
CertMaggedon…

Recently, Octopuce suffered collateral damage from the expiration of the Let’s Encrypt root CA. We discovered, hours and days after the expiration, that every Mac OS X release < 10.12.1 and most Android releases < 7.1.1 would no longer be able to access the Internet properly, which we deemed unacceptable: being compatible with older devices is a must-have in a shrinking world where we have to be more mindful of our ecological footprint. Throwing out a perfectly working computer because it can’t access most websites, because of a single missing file in a certificate repository, is a shame.

As a result, we decided to migrate to ZeroSSL, another certificate authority, which uses the USERTrust root CA; that root will expire in 2038. Plenty of time to be prepared! ZeroSSL is not free, unlike Let’s Encrypt, but we can generate as many 90-day certificates as we need for ~€100/year, or as many wildcard certificates as we need for ~€500/year.

We also had to migrate away from Certbot, the ACME client of Let’s Encrypt, because its code relies on many different Python libraries that are not always available on our (sometimes old) Debian systems, especially because Certbot requires a recent version of Python… We decided to use acme.sh, an ACME client written in plain shell that depends only on wget or curl to query the ACME API.

Sadly, acme.sh is currently not packaged in Debian (as far as we could tell) …

Packaging ACME.SH on Debian

At Octopuce, we like to contribute to free software when we can, and this was a nice case of « this wonderful software deserves some packaging » ;) A few hours later, we had taken the code of Maarten den Braber on GitHub and improved it to build a Debian package of acme.sh. This is a standalone package depending only on wget or curl, so it can be installed quite easily on almost any Ubuntu, Debian, or other deb-based distribution!

This package was initially not distributed on our repositories; it is now available on our internal repository of Debian packages at https://debian.octopuce.fr/octopuce/. We advise you to use it with a bit of caution: it’s still in beta. That said, we have already used it to generate 6429 certificates in 48 hours ;)

If you have any question, bug report or suggestion regarding this package, feel free to open an issue on the project on GitHub, or send a mail to benjamin at octopuce.fr.