Cert Management Improvement Project (C-MIP)

[ohemorange]

Based on previous discussions (#3587, #2071, #338), we should have an improved overall strategy for managing certs. This looks something like:

Step 1. list-certs command
Step 2. Specify canonical {archive, live} directories in conf file
Step 3. --use-lineage-name
Step 4. --set-lineage-name
Step 5. --use-lineage-name , "did you mean" based on filenames and such if ambiguous

Discussion items:
A. What should we call the canonical selector that I have temporarily termed "lineage-name"?
B. Where does this canonical name live?
Options for this include:

• as a line item in the conf file, whose name does not matter
• as the filename of the conf file, and document this choice.

I am personally for the latter, based on @schoen's observation that the file system then ensures uniqueness.

cc: @pde @bmw @cowlicks @PaulSD @yaegashi

[schoen]

I like calling it a lineage name and having it be the name of the file in /etc/letsencrypt/renewal, less the .conf suffix. (But I think that's the status quo, as nearly as we have one.)

I was hoping --use-lineage-name could just be called --lineage, although as @pde and I mentioned earlier today, it might be extra-confusing that the existing -d can mean both "apply this action to the lineage that has (at least) these domains" and "make this lineage have these domains". So it may be helpful to be sure --use-lineage-name and --set-lineage-name are very clearly different from one another.

[ohemorange]

I would like to amend step 2 to read:

Specify archive directory along with existing {cert, privkey, chain, fullchain} files in conf file.

This will remove dependence on lineage name in filepaths while maximizing the flexibility users have for specifying locations of files they plan to serve.

[ohemorange]

Update to step 2: Print a helpful error message if we are having trouble with the archive directory.

From @pde:

5:43:41 PM - pdeee: […] think all of these cases can be handled by this algorithm:
5:43:49 PM - pdeee: if your live directory doesn't exist, make it
5:44:00 PM - pdeee: if your live directory has broken or outdated links, fix them
5:44:52 PM - pdeee: (using the relpath function Brad just linked to)
5:47:07 PM - pdeee: Probably if the archive directory in the renewal conf file has been edited, and the thing it points to doesn't look like an archive, we should just error out rather than trying to fix things
5:47:23 PM - pdeee: But make the error helpful

[peterthomassen]

It would be nice if --set-lineage-name would allow any reasonable string (not just domain names).

Reason: In our use case, there's one certificate per virtual host (= FTP account), and domains sometimes come and go. In these cases, I'd like to update the certs on a per-user basis, and use the FTP user name as the lineage name. This would simplify things a lot.

[ohemorange]

@peterthomassen that's a reasonable goal. Would "any reasonable string that is a valid filename" be acceptable?

[peterthomassen]

@ohemorange Yes, that's what I meant. Of course nothing non-printable etc. :-)

[jvanasco]

Just noting my prior suggestion in #2880 to generate a plaintext .txt file that lists the domain names and signed/expires data alongside the certs. that would allow for instant inspection and even grep'ing the filesystem.