Comment by imtringued a day ago
Forcing automation would be fine if the default software package (certbot) was any good, but from my experience certbot is simply not fit for purpose. Certbot doesn't support the industry-standard PKCS#12 format, which makes it extremely brittle for anyone using a Java-based webserver. Instead it uses the non-standard PEM format, which requires conversion before usage. That conversion step breaks all the time and requires manual intervention. It's ridiculous.
PEM is very standard. Calling `openssl pkcs12` also should not be hard; IDK about certbot, but there is a hook for acmetool (which I use) that does just that for you: https://github.com/dlitz/acmetool-pkcs12-hooks
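Added example, not part of either comment and not code from certbot or acmetool: a certbot deploy hook that runs the `openssl pkcs12` conversion discussed above after each renewal. It relies on certbot's `RENEWED_LINEAGE` variable and its `fullchain.pem`/`privkey.pem` files; the function name, the `P12_OUT`/`P12_PASS_FILE` variables, their default paths and the `tls` alias are assumptions.

```shell
#!/bin/sh
# Added example: rebuild a PKCS#12 keystore from certbot's PEM files.
# Install as an executable file under /etc/letsencrypt/renewal-hooks/deploy/.

# pem_to_p12 LINEAGE_DIR OUT_FILE PASS_FILE [FRIENDLY_NAME]
pem_to_p12() {
    lineage=$1; out=$2; passfile=$3; name=${4:-tls}   # "tls" is an assumed alias

    # Fail loudly on missing inputs instead of silently keeping a stale keystore.
    for f in "$lineage/fullchain.pem" "$lineage/privkey.pem" "$passfile"; do
        [ -r "$f" ] || { echo "pem_to_p12: cannot read $f" >&2; return 1; }
    done

    # The keystore contains the private key: mktemp creates it owner-only, and
    # placing it next to the target makes the final rename atomic.
    tmp=$(mktemp "$out.XXXXXX") || return 1

    # The password is read from a file so it never appears in the process list.
    # The second openssl call re-reads the result before it replaces the old one.
    if openssl pkcs12 -export \
            -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
            -name "$name" -out "$tmp" -passout "file:$passfile" &&
       openssl pkcs12 -in "$tmp" -noout -passin "file:$passfile" 2>/dev/null
    then
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "pem_to_p12: conversion failed, keeping previous $out" >&2
        return 1
    fi
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to deploy
# hooks. The two default paths below are assumptions for this example.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem_to_p12 "$RENEWED_LINEAGE" \
        "${P12_OUT:-/etc/ssl/private/keystore.p12}" \
        "${P12_PASS_FILE:-/etc/ssl/private/keystore.pass}"
fi
```

A non-zero exit leaves the previous keystore in place, so a failed conversion shows up in the renewal log rather than as a broken TLS listener.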