
# profile directory / portability #76

Status: Closed
leepfrog-ger opened this issue Sep 3, 2018 · 3 comments
Labels: question (Further information is requested)

## Comments

@leepfrog-ger commented Sep 3, 2018
First off, thanks for the great module. In other issues you've described that, as of now, the "profile" directory cannot be customized and copy/pasting the directory will not work, as DPAPI is used to encrypt sensitive data.

You also mention that one can just request a new certificate if the profile of the initial requester cannot be used.

My understanding of LE was always that it is "account-based", meaning you register an account with a contact address and so on and then add domains to it. If I use New-PACertificate each time I don't have the original profile available, wouldn't that create new accounts with LE each time?

Is there a more elegant solution to this?

@rmbolger (Owner) commented Sep 4, 2018

> If I use New-PACertificate each time I don't have the original profile available wouldn't that create new accounts with LE each time?

Yes, it would. But LE accounts aren't necessarily a thing that you can only have one of. They're just an association for one or more contact emails and a set of orders. It's quite common to have an account per "server" that is generating certificates. The LE rate limits page only has this to say regarding account related limits:

> The “new-reg”, “new-authz” and “new-cert” endpoints have an Overall Requests limit of 20 per second.
>
> You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers.

So basically, if you need to migrate your installation to a new server or profile and you end up creating a new account in the process, it's no big deal. The orders/certs on the old account will eventually expire and the account will eventually be purged. It only becomes a problem if you're doing this over and over in quick succession.

I should also note that the DPAPI limitation also currently doesn't apply to non-Windows hosts, because PowerShell Core doesn't have a working implementation of it yet.

@rmbolger rmbolger self-assigned this Sep 4, 2018
@rmbolger rmbolger added the question Further information is requested label Sep 4, 2018
@rmbolger (Owner) commented Sep 4, 2018

The other thing you can do, if you really need to keep the profile portable (at the expense of data-at-rest encryption): many of the plugins have "Insecure" parameter set options intended to provide compatibility with non-Windows OSes. But there's nothing stopping you from using them on Windows too.

If there's one in particular you'd want that doesn't have an insecure option, let me know and I can probably add it pretty quick.
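The two comments above (the DPAPI-bound profile, and the "Insecure" plugin parameters that trade encryption for portability) come down to how Windows PowerShell serializes a SecureString. The following script is an added illustration, not code from this issue or from the Posh-ACME module: it shows that a SecureString serialized without a key is DPAPI-protected and therefore only decryptable by the same user on the same machine, that the same value serialized with an explicit AES key is portable (at the cost of protecting that key yourself), and a check that scans a profile directory for DPAPI-bound values before you try to copy it. The assumptions are that it runs under Windows PowerShell 5.1 (where DPAPI works), and that sensitive plugin values are persisted as JSON files somewhere under the profile directory; the file names and layout are not asserted, and `Test-ProfilePortable` is a hypothetical helper, not a module cmdlet.

```powershell
# Added example (not Posh-ACME code). Requires Windows PowerShell 5.1 so that DPAPI is available.

# 1. A SecureString serialized WITHOUT -Key is wrapped by DPAPI and bound to this user + machine.
$secret    = ConvertTo-SecureString 'example-api-token' -AsPlainText -Force   # constructed sample value
$dpapiBlob = ConvertFrom-SecureString $secret

# ConvertFrom-SecureString output starts with the DPAPI version + provider GUID header.
$isDpapi = $dpapiBlob.StartsWith('01000000d08c9ddf0115d1118c7a00c04fc297eb')   # True

# Decrypting works here because the same DPAPI master key is available.
# On another host, or as another user, ConvertTo-SecureString throws
# "Key not valid for use in specified state" and the profile is unusable.
$roundTrip = [System.Net.NetworkCredential]::new('', (ConvertTo-SecureString $dpapiBlob)).Password
$roundTrip -eq 'example-api-token'   # True

# 2. WITH an explicit 256-bit AES key the serialized form is portable across hosts.
#    The secret is still encrypted at rest, but the key is now yours to store and protect,
#    which is the trade-off the DPAPI default makes for you.
$aesKey = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($aesKey)
$portableBlob = ConvertFrom-SecureString $secret -Key $aesKey

# Keyed output carries a different, non-DPAPI marker.
$isKeyed = $portableBlob.StartsWith('76492d1116743f0423413b16050a5345')   # True
$back    = [System.Net.NetworkCredential]::new('', (ConvertTo-SecureString $portableBlob -Key $aesKey)).Password
$back -eq 'example-api-token'   # True, and would also be true on another machine holding $aesKey

# 3. Check before copying a profile: does any JSON file under it contain a DPAPI-bound value?
#    (Hypothetical helper; assumes plugin args are stored as JSON under the profile path.)
function Test-ProfilePortable {
    param([Parameter(Mandatory)][string]$Path)

    $dpapiHeader = '01000000d08c9ddf0115d1118c7a00c04fc297eb'
    $hits = Get-ChildItem -Path $Path -Recurse -Filter *.json -File |
            Select-String -Pattern $dpapiHeader -SimpleMatch

    foreach ($h in $hits) {
        Write-Warning "DPAPI-bound value in $($h.Path): this file will not decrypt on another host/user."
    }
    # True only when nothing in the directory depends on this machine's DPAPI keys.
    return ($hits.Count -eq 0)
}

# Example usage against a hypothetical profile path:
# Test-ProfilePortable -Path "$env:LOCALAPPDATA\Posh-ACME"
```

The header strings are the well-known prefixes of the two `ConvertFrom-SecureString` formats: the unkeyed one begins with the DPAPI blob version and provider GUID, the keyed one with the fixed marker PowerShell writes for AES-encrypted standard strings. Using a plugin's "Insecure" parameter set removes the DPAPI layer entirely, so the check above reports nothing, but the values in the profile are then plaintext and file ACLs become the only protection.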

@leepfrog-ger (Author) commented Sep 4, 2018

Thanks for your extensive reply. I have to admit I wasn't aware of the rate limiting policies around LE accounts, and the numbers you've mentioned are definitely much higher than what we'll need in the foreseeable future, so I will stick with the creation of new accounts for now.

@rmbolger rmbolger closed this as completed Sep 4, 2018