The devil is in the automation. I have used Certbot a couple of times with the CLI args (-d etc.) and with the GUI. I have used it completely successfully and without any problems, but that doesn’t matter here: I’m 100 % confident that I have not given permission in any GUI or CLI to amend the Apache configurations for this domain name when deploying a certificate for another domain (which was, btw, being served by NGINX). It has to have happened in the background, behind the curtain, you know, where the process is automated – which is also the key selling point of Let’s Encrypt and Certbot, to make it easy and automated.

This of course raises the question whether I’m to blame Certbot or did I do something wrong and actually the service was working as expected. Who knows. I also admit that my VPS setup consists not only of one domain and one IP address, but multiple domains served by both Apache and NGINX from three IP addresses. Nonetheless, I should be able to trust the automation. But the takeaway here, for me atleast, is to write a script to check whether the correct config files and none else were touched during the deployment. Certbot already prints out to you the list of issued certificates, their private keys, and certificate chains. It would be a nice improvement to have a list of all touched files during the deployment just to alert the geek.

The post Be careful with the Let’s Encrypt’s deployment automation appeared first on Pietari Heino's personal website.

One thing that really bothers me when people say that Let’s Encrypt is the solution to everything is that… it isn’t when you cannot use it. If you are not a server person, your website rests at a web hosting company’s shared platform where you do not have any say in Apache/NGINX configs, cannot apt-get, or curl | bash. You most likely don’t even have any clue what those terms mean. So Let’s Encrypt doesn’t solve the problem for shared hosting plans as long as the web hosting companies don’t provide it. Simple as that. It really gets into my nerves when people comment on forums that everyone should be using Let’s Encrypt and that now we’ve got a free solution there is *nothing* that could keep even a single person from turning on the green lock. Like really, most small to mid-sized companies have their web sites running on shared hosting. Not possible to rely solely on the port 443.

That’s it. Let’s Encrypt is a wonderful thing and I really like it but it just so bugs me when uneducated or ignorant people slam it to other peoples’ faces without actually thinking for a moment if it can even be applied here and there.

I hope CPanel and the rest implement it soon enough and more so that the shared hosting providers turn on the knobs for easy enabling.

The post The problem with Let’s Encrypt (or someone’s) appeared first on Pietari Heino's personal website.