this post was submitted on 10 Mar 2024
17 points (90.5% liked)

Technology

59135 readers
6622 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L4s@lemmy.world
L3s@fry.gs
L4s@fry.gs
enu@lemmy.world
17
Should Caddy and Traefik Replace Certbot? (www.eff.org)
submitted 8 months ago by leo@lemmy.linuxuserspace.show to c/technology@lemmy.world
11 comments fedilink hide all child comments
all 12 comments
sorted by: hot top controversial new old
[–] notannpc@lemmy.world 2 points 8 months ago

I’ve used traefik for 7 years at this point and the only time I had to think about certificates was when I blocked my servers running traefik from making DNS calls needed for the cert generation.

I’ve got 6 domains now all with certs managed by traefik. Highly recommend checking it out, especially if you’re running most things in docker.

[–] lemann@lemmy.dbzer0.com 1 points 8 months ago

I use certbot on only a single one of my oldest projects that has been going for almost a decade.

For everything else I use acme.sh because it works so well and integrates with a ton of DNS providers. The one time I had an issue, it was already fixed in a PR, so I just checked out that fixed version and used it for renewals until it was merged in.

[–] pztrn@bin.pztrn.name 1 points 8 months ago

Using Caddy for couple of years already at home, yet using certbot at job, because of requirements to use nginx as balancer.

[–] jlh@lemmy.jlh.name 1 points 8 months ago

cert-manager works really well.

[–] JoeKrogan@lemmy.world 0 points 8 months ago (1 children)

No. Not everyone uses traefik or caddy

[–] BenPranklin@lemmy.world 1 points 8 months ago* (last edited 8 months ago)

Yeah man, that's the point of the article. Its asking the question "should everyone who isnt using them already move to them". Its not saying everyone already does.

[–] abhibeckert@lemmy.world -1 points 8 months ago (1 children)

Certbot is so problematic we still pay for most of our certificates because it’s more reliable.

I’m not sure if Caddy/Traefik is the answer but it’s clear the work should be handed over to a team with a proper focus on reliability.

[–] pastermil@sh.itjust.works 3 points 8 months ago (1 children)

Can you elaborate on this reliability issue?

[–] abhibeckert@lemmy.world 1 points 8 months ago* (last edited 8 months ago)

Certbot is supposed to automatically renew certificates. It doesn't do that reliably in my experience.

We use it on non-critical systems and every few months I need to go in and fix things... that never happens with traditional certificates - those are setup and forget.

As for the exact problems, I don't think we've ever had the same problem twice. It's always a once off thing but it's still an hour of wasted time each and every time. If it happened on a proper production system it'd be a lot more than an hour, since whatever change is made would need a full gamut of testing / reporting / etc.