Hi Harlan,

[Cc'ing Debian Go team]

On Thu, Mar 17, 2016 at 11:34:12PM -0400, Harlan Lieberman-Berg wrote:
> The Let's Encrypt team might be able to help you get sponsorship for
> this. Quick question -- besides the implementation language, what are
> the main differences between this tool and acme-tiny?

That would be great! What are your thoughts on switching the Maintainer of the acmetool package to the Debian Let’s Encrypt team? While the package uses the dh_golang helper and fits well within the pkg-go team from a developer perspective, I expect user bug reports to require mostly knowledge of ACME and the Let’s Encrypt service.

Briefly, acmetool lies half-way between python-letsencrypt and acme-tiny. Like python-letsencrypt and unlike acme-tiny, acmetool manages certificates in a directory hierarchy. Like acme-tiny and unlike python-letsencrypt, acmetool’s sole purpose is to acquire TLS certificates.

acmetool is similar to “make”: If all certificate requirements are met, acmetool will do nothing. For each desired certificate, the user runs “acmetool want” with a list of hostnames, which creates a config file and acquires the certificate. Then acmetool may be rerun without arguments to renew certificates that are close to expiry.

acmetool’s YAML-based minimal configuration files are well structured and documented, which makes them suitable both for editing by hand and automatic configuration management.

acmetool fully supports running as either root or non-root user, and implements various methods to complete challenges such as webroot mode and HTTP proxy mode.

acmetool is silent by default and will only output errors, which makes it ideal for use in cron jobs.

Please take a look at acmetool's user guide:
https://hlandau.github.io/acme/userguide

For the Debian package, I have written a README.Debian that provides some hints on using acmetool and that is hopefully generally useful:
https://anonscm.debian.org/cgit/pkg-go/packages/acmetool.git/plain/debian/README.Debian

Overall, my initial impression is that acmetool comes closest to “set it and forget it”. Since certificate renewals are only necessary every so often, time will tell whether the “forget it” part is accurate.

Regards,
Peter

