Post AlLflxSHzXiYzzmwKG by galdor@emacs.ch
2024-08-22T12:10:42Z
ACME is much better than managing TLS certificates manually, but the DNS challenge is a serious wart:

- Propagation time is painful (yes it only applies to the first startup, but no there is no way to know how much time it is going to take and yes it might not be fast enough for Let's Encrypt).
- It makes you store credentials for your DNS provider on your server. Most of them are not zone-specific, making it a serious security issue.
- Oh also if you have your own DNS servers (e.g. NSD), good luck automating the creation/deletion of the TXT records (I hope you like regular expressions).

Unfortunately it is the only way to generate wildcard certificates.

I only support HTTP challenges for the time being, will get to DNS when someone comes at me with a real use case (hint: those usually come with a budget).
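A zone-file editor for the "own DNS servers (e.g. NSD)" case in the post, as an added example that is not the author's code: it publishes and removes the `_acme-challenge` TXT record, bumps the SOA serial so the change is actually served, and validates the token before writing so nothing but a base64url value ever reaches the zone file. The sample zone, names and tokens are constructed for the example.

```python
import re

# Constructed sample zone file (not from the post); SOA serial on its own line as NSD accepts.
ZONE = """\
$ORIGIN example.org.
@   IN SOA ns1.example.org. hostmaster.example.org. (
        2024082201 ; serial
        3600 900 1209600 3600 )
@   IN NS ns1.example.org.
"""
# A DNS-01 value is base64url(SHA-256(key authorization)); reject anything else so a
# malformed value handed over by the ACME client can never inject records into the zone.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
OWNER_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")
# First integer after SOA MNAME/RNAME, optionally behind an opening parenthesis.
SERIAL_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")

def _owner_name(owner: str) -> str:
    """Zone-relative owner; '' or '@' is the apex, which a wildcard certificate needs."""
    if owner in ("", "@"):
        return "_acme-challenge"
    if not OWNER_RE.match(owner):
        raise ValueError(f"invalid owner name {owner!r}")
    return f"_acme-challenge.{owner}"

def bump_serial(zone: str) -> str:
    """Increment the SOA serial; secondaries only transfer the zone when it changes."""
    m = SERIAL_RE.search(zone)
    if m is None:
        raise ValueError("no SOA serial found in zone")
    return zone[: m.start(2)] + str(int(m.group(2)) + 1) + zone[m.end(2):]

def challenge_tokens(zone: str, owner: str) -> list[str]:
    """Tokens currently published for this owner, so a caller can verify before cleanup."""
    name = re.escape(_owner_name(owner))
    rx = re.compile(rf'^{name}\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"([A-Za-z0-9_-]+)"\s*$', re.M)
    return rx.findall(zone)

def add_challenge(zone: str, owner: str, token: str) -> str:
    name = _owner_name(owner)  # validated before the token so errors name the culprit
    if not TOKEN_RE.match(token):
        raise ValueError("refusing to write an unvalidated challenge token")
    if token in challenge_tokens(zone, owner):
        return zone  # idempotent: a retried ACME order must not duplicate the record
    return bump_serial(zone.rstrip("\n") + f'\n{name} 60 IN TXT "{token}"\n')

def remove_challenge(zone: str, owner: str, token: str) -> str:
    """Delete exactly that TXT record after validation; unrelated records are untouched."""
    name = re.escape(_owner_name(owner))
    rx = rf'^{name}\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"{re.escape(token)}"[^\S\n]*(?:\n|$)'
    new, n = re.subn(rx, "", zone, flags=re.M)
    return bump_serial(new) if n else zone
```

After the rewritten zone file is on disk, `nsd-control reload` makes NSD serve the new serial.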