I saw the letsencrypt client has an API and can be extended by plugins, so I started wondering what the scope of such plugins is.
Apparently there are letsencrypt-apache and letsencrypt-nginx plugins which set up your web server configuration.
Is that the only thing plugins will be used for, or might they have other uses as well?
Will plugins come bundled with the client or do you need to manually install them?
Sorry if this has been answered somewhere, I just couldn’t find anything about the general idea of plugins.
There are two kinds of things that plugins can do: they can prove to the CA that you control a domain, and they can install (deploy) a certificate after it’s issued. These pieces of functionality can be related because both of them can require changing the configuration of some other server software on your machine (such as a web server).
We’re interested in having more plugins available in the future that would help deploy certificates in other server software, like other web servers (such as lighttpd) and mail servers (such as Exim).
It’s not clear yet whether some plugins will be installed separately from the main client; that’s probably up to the people who package the Let’s Encrypt client for particular operating systems. For example, there might be separate packages for the Nginx and Apache plugins. It probably depends on what the operating system packagers think would be clearest and most useful for the users.
For the time being our plan is to ship any plugin that’s ready, with the main distribution. If one day there are plugins that we are disinclined to ship for some reason, we can begin evaluating any steps that may be required to make them conveniently pluggable.
Wait, your FAQ says that your certificates can’t be used to encrypt mail. But there are lots of ways of encrypting mail: GPG, and S/MIME in the client, and DKIM in the server, and TLS at transport time. Presumably your certificates are suitable for SMTP over TLS, and maybe for DKIM signatures? Am I right?
Presumably your certificates are suitable for SMTP over TLS, and maybe for DKIM signatures? Am I right?
Plugins for mail servers would help you set up TLS with your mail server, but as you pointed out yourself, TLS encrypts transport, not the mail itself (like GPG or S/MIME do).
@ianeiloart: You are correct, it’s entirely possible to use a Let’s Encrypt certificate for SMTP over TLS (or, relatedly, SMTP with STARTTLS). However, our client doesn’t currently help to set that up.