Forcing automation would be fine if the default software package (certbot) was any good, but from my experience certbot is simply not fit for purpose. Certbot doesn't support the industry standard PKCS#12 format, which makes it extremely brittle for anyone using a Java-based webserver. Instead it uses the non-standard PEM format which requires conversion before usage. That conversion step breaks all the time and requires manual intervention. It's ridiculous.
PEM is standardized in RFC 7468, from 2015 [1]. PEM has been an industry standard for a decade.
I hear ya. I’m also not fond of certbot and other existing clients.
The best solution I’ve found so far was to implement a custom cert manager using the formidable acmez library.
At this point PEM is more standard and prevalent than PKCS#12.
PEM is very standard. Calling `openssl pkcs12` also should not be hard; IDK about certbot, but there is a hook for acmetool (which I use) that does just that for you: https://github.com/dlitz/acmetool-pkcs12-hooks
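The PEM to PKCS#12 conversion discussed in this thread, written as a renewal hook (an added example, not code from any commenter, certbot or acmetool): it checks that key and certificate match, builds the keystore under a restrictive umask, re-opens it to verify it, and only then renames it over the old file. `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks; `pem_to_p12`, `P12_OUT`, `P12_PASSFILE` and `P12_ALIAS` are hypothetical names.

```shell
#!/bin/sh
# Added example, not code from the thread, certbot or acmetool.
# Assumes a certbot-style lineage directory holding fullchain.pem and privkey.pem.
# pem_to_p12, P12_OUT, P12_PASSFILE and P12_ALIAS are hypothetical names.

# usage: pem_to_p12 <lineage_dir> <out.p12> <password_file> [friendly_name]
# The ( ) body runs in a subshell, so umask and variables do not leak out.
pem_to_p12() (
    dir=$1 out=$2 passfile=$3 name=${4:-server}
    cert="$dir/fullchain.pem" key="$dir/privkey.pem"
    umask 077    # temp file and final keystore are owner-only

    [ -r "$cert" ] && [ -r "$key" ] && [ -r "$passfile" ] || exit 2

    # Refuse to continue when the private key does not belong to the leaf cert.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || exit 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || exit 3
    [ "$cert_pub" = "$key_pub" ] || exit 3

    # Build next to the target so the final rename is atomic on one filesystem.
    tmp=$(mktemp "$(dirname "$out")/.p12.XXXXXX") || exit 4

    # Export, then re-open the result with the same password before trusting it.
    if ! openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$name" \
            -passout "file:$passfile" -out "$tmp" 2>/dev/null ||
       ! openssl pkcs12 -in "$tmp" -passin "file:$passfile" -noout 2>/dev/null
    then
        rm -f "$tmp"
        exit 5
    fi
    mv -f "$tmp" "$out"
)

# Hook entry point: certbot exports RENEWED_LINEAGE to deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem_to_p12 "$RENEWED_LINEAGE" "${P12_OUT:?}" "${P12_PASSFILE:?}" \
        "${P12_ALIAS:-server}" || exit $?
fi
```

Exit codes 2 to 5 distinguish missing input, key/certificate mismatch, temp-file failure and export failure, so the hook's log shows why the previous keystore was left in place.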