Migrate from certbot to acme.sh: painless?

I want to migrate from certbot (macOS, MacPorts) to acme.sh (because it supports wildcard cert DNS verification via godaddy). Will acme.sh use the same structure as certbot in /etc/letsencrypt? E.g. /etc/letsencrypt/renewal-hooks/deploy? Anything I should pay attention to when I make this switch?

Nope.

I don't know if acme.sh supports such a thing, please see its documentation.

It's often not practical to migrate between ACME clients. Best to start over.

Please note that acme.sh defaults to ZeroSSL instead of Let's Encrypt.

Also note that there does exist a third party GoDaddy DNS plugin for Certbot. See certbot-dns-godaddy · PyPI for more info. Not sure how compatible that would me with Certbot installed using MacPorts.

3 Likes

It seems acme.sh is less configurable (a fixed list of deployhooks instead of a generic setup like certbot has). Too bad, I kind of liked the no-python idea of acme. Documentation is rather disorganised (and incomplete) as well, I get the impression. I have on another system already worked with certbot and the 3rd party godaddy plugin (which is of course an LCM risk which is why I liked the idea of acme.sh being a pure shell script).

1 Like

"Deploy hooks" in acme.sh are limited, as you say, to a fixed list. But "renew hooks" can point to any script or other command you like.

5 Likes

Another shell-based ACME client is Dehydrated. They have a script to migrate from Certbot, but it has a notice that it's no longer maintained, so may not work for you: Import from official letsencrypt client · dehydrated-io/dehydrated Wiki · GitHub

It does have hooks, but there's a single hook script that needs to handle all the events -- including inserting DNS records for your provider (eg, Godaddy, which has a script linked from the repo). dehydrated/dns-verification.md at master · dehydrated-io/dehydrated · GitHub

4 Likes

The major selling point for acme.sh is that it easily runs on operating systems and environments where there is no default installed Python, the available version of Python is severely out of date, or there are concerns about installing the required Certbot packages.

macOS ships with a relatively recent version of Python by default, and installing the required packages for Certbot are generally not an issue.

If you're looking to develop and test a cert system for some servers on your mac – acme.sh is a great option; if your intended usage is to actually obtain and use the certificates on your mac - Certbot is a great option.

Considering you have a functional Certbot installation, IMHO there is no real point to switching.

3 Likes

It has both.

  --renew-hook <command>            Command to be run after each successfully renewed certificate.
  --deploy-hook <hookname>          The hook file to deploy cert

and

  --reloadcmd <command>             Command to execute after issue/renew to reload the server.
3 Likes