Very well said, Dave.
I was going to send a more heated email about this last night, but refrained from doing so. You explained my position in a much more elegant manner! Like anything tech, Letsencrypt isn’t perfect, but in this day and age of free SSL certificates, there’s little to no reason not to be using it. Tylor Newman Linux Systems Administrator Email: <mailto:tylo...@tylor.me> tylo...@tylor.me From: Dave Warren <d...@thedave.ca> Sent: Friday, October 26, 2018 11:26 PM To: mailop@mailop.org Subject: Re: [mailop] Expires SSL cert for mailop On Fri, Oct 26, 2018, at 19:29, Noel Butler wrote: Problem with letsencrypt is their preferred and insisted " certbot " - does not run (easily at least) on all flavours.. I gave up with it on slackware which is what my servers run, tried using Crypt::LE and voila instant success, it was painless to use even for (tested at least) renews, although it requires a working webserver so come time to replace my comodo's on my MX's, will give me another challenge :) https://letsencrypt.org/docs/client-options/ does recommend starting with Certbot, but it certainly makes it clear that there are alternative options: "If certbot does not meet your needs, or you’d simply like to try something else, there are many more clients to choose from below" You also don't need to generate your certificate on the same machine that hosts the services using the certificates. It can either increase or reduce complexity depending on the particulars of your environment, but I generate most of my certificates centrally using DNS based authorization and either push or pull the certificates based on what is appropriate. It is an imperfect world, and this definitely applies to Let's Encrypt's documentation, but I've had good success building on top of what is already out there to get a custom solution when I don't see a perfect cookiecutter fix.
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
