abhibeckert@lemmy.world
on 10 Mar 2024 22:13
nextcollapse
Certbot is so problematic we still pay for most of our certificates because it’s more reliable.
I’m not sure if Caddy/Traefik is the answer but it’s clear the work should be handed over to a team with a proper focus on reliability.
pastermil@sh.itjust.works
on 11 Mar 2024 00:50
collapse
Can you elaborate on this reliability issue?
abhibeckert@lemmy.world
on 11 Mar 2024 10:57
collapse
Certbot is supposed to automatically renew certificates. It doesn’t do that reliably in my experience.
We use it on non-critical systems and every few months I need to go in and fix things… that never happens with traditional certificates - those are setup and forget.
As for the exact problems, I don’t think we’ve ever had the same problem twice. It’s always a once off thing but it’s still an hour of wasted time each and every time. If it happened on a proper production system it’d be a lot more than an hour, since whatever change is made would need a full gamut of testing / reporting / etc.
jlh@lemmy.jlh.name
on 10 Mar 2024 22:16
nextcollapse
cert-manager works really well.
JoeKrogan@lemmy.world
on 10 Mar 2024 22:24
nextcollapse
No. Not everyone uses traefik or caddy
BenPranklin@lemmy.world
on 11 Mar 2024 22:22
collapse
Yeah man, that’s the point of the article. Its asking the question “should everyone who isnt using them already move to them”. Its not saying everyone already does.
Can confirm that acme.sh is a great option. Way better support of many DNS APIs than Certbot, including easier setup of wildcard certificates. Personally moved to this when Certbot’s ability to do RFC2136 (dynamic DNS method that many DNS servers support) was seriously lacking, and never looked back.
notannpc@lemmy.world
on 11 Mar 2024 01:12
nextcollapse
I’ve used traefik for 7 years at this point and the only time I had to think about certificates was when I blocked my servers running traefik from making DNS calls needed for the cert generation.
I’ve got 6 domains now all with certs managed by traefik. Highly recommend checking it out, especially if you’re running most things in docker.
MaggiWuerze@feddit.de
on 11 Mar 2024 09:08
collapse
Traefik is a godsent. Just build your services with compose, add a few labels and most services work directly. If a service needs additional headers or whatever, that’s just more labels but traefik takes care of it all.
Especially the certificate function makes the whole deal so much more comfortable
lemann@lemmy.dbzer0.com
on 11 Mar 2024 02:26
nextcollapse
I use certbot on only a single one of my oldest projects that has been going for almost a decade.
For everything else I use acme.sh because it works so well and integrates with a ton of DNS providers. The one time I had an issue, it was already fixed in a PR, so I just checked out that fixed version and used it for renewals until it was merged in.
pztrn@bin.pztrn.name
on 11 Mar 2024 02:27
nextcollapse
Using Caddy for couple of years already at home, yet using certbot at job, because of requirements to use nginx as balancer.
megaman@discuss.tchncs.de
on 11 Mar 2024 21:02
collapse
I started out using certbot, but once i needed a reverse proxy i found caddy. I was confused at first at how to set up the certificates for caddy, but it told me it would just work and my sites have the https and the little lock, so i guess it is just magic!
Have found caddy to be generally easy. I think first starting with it took a bit more to figure out, but it does work well
threaded - newest
Certbot is so problematic we still pay for most of our certificates because it’s more reliable.
I’m not sure if Caddy/Traefik is the answer but it’s clear the work should be handed over to a team with a proper focus on reliability.
Can you elaborate on this reliability issue?
Certbot is supposed to automatically renew certificates. It doesn’t do that reliably in my experience.
We use it on non-critical systems and every few months I need to go in and fix things… that never happens with traditional certificates - those are setup and forget.
As for the exact problems, I don’t think we’ve ever had the same problem twice. It’s always a once off thing but it’s still an hour of wasted time each and every time. If it happened on a proper production system it’d be a lot more than an hour, since whatever change is made would need a full gamut of testing / reporting / etc.
cert-manager works really well.
No. Not everyone uses traefik or caddy
Yeah man, that’s the point of the article. Its asking the question “should everyone who isnt using them already move to them”. Its not saying everyone already does.
.
Those look some really cool options! I might end up using one of these for my environment.
Can confirm that acme.sh is a great option. Way better support of many DNS APIs than Certbot, including easier setup of wildcard certificates. Personally moved to this when Certbot’s ability to do RFC2136 (dynamic DNS method that many DNS servers support) was seriously lacking, and never looked back.
I’ve used traefik for 7 years at this point and the only time I had to think about certificates was when I blocked my servers running traefik from making DNS calls needed for the cert generation.
I’ve got 6 domains now all with certs managed by traefik. Highly recommend checking it out, especially if you’re running most things in docker.
Traefik is a godsent. Just build your services with compose, add a few labels and most services work directly. If a service needs additional headers or whatever, that’s just more labels but traefik takes care of it all. Especially the certificate function makes the whole deal so much more comfortable
I use certbot on only a single one of my oldest projects that has been going for almost a decade.
For everything else I use acme.sh because it works so well and integrates with a ton of DNS providers. The one time I had an issue, it was already fixed in a PR, so I just checked out that fixed version and used it for renewals until it was merged in.
Using Caddy for couple of years already at home, yet using certbot at job, because of requirements to use nginx as balancer.
I started out using certbot, but once i needed a reverse proxy i found caddy. I was confused at first at how to set up the certificates for caddy, but it told me it would just work and my sites have the https and the little lock, so i guess it is just magic!
Have found caddy to be generally easy. I think first starting with it took a bit more to figure out, but it does work well