Posh-ACME VS letsencrypt

Yes. It’s just text, right? So as long as the process you’re using to copy the contents into the string variable isn’t accidentally adding or removing white space (including line breaks), it should just be a matter of matching the output encoding and line endings. If the source file has Unix line endings, you may need to drop into .NET in order to output your string variable to the file. There’s an example you can use at the end of this file.

Dropped it for Posh-ACME https://github.com/rmbolger/Posh-ACME

Also wanted to plug my cert related modules Posh-ACME and Posh-ACME.Deploy for getting and deploying free certs from Let's Encrypt or other ACME-based cert authorities. Though my modules typically require at least PS 5.1 and .NET 4.7.1.

while it does indeed work well and i did some tests with it in my home env things like https://github.com/rmbolger/Posh-ACME/issues/333 happening don't really help putting trust in the reliability of that unfortunately.

Setup a KeyVault and Managed Identity, which you can integrate with DigiCert natively. If you'd rather use Let's Encrypt, keyvault-acmebot does work well. Certify and win-acme have KeyVault plugins, just run the software on a VM somewhere and update KeyVault. You can also use Posh-ACME and the Azure Az PowerShell module to roll your own. You could also do it on a Linux/BSD OS with various ACME implementations and the Azure CLI.

Posh-ACME can help with obtaining a free cert from a public CA. I know nothing about Dynamics365 though. So I'll have to defer to others on being able to deploy the cert to it.

This seems to be not implemented in certbot, yet: https://github.com/certbot/certbot/issues/6566

If you do go with NPM or Traefik, under the covers it's using certbot to request/renew your certificates through Let's Encrypt using the DNS-01 challenge, meaning you can get wildcard certs and don't have to futz around with port forwards. Again I'd think Caddy has similar functionality, I just have not used it personally. Raw NGINX you probably don't want to try out yet considering it requires manually doing the configs

certbot won't be missed. The code quality is pretty poor.

https://github.com/certbot/certbot/issues 5000 bugs and it most of it can be replaced by much smaller tools

Here’s a good code reference (Python and rust): https://github.com/certbot/certbot

I am trying to migrate off of Linux and back to FreeBSD, but I hit a problem today. The Let's Encrypt Certbot is not installing. A bit surprising, given how important it is. So I thought I would notify the community Here is my bug report. https://github.com/certbot/certbot/issues/9394

Last release: https://github.com/certbot/certbot/releases (on 28th August 2022 = 1.29.0)

Right? It’s so ridiculous how you’re supposed to use Snap to install certbot. The (well, one of..) GitHub discussion is just beyond the pale:

https://github.com/certbot/certbot/issues/8345#issuecomment-...

It goes way beyond, since Let's Encrypt influence the ecosystem a lot and the standards that are used.

If you use Let's Encrypt, you are likely using Certbot, which means that everybody uses a tool that a central authority strongly recommends to you.

I wonder how they generate the key, for example, it may be using secp256r1: https://github.com/certbot/certbot/blob/5c111d0bd1206d864d7c...

# nginx-ingress-https.conf events { } http { include mime.types; server { listen 443 ssl; listen [::]:443 ssl; server_name sg.horlick.me; ssl_certificate /etc/letsencrypt/live/sg.horlick.me/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/sg.horlick.me/privkey.pem; # taken from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf ssl_session_cache shared:le_nginx_SSL:10m; ssl_session_timeout 1440m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers off; ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; ssl_dhparam /etc/ssl/certs/dhparam.pem; sendfile on; tcp_nopush on; tcp_nodelay on; location / { proxy_pass http://host.docker.internal:9090/; proxy_http_version 1.1; proxy_cache_bypass $http_upgrade; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; } } }