And let's encrypt...
Ok, we continue with the discussione accidentally started yesterday with the comment related to SSL certificates. Now, the more attentive realized that I have now a Let's Encrypt certificate. This because I don't trust much the provider and I want to cover my ass before it's too late.
So... what's my problem with Let's Encrypt?
We start with a simple note: I am a bit weary of "free" stuff. Because somebody sooner or later has to pay. And base something on something 'free' has always some risk. Even something like Let's Encrypt, that produce SSL certificates, that are basically files and as such the production cost is negligible, they still have associated costs. Somebody has to pay for the infrastructure and probably there is maintenance involved. I understand that and so why there are provider that are selling certificates. I have no problem in paying what I think is a "faire" price (I am also a supported of Let's Encrypt), because I understand that there is work behind it.
The first "problem" is that the default "client" that is suggested to use (certbot) is a python script that DOES NOT WORK on my server. Now, I have no problem with any language, most of the time the problem is not the language, is the developer. But in the case of python, I really like languages where I can decide how I want to indent my code, so if I can, I leave python in its nest.,
Why the client doesn't work? I don't know. Maybe because whoever made it didn't tested it properly and frankly, I have no intention of debugging it.
The second "problem" is that, until recently, they didn't supported "wildcard" certificate, that is what I use, so that was a blocking problem for me. Now they do support them, but the "security check" require a change in the DNS and this is a problem because the DNS I am using doesn't allow for quick changes, so in most cases the "check" fail and I have to restart everything from scratch.
The third "problem" is that the certificates have a short lifespan, only 3 months. Now, a certificate that never expires have more problems from a security point of view, but between nothing and the eternity there are several shades of grey. Until a few years ago it was possible to get certificates with 3 or 5 years validity, recently they shortened the life to 1 year. Now, I'm not completely convinced that this is for 'security' and not to simply get more money (or more often) but what the hell.. But 1 year is 4 times 3 months. So if we put together this with the previous problem, you understand why I am not a real fan of spending half a day to babysit the renewal process every 3 months. Again: I don't get any money from this.
That's why I'd really like to get a certificate from an accredited company that does the checks via e-mail and doesn't require me to do weird things to have a fucking client that doesn't want to work to cooperate.
So... why now I have a certificate and how did I do?
As said at the beginning, I don't really trust my actual provider, since they seems a bit to anxious of selling things that are a lot more expensive, so I decide that I want a "plan B" before I commit to "plan A". So I installed a vm on my laptop (thanks to Windows that now provide an hypervisor included in the system) and spent half a day messing around with different "clients" until I managed to make one work. And just for the records, I ignored python and went for Perl and Bash.
Now let's see what the provider does, because I'd rather pay one provider than repeat this mess each 3 months.
Davide Bianchi
01/09/2021 13:06
