On Tue, 02 Feb 2021, Peter Boy wrote:
On 01.02.2021 at 17:46, Matthew Miller <mattdm@fedoraproject.org> wrote:
recommending installing certbot via snap. While it's good that snap works on Fedora systems, it's not the best experience
It's really a bad recommendation, not only regarding Fedora but also other non-Debian distributions such as SuSE, Archlinux, etc.
The main problem is not only
most particularly that Fedora sysadmins do not have any experience with snap
(https://pagure.io/fesco/issue/2570)
Snap fiddles with central system configurations, such as the order of libraries in the system path, which can and does lead to all kinds of conflicts introduced by third-party snap packages.
The stability of Fedora Server is based precisely on the fact that all packages go through the same Fedora QA process. We must not compromise on this.
And by the way, what they specifically have in mind in relation to the Fedora letsencrypt package. I can't recall any problem of the kind that the letsencrypt project cites there.
We (FreeIPA) have support for ACME in FreeIPA 4.9 series which are part of Fedora Rawhide since last year and yesterday were submitted as updates to Fedora 32/33. This is a server-side ACME support but we are testing it with Fedora-provided certbot and mod_md, the two ACME clients we have in Fedora. These tests are part of our CI testing process upstream.
Fraser Tweedale blogged along the way of adding ACME support on how it works and how integration is done here: https://frasertweedale.github.io/blog-redhat/tags/acme.html
Here is how we test ACME. Note that this is working against our own ACME implementation, not Let's Encrypt, but it is a comprehensive test suite for ACME clients in Fedora and RHEL/CentOS Stream: https://github.com/freeipa/freeipa/blob/master/ipatests/test_integration/tes...
We had ups and downs with these tests but the client side mostly works just fine. As a side note, we are planning to reuse CI pipelines which we run for RHEL builds and in FreeIPA upstream for testing Fedora updates. With Fedora 34 we would be able to test ACME clients routinely.
We are also working on a better flow for custom ACME CA discoveries, see an Internet Draft proposal by Fraser: https://frasertweedale.github.io/blog-redhat/posts/2020-11-13-acme-service-d...
Finally, our preferred tool to manage certificate renewals on Fedora/RHEL clients is certmonger. It has a pluggable infrastructure and can integrate with almost anything. For example, there is an (incomplete) plugin that integrates certbot and certmonger to issue Let's Encrypt certificates for FreeIPA-enrolled clients using the dns-01 challenge: https://github.com/antevens/cerlet