internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Deployment certificate improvements #1273

Open bwbroersma opened 6 months ago

bwbroersma commented 6 months ago

Currently the setup is a single 4K RSA certificate from Let's Encrypt (LE): https://github.com/internetstandards/Internet.nl/blob/118b8b87fa9d1b6f0898bf16de9027012d403347/docker/webserver/certbot.sh#L45-L60

Also, at first a certificate for only the main domain is requested (to prevent blocking if one of the subdomains is not configured), but this gives an extra certificate, even if the setup is done correctly: https://github.com/internetstandards/Internet.nl/blob/118b8b87fa9d1b6f0898bf16de9027012d403347/docker/webserver/certbot.sh#L36-L38

It could be improved for increased support, better performance and robustness by:

Cons:

mxsasha commented 4 months ago

Additional: certbot should refresh the certificate if the list of additional domains changes, to account for removal of hostnames.
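The drift check this comment asks for, as an added example that is not part of the thread or of the project's certbot.sh: it compares the wanted hostname list with the SANs of the issued certificate and reports names to add (`+`) and names to drop (`-`). All function names are hypothetical, and the caller is assumed to re-request the certificate when the check returns non-zero.

```sh
#!/bin/sh
# Added example: detect drift between the wanted hostnames and a certificate's SANs.
# Function names are hypothetical; they are not taken from the project's certbot.sh.

# Read names separated by commas or whitespace; print one lowercase name per line, sorted.
normalize_names() {
    tr -s ', \t' '\n\n\n' | tr 'A-Z' 'a-z' | sed '/^$/d' | LC_ALL=C sort -u
}

# Extract the DNS entries from `openssl x509 -noout -ext subjectAltName` output on stdin.
sans_from_text() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' | normalize_names
}

# only_in A B: print the lines of A that do not occur in B (fixed-string, whole-line match).
only_in() {
    printf '%s\n' "$1" | while IFS= read -r n; do
        [ -n "$n" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$n" || printf '%s\n' "$n"
    done
}

# san_drift WANTED SAN_TEXT
# Prints "+name" for wanted names missing from the certificate and "-name" for
# certificate names that are no longer wanted. Returns 0 if the sets match, else 1.
san_drift() {
    want=$(printf '%s\n' "$1" | normalize_names)
    have=$(printf '%s\n' "$2" | sans_from_text)
    add=$(only_in "$want" "$have" | sed 's/^/+/')
    del=$(only_in "$have" "$want" | sed 's/^/-/')
    out=$(printf '%s\n%s\n' "$add" "$del" | sed '/^$/d')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone use: san_drift.sh "a.example,b.example" /path/to/cert.pem
if [ "$#" -eq 2 ]; then
    san_drift "$1" "$(openssl x509 -in "$2" -noout -ext subjectAltName)"
    exit $?
fi
```

A `-name` line is the case raised here: the hostname is still in the certificate although it was removed from the configured list.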

bwbroersma commented 4 months ago

Discussed with @aequitas & @mxsasha: the current behavior of a two-stage request is desired; note to perform the Live tests as specified in the documentation after a deployment (linked in Deployment > Testing your installation). Afterthoughts: could also change from the two-stage to an optimistic approach and explicitly report the FAILED_DOMAINS, and have an overwrite / fallback to root domain only, if this of course doesn't add endless complexity to the shell scripting.

Also discussed the alerting fatigue of the (not yet set up) Let's Encrypt certificate alerts, and concluded that a full endpoint check on the deployed certificate is best. I noted I liked the cert_check of mailcow; note they also have an acme_check which alerts on ACME errors in the log, which might be useful too. Related: