| 13 Jun 2023 |
 emily | I suspect the majority of people don't have any of the special lego options set. but the biggest breakage would be DNS challenge setups, esp. in terms of provider availability. | 20:29:15 |
 m1cr0man | In reply to @emilazy:matrix.org
I suspect the majority of people don't have any of the special lego options set. but the biggest breakage would be DNS challenge setups, esp. in terms of provider availability. yeah lego is pretty much unmatched for DNS support | 20:29:33 |
| emily | Caddy/certmagic/etc. do actually have a backwards compatibility layer for lego's providers | 20:29:34 |
| m1cr0man | oh? | 20:29:43 |
| emily | and probably the most first party DNS providers outside of lego too (https://github.com/libdns) | 20:29:51 |
| m1cr0man | oh. wow | 20:30:34 |
| emily | https://github.com/caddy-dns/lego-deprecated is the shim | 20:31:07 |
 Arian | I think cert-manager comes close. But it requires Kubernetes | 20:34:12 |
| Arian | It does all the queueing and concurrency stuff | 20:34:49 |
| m1cr0man | ugh jeez | 20:37:19 |
| emily | I think Caddy would be an easier sell than Kubernetes at least :P | 20:40:27 |
| emily | (but also I don't think we should rush into any major change; we've had this setup - which is janky in many ways because of lego's insufficiencies but works fine in most cases and is much better than the old simp_le one - for years, we can afford to stew on what we actually want to do and how much it would improve things for us. I'm personally sick of lego but maybe we can make it work and even if we can't it will pay to do a lot of assessment and testing of any potential replacement before making any moves. the worst thing we can do is tell people we're making things better with some one-time transition pain and then we just get a new set of problems or even end up migrating again.) | 20:45:23 |
| emily | (in terms of "ACME quality of implementation and best operational practices" I think Caddy has very few competitors and would solve a lot of our problems; we can start up a single long-running daemon and get rid of basically all our gross shell logic. but it's not all sunshine and roses; for one thing, using DNS providers would require us to have a story for Caddy modules (though we could probably just build a mega-ACME-Caddy with all the first-party providers out of the box), and also you can certainly do better in terms of hardening (Go is memory safe, but AFAIK there's no privilege separation going on: it's possible that exploits could leak private key material through confused deputy or Go runtime exploits)) | 20:48:06 |
