undefined | Better HN

0 pointszamadatix6y ago0 comments

You're a professional plumber working on hundreds of households saying it's shockingly simple and should take no time at all for a first time home owner to fix their own plumbing. You've already got the knowledge, experience, and tools/parts in the van - of course you don't think it's a hassle!

0 comments

zzzcpan6y ago

And he's not even right. There is no hassle only if you take plenty of risk and rely on a random crappy acme client to do it well, its dependencies to always work, disks, OSes, servers not failing, acme protocol not changing and not deprecating anything.

Otherwise you need some infrastructure: logging, monitoring, some way to manage upgrades, backups, testing recovery, oh and those private keys are better not be leaked anywhere, so you need encryption for backups, which brings key management and so on.

allset_6y ago

Everything in your comment has to do with general server maintenance, and is not specific to automating certificate renewal with certbot or a similar tool which is what is being discussed. Adding HTTPS to your site and setting up automatic renewal is literally three steps on an Ubuntu system and you can copy and paste it from the certbot documentation [1].

[1] https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

zzzcpan6y ago

Dealing with certificates is more critical than "general server maintenance", things people often neglect doing suddenly become required. It might take from a few months to even a couple of years to get from neglected infrastructure to infrastructure ready for reliable automated issuance of certificates.

I actually evaluated a bunch of acme clients, wasn't satisfied with the code of any of them and wrote my own. But even from those I looked at certbot was always the worst choice, it's ridiculous letsencrypt is promoting it, better choices were POSIX shell clients or statically linked clients, like those written in Go and other compiled languages.

1 more reply

giancarlostoro6y ago

To be reasonably fair Lets Encrypt makes it easy. I even have a $5 a year shared hosting account that gives me Lets Encrypt SSL certs through cpanel. I can't imagine this feature is unique only to this one random shared hosting provider.

fishtacos6y ago

Your $5 instance with cPanel management isn't really quite the same as someone manually managing 100 servers hosting these services on disparate configurations and environments. In other words, what your tooling of choice automates in a specific situation doesn't necessarily apply to any one else's usage, and scalability-wise, would be even more detached.

giancarlostoro6y ago

Certbot works with multiple configurations and servers / Operating Systems:

https://certbot.eff.org/

I wouldn't be surprised if that's how he's managing 100 servers, or something similar.

1 more reply

rumanator6y ago

> Your $5 instance with cPanel management isn't really quite the same as someone manually managing 100 servers hosting these services on disparate configurations and environments.

Actually, it is. Some reverse proxies such as Traefik handle TLS certs automatically. You practically need to explicitly not want to do it.

ben_jones6y ago

Extended with: "and all his customers are based in a country with strong plumbing standards and regulatory guidelines" - rendering his advice less valid for every country which doesn't.

A practical example I ran into lately, we had a small system run on GKE and Google Cloud Loadbalancer and struggled to automate the certificate renewal process. Because the cluster/project was for an internal tool this automation was given a low priority and we still have to "manually" swap a certificate every few months (and if we forget to we get an angry slack DM).

TLDR; there are still many combinations of networked services that still do not ~easily~ support certificate automation, even ones you expect really should by now.

j / k navigate · click thread line to collapse

0 comments

zzzcpan6y ago

allset_6y ago

[1] https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

zzzcpan6y ago

1 more reply

giancarlostoro6y ago

fishtacos6y ago

giancarlostoro6y ago

Certbot works with multiple configurations and servers / Operating Systems:

https://certbot.eff.org/

I wouldn't be surprised if that's how he's managing 100 servers, or something similar.

1 more reply

rumanator6y ago

> Your $5 instance with cPanel management isn't really quite the same as someone manually managing 100 servers hosting these services on disparate configurations and environments.

Actually, it is. Some reverse proxies such as Traefik handle TLS certs automatically. You practically need to explicitly not want to do it.

ben_jones6y ago

Extended with: "and all his customers are based in a country with strong plumbing standards and regulatory guidelines" - rendering his advice less valid for every country which doesn't.

TLDR; there are still many combinations of networked services that still do not ~easily~ support certificate automation, even ones you expect really should by now.

j / k navigate · click thread line to collapse