
> by definition you already automated the renewal process on a schedule too

No, certbot does not run on a schedule by default. You have to set that up separately, and that can be non-trivial because you have to be able to handle failures.
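As an added example (not from any commenter in this thread): a wrapper that a cron job or systemd timer can call, which retries the renewal command with backoff and exits non-zero so the scheduler can alert on persistent failure. The command, attempt count and backoff are assumptions, not anything the thread specifies.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Retry wrapper for scheduled cert renewal.
# Exit status is the alerting signal: cron MAILTO or a systemd OnFailure= unit
# fires only if this script returns non-zero.

renew_with_retry() {
    # $1: max attempts, $2: initial backoff in seconds (doubles each retry),
    # remaining arguments: the renewal command to run.
    local attempts="$1" backoff="$2"
    shift 2
    local n=1
    while :; do
        if "$@"; then
            echo "renewal succeeded on attempt $n" >&2
            return 0
        fi
        if [ "$n" -ge "$attempts" ]; then
            echo "renewal failed after $n attempts: $*" >&2
            return 1
        fi
        echo "attempt $n failed; retrying in ${backoff}s" >&2
        sleep "$backoff"
        backoff=$((backoff * 2))
        n=$((n + 1))
    done
}

# Scheduled entry point (assumed values: 3 attempts, 60s initial backoff).
# Only runs when invoked with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    renew_with_retry 3 60 certbot renew -q
    exit $?
fi
```

A timer or cron line would invoke this with `--run`; transient ACME or network errors are absorbed by the retries, while a hard failure surfaces as a non-zero exit instead of silently leaving an expiring certificate in place.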




If you installed it with pip, it doesn't; if you installed it with an OS package or snap, it does (although it also didn't in that case for about the first year and a half of its existence, I think).


Can confirm, I have been using certbot+apache in production across multiple servers from Ubuntu apt repos since 18.04 in 2018 and scheduled auto-renewal is the default.


But if certbot doesn't run on schedule, presumably it will never connect to ARI either.


This is why Certbot should only be used temporarily to transition from legacy infrastructure. Ideally cert management (ACME client) needs to be baked into the server, like what Caddy does.


About the last thing security-wise that I want is for an http server to control DNS records (which is required to have wildcard certs in LE)


When done properly, this is less of an attack vector than you think (certainly much less than a phishing email).



