is great because it provides more opportunities for someone to hit the question they have in their brain - or for a keyword search with Ctrl-F to work.


A FAQ is also an authoritative form of search engine optimization (SEO) that hooks your questions (and answers) into the search engine's queries. Google is your main consumer here (if all goes well).


I've had success recently using Algolia (https://www.algolia.com/for-open-source/) to index docs for an integrated docs search in https://docs.certifytheweb.com/

[the benefit being you can split your docs over multiple pages and not have to rely on Ctrl-F]


Just wanted to second this one specifically (though the other questions are great too of course), as I posted this link in the other thread

And it just seemed… dated, with "We realize that our service is young", and now of course "automated renewal tools are widely deployed and working well". And more could be added about helping certificates not outlive domain registrations, and the general move in the industry to shorter certificates.


Ooh, good call! That post is very much due for an update.

  • I'm having trouble getting certbot (or some other client) to work, will deleting it and reinstalling it help?

  • My server got compromised / had malware installed / etc., what should I do now that my certificate and ACME account private keys may have been exposed?

(Let me know if you've had enough and aren't looking for more; the forum just warned me that I've submitted a lot of replies to this topic :slight_smile: )


Keep 'em coming! I'm pretty sure I won't be able to write answers to all of these, but I like seeing the ideas, and it's likely I'll wind up combining / taking the gist of some.