letsencrypt VS cloudinit

This seems to be not implemented in certbot, yet: https://github.com/certbot/certbot/issues/6566

If you do go with NPM or Traefik, under the covers it's using certbot to request/renew your certificates through Let's Encrypt using the DNS-01 challenge, meaning you can get wildcard certs and don't have to futz around with port forwards. Again I'd think Caddy has similar functionality, I just have not used it personally. Raw NGINX you probably don't want to try out yet considering it requires manually doing the configs

certbot won't be missed. The code quality is pretty poor.

https://github.com/certbot/certbot/issues 5000 bugs and it most of it can be replaced by much smaller tools

Here’s a good code reference (Python and rust): https://github.com/certbot/certbot

I am trying to migrate off of Linux and back to FreeBSD, but I hit a problem today. The Let's Encrypt Certbot is not installing. A bit surprising, given how important it is. So I thought I would notify the community Here is my bug report. https://github.com/certbot/certbot/issues/9394

Last release: https://github.com/certbot/certbot/releases (on 28th August 2022 = 1.29.0)

Right? It’s so ridiculous how you’re supposed to use Snap to install certbot. The (well, one of..) GitHub discussion is just beyond the pale:

https://github.com/certbot/certbot/issues/8345#issuecomment-...

It goes way beyond, since Let's Encrypt influence the ecosystem a lot and the standards that are used.

If you use Let's Encrypt, you are likely using Certbot, which means that everybody uses a tool that a central authority strongly recommends to you.

I wonder how they generate the key, for example, it may be using secp256r1: https://github.com/certbot/certbot/blob/5c111d0bd1206d864d7c...

# nginx-ingress-https.conf events { } http { include mime.types; server { listen 443 ssl; listen [::]:443 ssl; server_name sg.horlick.me; ssl_certificate /etc/letsencrypt/live/sg.horlick.me/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/sg.horlick.me/privkey.pem; # taken from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf ssl_session_cache shared:le_nginx_SSL:10m; ssl_session_timeout 1440m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers off; ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; ssl_dhparam /etc/ssl/certs/dhparam.pem; sendfile on; tcp_nopush on; tcp_nodelay on; location / { proxy_pass http://host.docker.internal:9090/; proxy_http_version 1.1; proxy_cache_bypass $http_upgrade; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; } } }

Newer versions of OS use cloud init -> https://cloud-init.io/

Overall, I think in an article that focuses on cloud computing (specifically AWS) there's too much time being spent in the local command line of a server.

It's an especially revealing sentence when the authors says that "Most attacks won’t be against what we’ve covered in this guide, but against the applications you install next. Properly done, containers can limit the impact."

If we are running containerized applications and we are already in the cloud, why are we futzing around on the command line of a Linux box? Why are we not using a cload orchestrator that abstracts the OS from the equation entirely?

If we do have a need to be on a bare Linux box, all of this OS configuration is better handled with cloud init [1], a configuration management tool like Ansible, and/or by building an image with Packer.

I know that seems like overkill for a small hobby reluctant sysadmin project type of deal but it's very little extra effort once you get used to the workflow. I would even recommend putting this infrastructure in Terraform even though, again, it seems like overkill at first.

Someone else in the comments mentioned that it's easier to just start with a hardened image from the AWS Marketplace, and I also agree with that idea. Find a free hardened image and make that the base for your system.

[1] https://cloud-init.io

Found this related article: "cloud-init re-generates network config every reboot overwriting manual admin changes on CentOS." https://github.com/canonical/cloud-init/issues/2983

You can just lift and shift an exisiting project into the cloud, but let's say you're using AWS's CFT's to define an EC2 instance. Great! throw in some cloud-init ( https://cloud-init.io/ ) script for your ubuntu cloud image for some automated-ness in provisioning and you're off to the races!

You can run an os that has a cloudinit setup. This will on boot do whatever you have in the cloud init file. Check out https://cloud-init.io/ its becoming a standard in operating systems that aren't desktop oriented.

Oh, and as a big bonus, Xen Orchestra supports cloud-init which is a really nice way to customize VMs from a baseline.

Since this is the standard Ubuntu image it's presumably cloud-init which is interpreting your user_data, in which case there are two other possible techniques to use to get this key registered.

Most Linux distribution images in EC2 include cloud-init which runs on startup and retrieves the user data. If you are using a standard Linux distribution AMI then it's probably cloud-init that is taking actions based on your user data, and so cloud-init's documentation on User Data Formats is the relevant reference for you.

Yup. There are several options.