by schoen 2334 days ago
The Certbot team would like to see an official nginx integration at some point because it would be easier and more reliable. Certbot's integration relies on parsing nginx configuration files but the nginx configuration file grammar isn't formally specified and there are surely divergences between nginx's interpretation and Certbot's interpretation. (The last one I worked on, which I don't think we resolved, is that nginx allows you to use arbitrary character encodings in configuration files, e.g. many Russian users may have comments in KOI8-R rather than UTF-8. I believe this is because nginx doesn't make a consistent attempt to explicitly interpret multibyte characters in all contexts. Certbot, as a Python application, generally does nowadays.)

The most sustainable and reliable long-term approach would be to have Certbot's integrations gradually superseded by supported official Let's Encrypt integrations in applications that terminate TLS.

P.S. Thanks for your enthusiasm for Certbot!
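As an added illustration of the encoding divergence described in the comment above (this is example code, not Certbot's; the nginx snippet and its KOI8-R comment are constructed): nginx reads the file as raw bytes, so a strict UTF-8 decode in Python fails on the comment, while a byte-preserving decode lets the directives be parsed and the file re-emitted unchanged.

```python
import re

# Constructed sample: a server block whose comment is KOI8-R encoded.
# "# сертификат" in KOI8-R is not valid UTF-8 (0xD3 0xC5 ... are not UTF-8 sequences).
KOI8R_COMMENT = "# сертификат".encode("koi8_r")
SAMPLE_CONF = b"".join([
    b"server {\n",
    b"    listen 443 ssl;\n",
    b"    server_name example.com;\n",
    b"    " + KOI8R_COMMENT + b"\n",
    b"    ssl_certificate /etc/ssl/example.pem;\n",
    b"}\n",
])

def decode_naively(raw: bytes) -> str:
    """The fragile approach: strict UTF-8 decoding raises on the KOI8-R bytes."""
    return raw.decode("utf-8")

def utf8_strict_fails(raw: bytes) -> bool:
    """True when the naive decode would abort on this configuration."""
    try:
        decode_naively(raw)
        return False
    except UnicodeDecodeError:
        return True

def decode_tolerantly(raw: bytes) -> str:
    """surrogateescape maps each undecodable byte to a lone surrogate, so the
    text can be handled as str and later re-encoded to the identical bytes."""
    return raw.decode("utf-8", errors="surrogateescape")

def reencode(text: str) -> bytes:
    """Inverse of decode_tolerantly: restores the original bytes, comments included."""
    return text.encode("utf-8", errors="surrogateescape")

# Simple `name value;` directive on a single line; blocks and comments are not matched.
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+([^;#]*?)\s*;\s*$")

def directives(text: str) -> dict:
    """Collect simple directives, skipping comment lines so the parser never
    has to interpret the bytes inside a comment at all."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found
```

The byte round trip is the property a config-rewriting tool needs: it can insert its own directives without corrupting comments it cannot decode.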


A more neutral stance might be for software to explicitly offer ACME integration rather than Let's Encrypt specifically; after all, part of the rationale for Let's Encrypt is to be a huge practical demonstration that ACME can be a success for the public Internet.

e.g. a config setting get-certs-from: ACME-ENDPOINT-URL rather than a binary "Use Let's Encrypt" feature.

Thanks for your work, which is much more important than our enthusiasm.