Hacker News new | ask | show | jobs
by homebrewer 204 days ago
In circles I'm running in, automatic certificate renewal has not caused a single problem over 7 years of using it, and whatever time was spent on setting it up, has paid many times over, both in saving effort on renewal, and in putting out fires when (not if) someone forgets to renew a certificate. You just have to be careful picking your automation — I haven't been impressed with certbot, for example.

Also, everything is using https now. Living in a low-income country, certificates were too expensive to use them where they weren't absolutely required, but not anymore. This is orthogonal to automation, I'm just pointing out that LE is not as demonic as you make it out to be.

I'm afraid enterprise users are on their own, probably approximately no-one else is interested in going back to the old ways of doing it. (Maybe embedded.)
1 comments
imtringued 204 days ago
Forcing automation would be fine if the default software package (certbot) was any good but from my experience certbot is simply not fit for purpose. Certbot doesn't support the industry standard PKCS#12 format, which makes it extremely brittle for anyone using a Java based webserver. Instead it uses the non-standard PEM format which requires conversion before usage. That conversion step breaks all the time and requires manual intervention. It's ridiculous.
link
nine_k 204 days ago
PEM is very standard. Calling `openssl pkcs12` also should not be hard; IDK about certbot, but there is a hook for acmetool (which I use) that does just that for you: https://github.com/dlitz/acmetool-pkcs12-hooks
link
SAI_Peregrinus 204 days ago
PEM is standardized in RFC 7468, from 2015 [1]. PEM has been an industry standard for a decade.

[1]https://datatracker.ietf.org/doc/html/rfc7468

link
JackSlateur 202 days ago
p12, "industry standard" ? P12 is a joke, a binary fusion of the private and multiple certificate, protected by a weak password to "feel better"

p12 is cruft used by legacy software like active directory

Post 2005 people are using PEM (how is it non-standard, again ? Require conversion for legacy software that are more than 20 years-old, perhaps)

link
cpach 204 days ago
I hear ya. I’m also not fond of certbot and other existing clients.

The best solution I’ve found so far was to implement a custom cert manager using the formidable acmez library.

link
arccy 204 days ago
at this point PEM is more standard and prevalent than pkcs#12
link