Thanks to all the people smarter than me who commented on my previous thread seeking clarity on what steps the Certbot client goes through when requesting and managing LE certs.
As part of that discussion, I realized that there is a measurable amount of ambiguity among extremely talented developers re: many aspects of the Let's Encrypt and Certbot world. I'm not nearly as smart as most of the people in that thread, so it made me feel a little bit better.
I also realized that Certbot might not be the best solution for SlickStack, my open source bash script project for deploying LEMP stack WordPress servers.
A major feature of SlickStack is that it only supports a single TLD domain per KVM cloud server; this is purposeful and is meant to improve security and usability in a world of ever-cheaper web hosting. I've realized a side benefit of this approach is that fewer same-IP requests are sent to the Let's Encrypt servers (for whatever that is worth), which in some cases might help avoid rate limits or other issues.
But in my linked thread above, some of you suggested using acme.sh instead of Certbot if the goals of my project were to maintain a very lightweight server stack; it seems Certbot is increasingly focused on automatic file management for general web hosting providers, such as cPanel/Apache providers who don't mind some bloat and don't want to manually request/renew/manage their LE SSL certs... it also made me realize that I haven't spent enough time over the past few years trying to understand where Certbot ends and where Let's Encrypt begins -- both technically, and otherwise.
So, again, leveraging the incredible knowledge in this community... I'm hoping a few people might suggest whether SlickStack should use Certbot (Ubuntu-friendly, more automation, but more bloat) or another lighter client such as acme.sh or otherwise... in particular, I'm wondering if there are any other lightweight clients that are well-maintained which could help achieve my goals of the following:
- Requires as few files/dependencies as possible
- Meant for sysadmins who prefer setting their own cron jobs for SSL renewals (etc)
- Not meant for automatic modification of Nginx configuration
- Supports custom location of cert files/keys
- Supports DNS verification AND web root verification from Let's Encrypt
- Well-maintained and/or sponsored
Could I just "check Google"... yes, I could, but I just learned an incredible amount of things on my last thread that otherwise would have taken me months of discovery. Thanks for your time, folks!