Improvements for manual mode #1190

Closed
brainfoolong opened this Issue Oct 29, 2015 · 2 comments

@brainfoolong

I'm currently in the beta program and I'm experimenting now with installing certs on some of my domains.
I'm trying to automate all processes, and almost all of them work nicely.
But there are some problems and questions that I currently have.
My webserver is Lighttpd.
Standalone, Webserver, Apache, or any other auth mode is not usable for me because of my special server setup.

  1. Auth requests through the URL "/.well-known/xxx" are OK, but forcing a specific content-type is a problem because this file simply doesn't have a file extension. I don't want to change the default MIME type for all not explicitly listed extensions to "application/jose+json". Currently I have to write proxy scripts for all those auth URLs to change the MIME type. There are 2 possible fixes for that: change the auth request URL to one with a specific file extension, like /.well-known/xxx.josejson, so that we can assign MIME types to it, or drop the requirement for the specific content-type for auth requests.
  2. Is it recommended to create one cert for all domains or one cert per domain? Currently I create one cert per domain. I have many domains; will this be a problem in the future?
  3. Add the possibility to specify an output file for the auth request string. Currently there is no way to fully automate the manual mode. I've hardcoded it locally in "plugins/manual.py" to store that stuff in a file.
  4. Add the possibility to disable the "Hit Enter to proceed" prompt after the notification message for the request token. In combination with my point 3 this will result in a fully automated process.
  5. Add the possibility to concatenate the public and private key into one file. For example, lighttpd requires that.
  6. I'm running into "RateLimited for domain xxx" because I've done some tests. When will this limit be reset?

Locally I now have a working solution for a fully automated process in manual mode. I guess this will also be helpful for other people.
Here is my workflow:

  1. Run letsencrypt-auto --renew-by-default --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth -a manual -d xxxx.com
  2. I've changed my manual mode to save the auth token file on disk and skip the waiting message.
  3. My domain serves the auth file automatically with the correct MIME types (requires a big workaround; for more info see point 1 above).
  4. Letsencrypt successfully finishes the auth for new certs and renewals.
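A server-side way around point 1 that leaves the site-wide default MIME type alone, given here as an added example (it is not from the issue, nor from the letsencrypt client): a lighttpd conditional that scopes mimetype.assign to the challenge path only. The path /.well-known/acme-challenge/ is the http-01 challenge location fixed by the ACME protocol (the issue abbreviates it as /.well-known/xxx); the empty-string key in mimetype.assign is lighttpd's fallback for files whose name matches no listed extension, which is exactly the extension-less token files the client writes.

```lighttpd
# Added example, not part of the original issue or the letsencrypt client.
# Serve ACME challenge tokens with the content-type the client checked for,
# without touching the global mimetype.assign table: the "" key only applies
# inside this URL conditional, and the token files have no extension, so the
# fallback is the entry that matches them.
$HTTP["url"] =~ "^/.well-known/acme-challenge/" {
    mimetype.assign = ( "" => "application/jose+json" )
}
```

Files outside the challenge path keep the types from the global mimetype.assign, so the rest of the site is unaffected. The same fragment covers the webroot plugin, which only writes the token files and leaves the Content-Type to the web server.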
kuba Oct 29, 2015

Contributor

The manual plugin should not be automated, by definition! Moreover, I'm afraid you just reinvented our webroot plugin: it's unfortunately not visible from the menu (#1157), but you can use it as letsencrypt-auto -a webroot --webroot-path /path/to/your/public_html: it will copy all necessary files to your server, but you have to make sure the Content-Type is OK.

  1. That's a limitation of the ACME protocol and not something the client can do to fix it. Please follow up in ietf-wg-acme/acme#9 if you're curious.
  2. We don't recommend anything in this regard. You are free to choose between one big certificate with all domains (-d domain1.com -d domain2.com ...) or having one domain per cert. However, note that the webroot plugin is currently limited to one "public_html" per run (#1016), so all domains specified on the CLI must be served from the same root, which somewhat limits the flexibility of your decision.
  3. WONTFIX for manual. Use webroot.
  4. WONTFIX for manual. Use webroot.
  5. Opened #1201 to track this request.
  6. Rate limits are set per week. I'm afraid you have to wait until then. You could also visit us on IRC and try to ask to bump the limit :)

I'm very sorry about the poor documentation of webroot - that is something we will definitely be working on before launch! However, I'm going to close this issue, as I believe all your questions were resolved.
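For point 5 (tracked in #1201), the combined file that lighttpd's ssl.pemfile expects can be built outside the client. The following is an added example, not the letsencrypt project's code: a POSIX sh function that concatenates the client's privkey.pem and cert.pem, checks that each input actually carries the PEM block it should (so swapped arguments are refused), writes the result with mode 0600 because the combined file now contains the private key, and renames a temp file into place so a server reload never reads a half-written file. The /etc/letsencrypt/live/<domain>/ layout is the client's usual one; the output path under /etc/lighttpd/ is an assumption. The intermediate chain is not concatenated here; lighttpd takes it separately via ssl.ca-file.

```sh
#!/bin/sh
# Added example, not from the letsencrypt client: build the single PEM file
# lighttpd's ssl.pemfile expects from the client's separate privkey.pem and
# cert.pem (point 5 of the issue). The input layout under /etc/letsencrypt/live/
# is the client's usual one; the output location is an assumption.

# pem_has_block FILE LABEL: succeed only if FILE contains a PEM block whose
# BEGIN line ends in LABEL ("PRIVATE KEY" matches both "BEGIN PRIVATE KEY"
# and "BEGIN RSA PRIVATE KEY"; "CERTIFICATE" matches "BEGIN CERTIFICATE").
pem_has_block() {
    grep -q -e "^-----BEGIN .*$2-----" "$1"
}

# make_lighttpd_pem PRIVKEY CERT OUT
# Refuses inputs that lack the expected block (catches swapped arguments),
# writes OUT with mode 0600 because it now holds the private key, and renames
# a temp file into place so a reload never sees a half-written file.
make_lighttpd_pem() {
    key=$1
    cert=$2
    out=$3
    if ! pem_has_block "$key" "PRIVATE KEY"; then
        echo "make_lighttpd_pem: no private key block in $key" >&2
        return 1
    fi
    if ! pem_has_block "$cert" "CERTIFICATE"; then
        echo "make_lighttpd_pem: no certificate block in $cert" >&2
        return 1
    fi
    tmp="$out.tmp.$$"
    # umask 077 makes the temp file owner-only from the moment it exists,
    # so the private key is never readable by others even briefly.
    ( umask 077 && cat "$key" "$cert" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv -f "$tmp" "$out"
}

# Usage when run as a script with three paths, e.g. after each renewal
# (paths are examples):
#   make_lighttpd_pem /etc/letsencrypt/live/example.com/privkey.pem \
#       /etc/letsencrypt/live/example.com/cert.pem \
#       /etc/lighttpd/ssl/example.com.pem
if [ "$#" -eq 3 ]; then
    make_lighttpd_pem "$1" "$2" "$3"
fi
```

Run it once after every successful renewal and then reload lighttpd; since the combined file is regenerated from the client's own files, nothing in /etc/letsencrypt is modified and the client's renewal logic is unaffected.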

brainfoolong Oct 30, 2015

Thanks for the information and answers. I noticed webroot but thought it wasn't usable right now.
I'll do some more tests.