[BlueOnyx:22605] Re: Letsencrypt - update is in Testing-Repo

Michael Stauber mstauber at blueonyx.it
Tue Jan 22 23:26:38 -05 2019


Hi all,

> Let's Encrypt CertBot replacement

I spent all day on it today and I now have a version for 5209R ready
which replaces CertBot with ACME.sh

See: https://github.com/Neilpang/acme.sh/

The code for that is in SVN now and RPMs for 5209R are currently in the
BlueOnyx-Testing YUM repository.

SVN Changelog: http://devel.blueonyx.it/trac/changeset/3235/

The beauty of ACME.sh is that it's a bloody Shell script without any
exotic dependencies. And (out of the box) it has a hell of a lot more
functions and features than the Let's Encrypt guys could stuff into
their CertBot Python contraption. :p

There is a small catch:

Transitioning from CertBot to ACME-maintained LE SSL certs requires some
wiggling. So the old cronjob that *used* to do the renewals now just
runs and hands the LE certs over to ACME until there are no more LE SSL
certs for it to handle. This means that during the first night after
this update gets installed the Cronjob will try to renew all LE SSL
certs one by one via ACME. If it doesn't succeed with some, then it'll
try again the next night and so forth until all LE Certs have at least
once been renewed via ACME.

ACME itself has its own cronjob (see: "crontab -l"), which does
renewals on a daily basis.

How reliable that is? That remains to be seen. I do expect that this
isn't the last shot I'll need to take at it, but I'm confident that ACME
will work a hell of a lot better for us than CertBot did.

I'll sleep over the code-changes for a night and sometime on Wednesday
afternoon I'll push the changes out to the regular YUM repository for
all platforms that use Let's Encrypt in BlueOnyx or Aventurin{e}.

-- 
With best regards

Michael Stauber
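
The hand-over mechanism described in the post (a cronjob that tries every remaining CertBot-managed cert once per night via ACME, records the ones that worked, and leaves the failures for the next night) can be sketched as a small idempotent script. This is an added example, not BlueOnyx code and not the script from the SVN changeset. It assumes CertBot keeps one directory per domain under a live directory (as /etc/letsencrypt/live does), that acme.sh is invoked as `acme.sh --issue -d DOMAIN -w WEBROOT` for a webroot challenge, and it keeps its own "done" markers in a state directory; all three paths and the migration command are parameterised so the logic can be exercised against a scratch directory without touching a real server.

```shell
#!/bin/sh
# Added example, not part of the BlueOnyx update: a nightly CertBot -> acme.sh
# hand-over pass. Each run re-reads the list of domains that are still
# CertBot-managed and not yet marked done, tries each exactly once, marks the
# successes, and leaves the failures for the next night's run.
#
# Assumptions (not from the post): one directory per domain under CERTBOT_LIVE,
# acme.sh called as "acme.sh --issue -d DOMAIN -w WEBROOT", and a marker file
# per migrated domain under STATE_DIR. MIGRATE_CMD lets a caller substitute
# another command (or a shell function) for the acme.sh call.

CERTBOT_LIVE="${CERTBOT_LIVE:-/etc/letsencrypt/live}"
STATE_DIR="${STATE_DIR:-/var/lib/le-handover}"
WEBROOT="${WEBROOT:-/var/www/html}"
MIGRATE_CMD="${MIGRATE_CMD:-}"

# Try to bring one domain under acme.sh. Returns 0 on success, non-zero on
# failure; the caller decides what to do with a failure (namely: nothing,
# the domain simply stays pending until the next run).
migrate_one() {
    domain="$1"
    if [ -n "$MIGRATE_CMD" ]; then
        "$MIGRATE_CMD" "$domain"
    else
        acme.sh --issue -d "$domain" -w "$WEBROOT" >/dev/null 2>&1
    fi
}

# Domains that CertBot still manages and that have no "done" marker yet.
pending_domains() {
    for d in "$CERTBOT_LIVE"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        [ -f "$STATE_DIR/$name.done" ] || echo "$name"
    done
}

# Number of domains still waiting to be handed over (0 when the job is finished).
count_pending() {
    pending_domains | wc -l | tr -d ' '
}

# One nightly pass. Always exits 0 so a cron wrapper under "set -e" is not
# aborted by a single failed domain; the summary line carries the result.
handover_pass() {
    mkdir -p "$STATE_DIR"
    ok=0
    fail=0
    for name in $(pending_domains); do
        if migrate_one "$name"; then
            : > "$STATE_DIR/$name.done"   # success: never touched again
            ok=$((ok + 1))
        else
            fail=$((fail + 1))            # failure: retried on the next run
        fi
    done
    echo "handover: migrated=$ok still_pending=$fail"
    return 0
}

# Run a pass only when invoked as "le-handover.sh run", so that sourcing the
# file (e.g. for testing) defines the functions without doing anything.
if [ "${1:-}" = "run" ]; then
    handover_pass
fi
```

Once `count_pending` reports 0 the old cronjob has nothing left to do and can be retired, leaving renewals to the daily cronjob that acme.sh installs for itself. The "done" markers are what make the job safe to re-run: a domain is never issued twice, and a transient failure (rate limit, DNS hiccup, webroot not reachable) costs nothing but one more night.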


