profile directory / portability #76
Yes, it would. But LE accounts aren't necessarily a thing that you can only have one of. They're just an association for one or more contact emails and a set of orders. It's quite common to have an account per "server" that is generating certificates. The LE rate limits page only has this to say regarding account related limits:
So basically, if you need to migrate your installation to a new server or profile and you end up creating a new account in the process, it's no big deal. The orders/certs on the old account will eventually expire and the account will eventually be purged. It only becomes a problem if you're doing this over and over in quick succession. I should also note that that DPAPI limitation also currently doesn't apply to non-Windows hosts because PowerShell Core doesn't have a working implementation of it yet.
The other thing you can do if you really need to keep the profile portable (at the expense of data-at-rest encryption), many of the plugins have "Insecure" parameter set options intended to provide compatibility with non-Windows OSes. But there's nothing stopping you from using them on Windows too. If there's one in particular you'd want that doesn't have an insecure option, let me know and I can probably add it pretty quick.
Thanks for your extensive reply. I have to admit I wasn't aware of the rate limiting policies around LE accounts and the numbers you've mentioned are definitely much higher than what we'll need in the foreseeable future - so I will stick with the creation of new accounts for now.
First off thanks for the great Module. In other issues you've described that as of now the "profile" directory cannot be customized and copy/pasting the directory will not work as DPAPI is used to encrypt sensitive data.
You also mention that one can just request a new certificate if the profile of the initial requester cannot be used.
My understanding of LE was always that it is "account-based". Meaning you register an account with a contact address and so on and then add domains to it. If I use `New-PACertificate` each time I don't have the original profile available, wouldn't that create new accounts with LE each time? Is there a more elegant solution to this?