Certbot Renewability Status And Adding Its Monitoring

Discussion in 'Developers' Forum' started by ahrasis, Mar 9, 2021.

  1. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    1. I would like to know whether ISPConfig will keep using certbot (so far still the official LE client) for another 3-5 years' time or will drop it anytime sooner, since acme.sh is now ISPConfig's official LE client?

    2. If the former, would it be appropriate to propose that ISPConfig add a monitor script using the certbot renew dry-run command to show whether there is a faulty domain that may cause renewal failure? I think this will benefit the admin in monitoring his ISPConfig server.

    I noted that acme.sh has no equivalent to dry-run, though it has a test feature which is deployable rather than simply checking like dry-run.
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Is there any advantage to dry-run vs actually trying the renew and printing the error when it fails? (Doesn't hit request limits or something?)
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes, and as mentioned, so the admin may fix errors for domains in his ISPConfig server logged by certbot renew dry-run.

    Or are you suggesting to simply take them from the certbot renew command logs that run every night? In that case, I guess, whichever is better.
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I don't think we will remove support for it, but we will encourage users to use acme.sh. It would be nice if we could install both in the future and when a domain is ready for renewal, the client is switched from certbot to acme.sh (this can't happen all at once due to the rate limits). If such a function exists for a longer period of time, we might remove support for it (or at least we will not actively support it).

    We could do that, and detect warnings automatically.
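
The monitoring idea discussed in this thread, as an added example (not code from ISPConfig or from any poster): a shell filter that pulls the failing certificate names out of `certbot renew --dry-run` output. The function names and the sample output are constructed, and the `(failure)` summary-line format is an assumption that should be checked against the installed certbot version.

```shell
#!/bin/sh
# Added example: report which certificate lineages failed a certbot dry-run.
# Assumption: certbot's summary lists each failed lineage as
#   "  /etc/letsencrypt/live/<name>/fullchain.pem (failure)"

# failed_lineages: read certbot output on stdin and print the <name> of
# every lineage marked "(failure)", one per line, without duplicates.
failed_lineages() {
    sed -n 's|^[[:space:]]*/.*/live/\([^/]*\)/[^/]*\.pem (failure)$|\1|p' | sort -u
}

# check_renewal: print one "RENEWAL-FAIL <name>" line per failed lineage.
# Returns 1 if any lineage failed, 0 otherwise (usable as a monitor status).
check_renewal() {
    failed=$(failed_lineages)
    if [ -z "$failed" ]; then
        return 0
    fi
    printf '%s\n' "$failed" | sed 's/^/RENEWAL-FAIL /'
    return 1
}

# sample_output: constructed dry-run output (not captured from a real server).
sample_output() {
cat <<'EOF'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/ok.example.com.conf
Processing /etc/letsencrypt/renewal/old.example.org.conf
Processing /etc/letsencrypt/renewal/broken.example.net.conf
The following simulated renewals succeeded:
  /etc/letsencrypt/live/ok.example.com/fullchain.pem (success)
The following simulated renewals failed:
  /etc/letsencrypt/live/old.example.org/fullchain.pem (failure)
  /etc/letsencrypt/live/broken.example.net/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)
EOF
}

# Demo on the constructed sample. A nightly job would instead run:
#   certbot renew --dry-run 2>&1 | check_renewal
sample_output | check_renewal || echo "dry-run reported failures" >&2
```
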
