Open scoates opened 6 years ago
Yeah, I'm okay with this.. I think.
The auto-renewing of LE has always been flaky at best, the python-LE script it all relies on is hacky as heck.. and now ACM JustWorks and is also free. The only thing is that it requires using Route53, which doesn't support all the new TLDs as I recently discovered.
Few things here:
`zappa certify` this would certainly streamline things. It's also necessary to use R53 for apex/naked domains if you need an ALIAS record.
Yeah. R53 doesn't care what you call your hosted zone:
+1 When I tried to implement supporting Multiple Domains, refactoring the code was made more complicated with the LE, and I was really wanting to just remove it altogether. I think if LE is removed, it would make my changes for multiple domains cleaner.
There are a bunch of issues related to Let's Encrypt, and some undesired behaviors in `zappa certify` related to Custom Domain Names.
When Zappa started, there was a need for Let's Encrypt (LE). Amazon Certificate Manager (ACM) was either young or didn't have good support in API Gateway, and there may or may not have been support for wildcard certs in ACM back then.
But today, given that we're in AWS land, is there anything that Let's Encrypt still offers us that ACM does not?
The only thing I can think of is a scenario where the developer might have or need access to the certificate's private key, but I think that's still manageable by importing it into ACM and supplying the certificate ARN in `zappa_settings`. Please correct me if I'm wrong.
I propose that we drop LE support and focus on ACM. This code needs some attention, and avoiding the branched logic will help keep it clean.
(I don't know the actual plan for branching Zappa out to non-AWS environments, if one exists, but that could maybe be a good case for keeping LE support.)
Discuss? (-: