by giancarlostoro 2332 days ago
One thing I would love to see in the future is the addition of LetsEncrypt support for major web servers like Nginx and Apache. I think this could go a long way. In the case of Apache it would be one of those "mod" type of packages. Someone feel free to let me know if this is already the case though, I would love to make note of it.

Edit:

Looks like Apache has one called 'md':

https://httpd.apache.org/docs/trunk/mod/mod_md.html

Your move Nginx? :)

4 comments

> One thing I would love to see in the future is the addition of LetsEncrypt support for major web servers like Nginx and Apache. I think this could go a long way.

This is not as useful as you think. In nginx you only need a couple of extra lines of configuration to let an external program issue and renew certificates independently from nginx, without reloads, etc. Definitely not worth developing a C nginx module that starts a helper process that does that just so that a few people who run nginx on a single server could get their certificates issued with only one line of configuration.

You still need to reload nginx for it to start using the new certificates. But you're right about issuing/renewing certificates. I have a small snippet like this in all my server blocks:

  location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
    root /var/www/letsencrypt;
  }

And to issue a cert (and automatically renew in the future) all I need is:

  acme.sh --issue -w /var/www/letsencrypt/ -d example.com --reloadcmd "service nginx reload"

Although recently I've been using the Cloudflare DNS option also offered by acme.sh instead of webroot mode. It doesn't make any difference in my issue workflow because the domains are already on CF DNS anyway, but it's required for wildcard certs.

I definitely agree in not seeing the added value of an nginx module over my current solution.
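
Before running the acme.sh command above it is worth confirming that the `location` block really serves the challenge directory, because HTTP-01 fails when the `-w` webroot and nginx's `root` disagree, and Let's Encrypt rate-limits failed validations. The following is an added example, not code from the thread or from acme.sh: it drops a throwaway token under the webroot and fetches it over plain HTTP the way a CA validator would. The stand-in HTTP server (`serve_webroot`, replacing nginx), the localhost port and the temporary directories are constructed for the demo; against a real host you would call `webroot_selfcheck("/var/www/letsencrypt", "http://example.com")`.

```python
import os
import secrets
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from typing import Optional, Tuple
from urllib.error import URLError

# Path under the webroot that nginx serves via `root /var/www/letsencrypt;`.
CHALLENGE_DIR = ".well-known/acme-challenge"


def write_probe_token(webroot: str) -> Tuple[str, str]:
    """Drop a random, throwaway token file into the challenge directory.
    Returns (file_name, file_content)."""
    name = secrets.token_urlsafe(16)
    content = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, name), "w", encoding="ascii") as fh:
        fh.write(content)
    return name, content


def fetch_token(base_url: str, name: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch the token over plain HTTP, as a CA validator does.
    Returns the body, or None on any error or non-200 response."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read().decode("ascii", errors="replace")
    except (URLError, OSError):
        return None


def webroot_selfcheck(webroot: str, base_url: str) -> bool:
    """True only if the exact token written into `webroot` comes back from `base_url`."""
    name, content = write_probe_token(webroot)
    try:
        return fetch_token(base_url, name) == content
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, name))


def serve_webroot(webroot: str):
    """Stand-in for nginx (constructed for the demo): serve `webroot` on an
    ephemeral localhost port. Returns (server, base_url)."""
    handler = partial(SimpleHTTPRequestHandler, directory=webroot)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def demo() -> Tuple[bool, bool]:
    """Run the check against the directory the server serves and against another
    directory, i.e. the misconfiguration where `-w` and `root` disagree."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        srv, base_url = serve_webroot(served)
        try:
            good = webroot_selfcheck(served, base_url)  # token served from the right root
            bad = webroot_selfcheck(other, base_url)    # token written where nothing serves it
        finally:
            srv.shutdown()
            srv.server_close()
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print(f"matching webroot: {good}, wrong webroot: {bad}")
```

The check compares the full token body rather than just the status code, so a catch-all `location /` that returns an HTML 200 page for unknown paths is also caught.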

Since version 1.16 certificates can be dynamic, no need for reload.

Oh, I hadn't known this. I know the configs for Nginx are rather powerful, but didn't realize they were this good. Maybe alternatively somebody could make a web UI to make managing this sort of thing for Nginx simple. Most neckbeards will rage about that, but they don't have to use it.

Really what we need is what Caddy ended up being. Best practices rolled in as defaults.

That’s why I use caddy just about everywhere that isn’t a load balancer.

What you're asking for already exists. The certbot package already takes care of that [1]. No need to develop anything extra for nginx.

[1] https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx

The Certbot team would like to see an official nginx integration at some point because it would be easier and more reliable. Certbot's integration relies on parsing nginx configuration files but the nginx configuration file grammar isn't formally specified and there are surely divergences between nginx's interpretation and Certbot's interpretation. (The last one I worked on, which I don't think we resolved, is that nginx allows you to use arbitrary character encodings in configuration files, e.g. many Russian users may have comments in KOI8-R rather than UTF-8. I believe this is because nginx doesn't make a consistent attempt to explicitly interpret multibyte characters in all contexts. Certbot, as a Python application, generally does nowadays.)

The most sustainable and reliable long-term approach would be to have Certbot's integrations gradually superseded by supported official Let's Encrypt integrations in applications that terminate TLS.

P.S. Thanks for your enthusiasm for Certbot!
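
The encoding problem described above is concrete enough to demonstrate. The following is an added example, not Certbot's parser: a minimal reader for the subset of nginx syntax used in this thread (directives, `{}` blocks, `;`, quoted strings, `#` comments) that tokenizes on raw bytes and never decodes a comment, so a KOI8-R comment cannot break it, while directive arguments are still decoded as UTF-8. `SAMPLE` is a constructed config; the real nginx grammar has cases this subset ignores, which is exactly the point the comment makes.

```python
from typing import List, Optional, Tuple

# A parsed directive is (args, children); children is None for `name args;`
# and a list of directives for `name args { ... }`.
Directive = Tuple[List[str], Optional[list]]

WORD_END = {b" ", b"\t", b"\r", b"\n", b"{", b"}", b";", b"#"}


def tokenize(data: bytes):
    """Yield (kind, value) tokens from raw bytes. Comments are skipped as bytes,
    so their encoding is irrelevant; only words are decoded (UTF-8, strict)."""
    i, n = 0, len(data)
    while i < n:
        c = data[i:i + 1]
        if c in (b" ", b"\t", b"\r", b"\n"):
            i += 1
        elif c == b"#":                      # comment: skip to end of line, never decode
            j = data.find(b"\n", i)
            i = n if j == -1 else j + 1
        elif c in (b"{", b"}", b";"):
            yield c.decode("ascii"), None
            i += 1
        elif c in (b'"', b"'"):              # quoted word, with backslash escapes
            buf, j = bytearray(), i + 1
            while j < n and data[j:j + 1] != c:
                if data[j:j + 1] == b"\\" and j + 1 < n:
                    j += 1
                buf += data[j:j + 1]
                j += 1
            if j >= n:
                raise ValueError("unterminated quoted string")
            yield "word", bytes(buf).decode("utf-8")
            i = j + 1
        else:                                # bare word
            j = i
            while j < n and data[j:j + 1] not in WORD_END:
                j += 1
            yield "word", data[i:j].decode("utf-8")
            i = j


def parse(data: bytes) -> List[Directive]:
    """Build a directive tree; raises ValueError on unbalanced braces or a missing `;`."""
    tokens = list(tokenize(data))
    pos = 0

    def block(nested: bool) -> List[Directive]:
        nonlocal pos
        out, args = [], []
        while pos < len(tokens):
            kind, val = tokens[pos]
            pos += 1
            if kind == "word":
                args.append(val)
            elif kind == ";":
                if not args:
                    raise ValueError("stray ';'")
                out.append((args, None))
                args = []
            elif kind == "{":
                if not args:
                    raise ValueError("block without a directive name")
                out.append((args, block(True)))
                args = []
            elif kind == "}":
                if not nested:
                    raise ValueError("unexpected '}'")
                if args:
                    raise ValueError("directive missing ';'")
                return out
        if nested:
            raise ValueError("missing '}'")
        if args:
            raise ValueError("directive missing ';'")
        return out

    return block(False)


def find_directive(tree: List[Directive], name: str) -> List[List[str]]:
    """Return the argument lists of every directive called `name`, at any depth."""
    found = []
    for args, children in tree:
        if args[0] == name:
            found.append(args)
        if children:
            found.extend(find_directive(children, name))
    return found


def naive_utf8_fails(data: bytes) -> bool:
    """What `open(path, encoding='utf-8').read()` would do with this file."""
    try:
        data.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


# Constructed sample: the thread's location block plus a KOI8-R comment.
SAMPLE = (
    b"# the next comment is KOI8-R, not UTF-8\n"
    + "# сертификаты обновляет acme.sh\n".encode("koi8_r")
    + b"server {\n"
      b"    listen 443 ssl;\n"
      b"    server_name example.com; # inline comment\n"
      b"    ssl_certificate /etc/ssl/example.com/fullchain.pem;\n"
      b"    ssl_certificate_key /etc/ssl/example.com/key.pem;\n"
      b"    location ^~ /.well-known/acme-challenge/ {\n"
      b"        allow all;\n"
      b"        default_type \"text/plain\";\n"
      b"        root /var/www/letsencrypt;\n"
      b"    }\n"
      b"}\n"
)


def demo() -> Tuple[bool, List[str]]:
    """Show that a strict text read fails while the byte-level parser still
    finds the certificate path a tool like Certbot needs to rewrite."""
    certs = [args[1] for args in find_directive(parse(SAMPLE), "ssl_certificate")]
    return naive_utf8_fails(SAMPLE), certs


if __name__ == "__main__":
    print(demo())
```

A real integration would also have to decide what to do when a bare word itself is not valid UTF-8; here the strict decode raises, which is at least a loud failure rather than a silently rewritten config.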

A more neutral stance might be for software to explicitly offer ACME integration rather than Let's Encrypt specifically, after all part of the rationale for Let's Encrypt is to be a huge practical demonstration that ACME can be a success for the public Internet.

e.g. a config setting get-certs-from: ACME-ENDPOINT-URL rather than a binary "Use Let's Encrypt" feature.

Thanks for your work, which is much more important than our enthusiasm.

If you’re running nginx on Nix you can do it with just a couple config settings