Recommended certbot alternative(s) for Debian 8?

I understand that certbot is not supported under Debian 8, per this discussion:

We do not have the time or resources to upgrade our Debian 8 host (which, by the way, is working fine and doesn't need any Debian support), and therefore, we're looking for a certbot alternative that we can run on this host.

There are numerous alternatives listed here:

However, I'm posting this query to ask if anyone has been successful running one or more of these on a Debian 8 host. Specifically, we want to be able to use something akin to a "manual-auth-hook" which looks at DNS TXT records for authorization. We do not want to authorize via the "well-known" web-server methodology. We also need wildcard registration.

Again, due to resource constraints, we would be greatly appreciative of any recommendations, so that we can narrow down our search and won't have to spend the time to evaluate several dozen alternatives.

Thank you very much in advance.

1 Like

Hello @HippoMan,

I personally recommend acme.sh, it's a bash client so it will work out of the box on your Debian 8 (I'm using it on Debian 8 too). It has a lot of dns plugins and it should be "easy" to create your own dns plugin if none of the already created dns plugins fit your needs.

Cheers,
sahsanu

2 Likes

Thank you!!

Your recommendation has saved me hours of investigation.

Once I get acme.sh working on my Debian 8 system, I will probably also put it into place on my other hosts (Debian 10 and Ubuntu 20), so I can stop using certbot altogether.

3 Likes

While I also appreciate acme.sh, do note that the documentation of acme.sh is sometimes a little bit sparse and/or difficult to find. However, there are a few great how-tos for it too on the GitHub Wiki.

Also, there isn't as much experience with acme.sh on this Community compared to certbot, so if you require help on this Community, you might not get as much or as fast help as you would otherwise get. Although every volunteer would do his and/or her best nonetheless.

4 Likes

I got acme.sh working under Debian 8. It handles the "manual" TXT-record authentication as well as wildcard domains. Thank you again, to all!

In case anyone is interested, over the next few days I'll be writing an expect script which runs acme.sh in manual mode, captures the UID's, and feeds them to a script which I use to update the appropriate TXT records in my DNS repo ... and then waits a little while for DNS propagation, after which it will run the acme.sh "renew" command.

In other words, this expect script will further automate the "manual" acme automation.

I will post that expect script here in a few days, if anyone is interested.

2 Likes

I'm glad you got it working, but I think it is easier to develop a dns-plugin instead of dealing with a manual approach, then using expect, etc., and then launching acme.sh again to "renew", but if that approach is working for you, go ahead :wink:

3 Likes

I'm not familiar with the mechanics of a DNS plugin. I'll investigate that, and then I'll decide how I want to go.

FOLLOW-UP: Hmm ... it seems that the DNS plugin is meant to be used with certbot, but certbot doesn't even run on my Debian 8 box ...

# ./certbot-auto 
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.

I paste again the link to the guide to create a dns-plugin for acme.sh:
https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide

And here a template to start:
https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_myapi.sh

3 Likes
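The acme.sh DNS plugin approach linked above, as an added example that is not part of any post in this thread and is not acme.sh's own code. acme.sh calls `dns_<name>_add` and `dns_<name>_rm` with the record name and the TXT value; the plugin name `dns_txtfile`, the `TXTFILE_PATH` variable and the one-record-per-line file format are hypothetical stand-ins for whatever updates your own DNS repo. It also covers the wildcard case, where two TXT values share one record name.

```shell
#!/usr/bin/env sh
# Added example: hypothetical acme.sh DNS plugin "dns_txtfile".
# TXTFILE_PATH and the 'name TXT "value"' line format are assumptions;
# replace the file writes with calls to your own DNS update tooling.

# acme.sh provides _info/_err; fall back to echo when run outside it.
command -v _info >/dev/null 2>&1 || _info() { echo "$@"; }
command -v _err >/dev/null 2>&1 || _err() { echo "$@" >&2; }

TXTFILE_PATH="${TXTFILE_PATH:-./acme-challenge.txt}"

_txtfile_valid() {
  # Accept only hostname characters and base64url token characters, so a
  # malformed value cannot inject extra records into the file.
  case "$1" in '' | *[!A-Za-z0-9._-]*) return 1 ;; esac
  case "$2" in '' | *[!A-Za-z0-9_-]*) return 1 ;; esac
  return 0
}

dns_txtfile_add() {
  fulldomain="$1"; txtvalue="$2"
  _txtfile_valid "$fulldomain" "$txtvalue" || { _err "invalid input"; return 1; }
  line="$fulldomain TXT \"$txtvalue\""
  # example.com plus *.example.com puts two values on the same name:
  # append, never overwrite, and skip exact duplicates.
  grep -qxF -- "$line" "$TXTFILE_PATH" 2>/dev/null || echo "$line" >>"$TXTFILE_PATH"
  _info "added TXT for $fulldomain"
}

dns_txtfile_rm() {
  fulldomain="$1"; txtvalue="$2"
  _txtfile_valid "$fulldomain" "$txtvalue" || { _err "invalid input"; return 1; }
  [ -f "$TXTFILE_PATH" ] || return 0
  line="$fulldomain TXT \"$txtvalue\""
  # Remove only this token; the sibling challenge may still be pending.
  tmp="$TXTFILE_PATH.tmp.$$"
  grep -vxF -- "$line" "$TXTFILE_PATH" >"$tmp" || true
  mv "$tmp" "$TXTFILE_PATH"
  _info "removed TXT for $fulldomain"
}
```

Saved as `dns_txtfile.sh` in acme.sh's `dnsapi` directory, a plugin of this shape is selected with `--dns dns_txtfile` in place of manual mode.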

No no, I'm talking about the dns plugins used by acme.sh not the dns plugins used by certbot :slight_smile:

1 Like

Oh! Thank you. I'll check it out.

1 Like

This might be of interest

1 Like
