Comment by tasuki 2 days ago

4 replies

> To someone like me with hobby-level serving needs, the 90 day certificate life is pretty inconvenient, despite having automation set up.

I also have hobby-level serving needs. I've been using LetsEncrypt since whenever it was they started. I have two top level domains and a whole lot of subdomains.

I've never had to babysit certificate renewal, nor had to log in manually to fix anything. Not once. How come?

5d41402abc4b 2 days ago

If your server is not accessible from the internet, you need to use DNS-based authentication, for which you need to have a DNS API key lying around on your server, which is a significant risk.

  • erincandescent a day ago

    Put the ACME challenges in their own DNS zones. Grant the key permission to only that zone. Risk mitigated.
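The zone delegation erincandescent describes, written out as an added example (not from the thread or from any ACME client's documentation). `example.com` is the real domain and `acme-challenges.example.net` is an assumed, dedicated zone that exists only to hold challenge records; the validator for DNS-01 follows CNAMEs on `_acme-challenge.<name>`, so the records below are what the delegation looks like in both zones:

```dns
; --- example.com zone: the server holds NO API key for this zone ---
; DNS-01 checks a TXT record at _acme-challenge.<name>. A CNAME is followed,
; so each name is pointed into the dedicated challenge zone instead.
$ORIGIN example.com.
_acme-challenge        IN CNAME  example-com.acme-challenges.example.net.
_acme-challenge.www    IN CNAME  www-example-com.acme-challenges.example.net.
_acme-challenge.mail   IN CNAME  mail-example-com.acme-challenges.example.net.

; --- acme-challenges.example.net zone: the ONLY zone the server's key may edit ---
; The ACME client writes a short-lived TXT record here at renewal time and
; deletes it afterwards. Nothing else lives in this zone, so a leaked key
; cannot touch the A, MX or CAA records of example.com.
$ORIGIN acme-challenges.example.net.
$TTL 60
example-com            IN TXT   "<token placed by the ACME client during renewal>"
www-example-com        IN TXT   "<token placed by the ACME client during renewal>"
mail-example-com       IN TXT   "<token placed by the ACME client during renewal>"
```

Two points worth checking when setting this up: the API key must be scoped to `acme-challenges.example.net` alone (a key that can edit the parent account, or the main zone, gives no benefit), and the residual risk is that whoever holds the key can still complete challenges for exactly the names that were delegated, so issuance for those names is the blast radius rather than the whole domain. CAA records are looked up on the real name, not the CNAME target, so a CAA policy in `example.com` continues to restrict which CAs may issue.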

ryandrake a day ago

Weird. It's always been flaky for me, so I thought it was just the usual run-of-the-mill crappy software and that everyone just deals with it. I can't imagine what the bug might be in a 6 line shell script that just runs certbot and then restarts a bunch of services.