[Letsencrypt-devel] Bug#817865: RFS: acmetool/0.0.49 [ITP] -- automatic certificate acquisition tool for Let's Encrypt
Peter Colberg
peter at colberg.org
Fri Mar 18 05:15:54 UTC 2016

Hi Harlan,

[Cc'ing Debian Go team]

On Thu, Mar 17, 2016 at 11:34:12PM -0400, Harlan Lieberman-Berg wrote:
> The Let's Encrypt team might be able to help you get sponsorship for
> this. Quick question -- besides the implementation language, what are
> the main differences between this tool and acme-tiny?

That would be great!

What are your thoughts on switching the Maintainer of the acmetool
package to the Debian Let’s Encrypt team? While the package uses the
dh_golang helper and fits well within the pkg-go team from a developer
perspective, I expect user bug reports to require mostly knowledge of
ACME and the Let’s Encrypt service.

Briefly, acmetool lies half-way between python-letsencrypt and
acme-tiny. Like python-letsencrypt and unlike acme-tiny, acmetool
manages certificates in a directory hierarchy. Like acme-tiny and
unlike python-letsencrypt, acmetool’s sole purpose is to acquire
TLS certificates.

acmetool is similar to “make”: If all certificate requirements are
met, acmetool will do nothing. For each desired certificate, the user
runs “acmetool want” with a list of hostnames, which creates a config
file and acquires the certificate. Then acmetool may be rerun without
arguments to renew certificates that are close to expiry.

acmetool’s YAML-based minimal configuration files are well structured
and documented, which makes them suitable both for editing by hand and
automatic configuration management.

acmetool fully supports running as either root or non-root user, and
implements various methods to complete challenges such as webroot mode
and HTTP proxy mode. acmetool is silent by default and will only output
errors, which makes it ideal for use in cron jobs.

Please take a look at acmetool's user guide:

https://hlandau.github.io/acme/userguide

For the Debian package, I have written a README.Debian that provides
some hints on using acmetool and that is hopefully generally useful:

https://anonscm.debian.org/cgit/pkg-go/packages/acmetool.git/plain/debian/README.Debian

Overall, my initial impression is that acmetool comes closest to “set
it and forget it”. Since certificate renewals are only necessary every
so often, time will tell whether the “forget it” part is accurate.

Regards,
Peter