[RndTbl] "Let's Encrypt" by the Internet Security Research Group (ISRG)

Theodore Baschak theodore at ciscodude.net
Sun Feb 5 22:01:10 CST 2017

On Sun, Feb 5, 2017 at 4:35 PM, Trevor Cordes <trevor at tecnopolis.ca> wrote:

> Like David said, their main thrust is automated deployment.
> Unfortunately, in my mind that's that's their biggest downside.  You
> *must* use their automated tools: AFAIK they provide no normal
> manual/email way to obtain their certs.  That means any processes
> you've created in-house to handle certs (like I have) are instantly
> incompatible and would require modification.  And it's not just the
> cert files, their tools auto-edit apache configs, etc.  Also, I'm not
> sure if their tools tie the cert into other SSL-able daemons like
> sendmail, or if that's even possible given their cert settings.
> Also, they issue certs only for 3 months at a time, which kind of
> necessitates their automated tools.
> It's kind of funny, they concentrate so much on deployment when I think
> the main impediment to most people vis a vis SSL is cost.  They have
> the cost thing beat (free) but then they force you into their
> proprietary deployment model.
> Other than that, I'd say they look legit and benign, and we've talked
> about them at MUUG before and everyone seems to agree.  If you don't
> run any SSL now and you aren't terribly experienced with it, I see no
> downside to using let's encrypt.  If you already have SSL deployed,
> do your research before jumping on board just to turn your yearly cost
> into "free".
> Oh ya, one more good thing about Let's Encrypt: their causing the big
> players to lower their low-end cert prices a bit!  That's always good
> news.

If you're interested in using their free certs in a less automated way, you
can use other tools..
For instance I LOVE https://github.com/lukas2511/dehydrated
Its bash.
I use a modified version of the hook on this page:
https://www.aaflalo.me/2016/09/dehydrated-bash-client-lets-encrypt/ to
automatically reload postfix and dovecot and nginx if a cert that affects
them is renewed.

I also use the powerdns API hook script extensively.

I find this way much easier to digest (along with my own automation using
their hooks) than their "here trust me to do exactly what you want with
your configs".

Theodore Baschak - AS395089 - Hextet Systems
https://ciscodude.net/ - https://hextet.systems/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://muug.ca/pipermail/roundtable/attachments/20170205/7b6a9bad/attachment.html>

More information about the Roundtable mailing list