geerlingguy / ansible-role-certbot

Ansible Role - Certbot (for Let's Encrypt)
https://galaxy.ansible.com/geerlingguy/certbot/
MIT License

Recommendation to Prioritize Snap Installation for Certbot and Deprecate Outdated Install Methods #206

Open onknows opened 7 months ago

onknows commented 7 months ago

I've noticed that the geerlingguy.certbot Ansible role currently supports package and source installation methods for Certbot. However, I propose reconsidering these options due to their limitations and potential misalignments with the Certbot community's recommendations.

Package Install Method Concerns: When using the package install method, especially on platforms like Ubuntu 22, users often end up with outdated versions of Certbot. The Certbot community predominantly supports the Snap installation method. While third-party packages might be available in some scenarios, having Snap as the default installation method seems more aligned with current best practices.

Source Install Method Issues: The source installation approach relies on the certbot-auto script, which is no longer available or supported. This method fails to work as intended. An alternative could be to develop a custom script within this role, but it's crucial to assess its maintenance and support implications.

Given these considerations, I suggest:

  1. Making Snap the default installation method.
  2. Adding warnings or deprecating the package and source install methods.
  3. Investigating the feasibility of incorporating a custom script for source installation, if deemed necessary.

These changes should help ensure users have the most reliable and up-to-date Certbot experience.

C0rn3j commented 4 months ago

If you mind your repository package is out of date, package a newer version yourself or use a third party repository, it's not in the scope of the role to fix that for you.

I also disagree with tying this role to Canonical-controlled backend and even deprecating package installs, that's just bad, despite LE thinking it's a good idea.
The role DOES support Snap, it's just not default - https://github.com/geerlingguy/ansible-role-certbot?tab=readme-ov-file#snap-installation. If the current source scripts are broken, it would be nice to fix them.
Seeing that upstream deprecated the previous method, that one seems fun to do.

The most sane option would be to install the latest version in a venv.

https://eff-certbot.readthedocs.io/en/latest/install.html#alternative-2-pip

Notably, by NOT following the upstream documentation, which seems to suggest you wreck your system packages to get it working by means of sudo pip, which won't even work on modern distributions that enabled a safeguard against this.

funkyfuture commented 2 months ago

Looking at the current instruction selection form for Certbot, it's obvious that the vendor doesn't share the resentment towards Snap that many other people have. So my conclusion would be that the snap based deployment should be default for platforms that aren't supported otherwise, e.g. Ubuntu 22+.

A pipx-based deployment option seems reasonable and interesting to me.
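As an added example (not a task file from the geerlingguy.certbot role), this is what the isolated-venv install that C0rn3j proposes could look like as role tasks, keeping Certbot out of the system site-packages and verifying the binary actually runs. The variable name `certbot_venv_dir` and the Debian package name `python3-venv` are assumptions for this sketch.

```yaml
# Added example: a venv-based install path for a certbot role.
# Variable names are assumed; this is not the role's own task file.
- name: Ensure the venv module is available (Debian/Ubuntu; assumed package name)
  ansible.builtin.apt:
    name: python3-venv
    state: present
  when: ansible_os_family == "Debian"

- name: Install or upgrade certbot into an isolated virtualenv
  ansible.builtin.pip:
    name: certbot
    state: latest
    virtualenv: "{{ certbot_venv_dir | default('/opt/certbot') }}"
    # Use the stdlib venv module so no system pip/virtualenv package is modified
    virtualenv_command: "{{ ansible_python.executable }} -m venv"

- name: Expose the venv certbot on PATH without touching system site-packages
  ansible.builtin.file:
    src: "{{ certbot_venv_dir | default('/opt/certbot') }}/bin/certbot"
    dest: /usr/local/bin/certbot
    state: link

- name: Verify the installed certbot runs (fails the play if the venv is broken)
  ansible.builtin.command: "{{ certbot_venv_dir | default('/opt/certbot') }}/bin/certbot --version"
  register: certbot_version
  changed_when: false

- name: Report the installed version so an outdated build is visible in the run log
  ansible.builtin.debug:
    msg: "{{ certbot_version.stdout }}"
```

Because `state: latest` upgrades on every run, re-running the play keeps Certbot current without a separate upgrade job.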