by cutler 2763 days ago
Great, so every 3 months when I have to manually renew all the LetsEncrypt certs I manage for clients I know it's giving them zero protection. Kinda reminds me of the British Government's decision to insert road humps into all the roads in the towns and cities of the land just to deter speeding drivers. All it produced was more work for garages mending damaged exhaust pipes.
3 comments

Why haven't you automated it? It's not exactly hard to automate the renewal, that's the great thing about letsencrypt, and the whole point about the 3 month period is to encourage you to automate this stuff.
Not possible because the domains are pointed to the webserver from a different host. It has to be done manually with:

`certbot certonly -d $1 -d www.$1 --manual --preferred-challenges dns-01`

The TXT records have to be edited manually, then checked with DNS Toolbox. Once visible, certbot can be allowed to process.
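
The "check that the TXT record is visible" step from the comment above, as an added example that is not part of the thread: a small script that polls for the dns-01 value certbot displays and returns once it is published. The script name, the retry count and the optional resolver argument are assumptions; it needs `dig` and is run once per name requested with `-d`.

```shell
#!/bin/sh
# Added example: wait until a dns-01 TXT value is visible before letting
# certbot continue. Assumed usage:
#   sh wait-txt.sh example.com VALUE_SHOWN_BY_CERTBOT [resolver-ip]

# TXT record name for a domain; a wildcard name uses the base domain's record.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# txt_has_value EXPECTED DIG_OUTPUT
# True if one TXT answer equals EXPECTED exactly. dig +short prints each answer
# on its own line, quoted, and may split one answer into several quoted strings.
txt_has_value() {
    printf '%s\n' "$2" | tr -d '" ' | grep -Fxq -- "$1"
}

# wait_for_txt DOMAIN EXPECTED [RESOLVER]: polls every 30 s, up to 20 tries.
wait_for_txt() {
    name=$(challenge_name "$1")
    tries=0
    while [ "$tries" -lt 20 ]; do
        answers=$(dig +short TXT "$name" ${3:+@"$3"})
        if txt_has_value "$2" "$answers"; then
            echo "visible: $name"
            return 0
        fi
        tries=$((tries + 1))
        sleep 30
    done
    echo "not visible after $tries tries: $name" >&2
    return 1
}

# Only poll when called with a domain and a value.
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

The exact-match comparison matters during renewal, when an old challenge value may still be published alongside the new one.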

Any reason you couldn't use the http-01 challenge? I think there are thousands of people who are using LetsEncrypt and have automated it successfully. So whatever you just said,

> all the LetsEncrypt certs I manage for clients

... if this contains some technical reason why it won't work, I think that's the problem.

But I'd be more inclined to believe you if you just told me that, your clients periodically need your assistance for other things, but they weren't going to call because as every good salesperson knows, "if you don't call, they don't come"... and since they trust you already, this is a reliable door-opener that gets you back into their offices, where you get to bill for something, even if this time they didn't need anything else... it gets you valuable face time and a pretty reliable, even if only nominal, payday.

If that's not it, then tell me that's not it, but... I think that's what you're doing. (And there's nothing wrong with that.)

> Great so every 3 months when I have to manually renew all the LetsEncrypt certs I manage for clients I know it's giving them zero protection.

I'm not sure I understand how a server certificate was supposed to provide protection against an entirely unrelated server hosting a phishing website.

Why are you manually renewing letsencrypt certs?

The point of the 3 month limit is to encourage you to set up automatic renewal.

That's only possible when the domain is hosted on the same network as the site. Doesn't apply in this case. See above.