by bigiain 3022 days ago
The 12-month validity - which means it's way more useful if you want to pin certificates in a mobile app...

How so? You pin the public key part in the cert not the whole cert itself. The key you use (should) stay the same.
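The difference between pinning the key and pinning the whole certificate, as an added Go example that is not part of this thread: it issues a self-signed 90-day certificate, renews it on the same key 60 days later, and compares both pin styles. The self-signed issuance, the host name example.test and the lifetimes are constructed stand-ins for what the CA would do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue stands in for the CA handing out a 90-day certificate for key (constructed
// for this example; in production Let's Encrypt issues it). Panics are fine in a demo.
func issue(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "example.test"}, // placeholder
		NotBefore: notBefore, NotAfter: notBefore.Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// Pins returns the HPKP-style SPKI pin base64(sha256(DER SubjectPublicKeyInfo)), which
// depends only on the key, and a pin over the whole DER cert, which changes on every renewal.
func Pins(cert *x509.Certificate) (spki, whole string) {
	s := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	w := sha256.Sum256(cert.Raw)
	return base64.StdEncoding.EncodeToString(s[:]), base64.StdEncoding.EncodeToString(w[:])
}

// PinsSurviveRenewal renews a certificate on the same key 60 days later and reports
// whether the SPKI pin and the whole-cert pin still match the renewed certificate.
func PinsSurviveRenewal() (spkiSame, certSame bool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	oldSPKI, oldWhole := Pins(issue(key, 1, time.Now()))
	newSPKI, newWhole := Pins(issue(key, 2, time.Now().Add(60*24*time.Hour)))
	return oldSPKI == newSPKI, oldWhole == newWhole
}

func main() { // prints "true false": only the SPKI pin survives the renewal
	fmt.Println(PinsSurviveRenewal())
}
```

A mobile client that embeds the SPKI pin keeps working across Let's Encrypt renewals as long as the server reuses its key; a client that embeds the certificate hash breaks at the first reissue.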
This is huge. And a killer difference. This means you can bake these certificates into Docker images as well.
PSA: Don't do this. Secrets don't belong in docker images, they belong in proper secret management tools.
I get what you mean - I would say that not everyone has a devops team and is setting up a whole bunch of infrastructure. I would rather recommend an SSL certificate baked into a Docker image (stored in a private registry) versus no HTTPS at all.

Even if you use a secrets management tool, there are very few (probably none) that can bootstrap a Let's Encrypt API. So this new one makes that possible as well.

If you want something simple, how about just installing nginx on the host to forward-proxy your Docker container?
But how is that more secure or simpler than running a Docker image?

To set up nginx on my host, I would still have to store the certificates somewhere, right?

Docker is not what is making this thing complicated.

Using nginx and a let's encrypt client on the host, the certificates are only generated and kept inside the machine itself. That's safer than baking them into the Docker image, which will be copied around.