Although we mentioned a few weeks back that so many customization options are now supported that it would be difficult to announce them all individually, the latest support for Let’s Encrypt via the Certbot installation API is such a big feature (and has been requested for many months) that we are making a specific blog post just for this.
We thought announcing Let’s Encrypt support was the perfect way to start off 2020! 🙂
We have been testing it for several weeks to ensure that it was not only a stable implementation, but that it also received a consistent A+ grade on the SSL Labs testing tool.
Keep in mind that the primary goal of SlickStack will always be simplicity and stability. We want it to “just work” so that various integrations can easily be added as desired while the core features remain extremely stable. This means that OpenSSL will always be the recommended SSL certificate, unless at some point in the future SSL validation becomes A LOT easier than it is now. While Let’s Encrypt has done a decent job at making SSL free and (kind of) easy to install, it is still a very long way from being truly simple and easy to set up. Therefore OpenSSL will remain our preferred SSL method, since it is included by default in both Ubuntu and Nginx and does not require any third-party CA signing. We are simply very lucky that Cloudflare’s free SSL proxy “signs” the OpenSSL self-signed certs, because no other SSL proxy services do this currently… we are hoping more will in the future, but not yet.
Thus, with all this in mind, SlickStack considers Let’s Encrypt to be a “backup” SSL method… or a temporary SSL method for testing and development. We expect and assume that Cloudflare is already activated on your domain before you generate a Certbot SSL certificate for it. In other words, OpenSSL + Cloudflare must be set up before requesting Certbot so that Certbot can properly verify your domain ownership via /.well-known/ before proceeding… since SlickStack is HTTPS (port 443 only) there is no way around this currently.
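As an added example (not SlickStack's own code), the following pre-flight check confirms that a file placed under /.well-known/acme-challenge/ in the webroot is actually served back over the public URL before Certbot is asked for a certificate. The function name, the webroot path and the base URL are assumptions supplied by the caller.

```python
"""Pre-flight check for Certbot's HTTP-01 (webroot) validation path."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # path defined by ACME HTTP-01 (RFC 8555)


def check_challenge_path(webroot, base_url, timeout=10):
    """Return (ok, detail). Hypothetical helper; both arguments are assumptions.

    For a real check, base_url should be http://<your-domain> so the request
    starts on port 80 and reaches the origin the same way validation does.
    """
    name = "preflight-" + secrets.token_urlsafe(16)  # random, unguessable file name
    body = secrets.token_urlsafe(32)                 # random content to compare
    directory = os.path.join(webroot, CHALLENGE_DIR)
    path = os.path.join(directory, name)
    os.makedirs(directory, exist_ok=True)
    with open(path, "w", encoding="ascii") as handle:
        handle.write(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}"
    try:
        # urllib follows redirects and verifies TLS certificates by default, so a
        # redirect to a self-signed origin that is not behind the proxy fails here.
        with urllib.request.urlopen(url, timeout=timeout) as response:
            served = response.read(4096).decode("ascii", "replace").strip()
            final_url = response.geturl()
    except (urllib.error.URLError, OSError) as exc:
        return False, f"fetch failed: {exc}"
    finally:
        os.remove(path)  # never leave the probe file in the webroot
    if served != body:
        return False, f"{final_url} returned different content (cached or rewritten?)"
    return True, f"token served correctly from {final_url}"


if __name__ == "__main__":
    import sys
    # Usage: python preflight.py <webroot> http://<your-domain>
    ok, detail = check_challenge_path(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

A failure here usually means the proxy is not active for the domain, the webroot path is wrong, or a rule in front of the origin blocks or rewrites /.well-known/.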
In the future, we plan to support the DNS verification API from Certbot. That said, again, OpenSSL + Cloudflare is still our recommended default.
Thanks for your patience and all your feedback… let us know about any issues on our repo, or Spectrum Chat … etc.