When working on other things, I found that our coverage tests were failing on master on macOS. I quickly fixed this in certbot/certbot#7972, but there's nothing stopping us from hitting this problem again in the future. I think we should avoid this because it can be a confusing/frustrating experience, especially for new Certbot developers, to investigate test failures on

Is your feature request related to a problem? Please describe.

This way we can ensure cert-manager certs can't be used to create intermediates

Describe the solution you'd like

Add to CertificateSpec struct.

Describe alternatives you've considered

Manually creating a CA cert.

/kind feature

I cannot see any docs on how the OCSP feature is suppose to work. Please document it. Thanks.

Hi,
not a big issue but as you asked to contribute to the documentation with an CLI example I thought it's worth sharing mine here so one of you with permissions could update the page https://go-acme.github.io/lego/dns/dode/:

export DODE=1234567890abcdefghij lego -d myserver.mydomain.com -a --dns dode --email its.me@yahoo.com run

In case the local DNS server (e.g. 10.1.1.1) is not rea

Preface: I am not an expert in encryption, so sorry for any inaccuracies with how I am describing the issue here.

In the documentation, it states:

// Note: CBC and ECB modes use PKCS#7 padding as default

Is it possible to configure what padding is used? I am working with a system where they are not expecting padding. Is that something that even makes sense/is possible?

To encourage people to use wss/tls encryption, we should make it really simple for people to implement a signed cert using letsencrypt.org (which should be going into general availability in the next couple of months). Perhaps direct automatic integration (since that's one of the goals of Let's Encrypt), but at least, we should document a straightforward process for using it.

The process is docum

This basically the same as certbot/certbot#1215 but for acmetool. I want to change the contact e-mail for accounts created by acmetool.

I just tried to "import" the acmetool account to certbot but failed doing it. Is there any documentation on how to do this? Is it even possible?

The tool should be smart enough to support reading pkcs8 private keys.

Ideally, we should support writing pkcs8 private keys if the user desires.

https://pkisharp.github.io/ACMESharp-docs/User-Guide.html

Indicates that the ACME Vault is to be initialized with the function Initialize-ACMESharp which PowerShell complains doesn't exist. After some googling around and head scratching I discover the quick start guide lists a different function Initialize-ACMEVault. That works and I was able to continue setting up ACMESharp. We get the doc

Example

The sed commands throw the error because macOS or BSD systems require a more specific -i flag.

A solution may be found here: https://stackoverflow.com/questions/7573368/in-place-edits-with-sed-on-os-x

Beyonce said it best. If you like it then you shoulda put a test on it. Scenarios I like:

• Cert is created with right DN
• Cert is stored to X509Store after creation
• Cert request is not resubmitted
• Handles failures gracefully
• HTTP challenge/response works as expected
• Certificate renewal when cert is about to expiration

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and

the dca study guide has recently updated (march 2020). there is now kubernetes involved.
is it possible that you could update the prep guide according to the study guide?

% certigo verify --name=REDACTED -f pem server2019.csr 
panic: runtime error: index out of range

goroutine 1 [running]:
github.com/square/certigo/lib.VerifyChain(0xc62e38, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7ffc75d487a2, 0x18, 0x0, 0x0, ...)
        /home/meta/go/src/github.com/square/certigo/lib/verify.go:129 +0x8e3
main.main()
        /home/meta/go/src/github.com/square/certigo/main.go:183 

The config file is currently mandatory. Some parts of cashierd can be configured via environment variables (I'm really not sure why I did this) but ideally the config should be entirely settable using cmdline flags and the config file should be optional.

I am using v0.3.1 of kube-cert-manager and running GKE on a 1.6.4 k8s cluster.

When I set up my ingress to proxy requests from /.well-known/acme-challenge/* to my kube-cert-manager-service and create a new certificate, LetsEncrypt fails to communicate with the server and find the challenge.

On the [Providers Section](https://github.com/PalmStoneGames/kube-cert-manager/blob/v0.3.1/docs/

I spent a lot of time at work tracking down an issue where certificates were being generated with the wrong public key, not the one given in the CSR. After some intense debugging, replacing the OpenSSL binary with a script that logs stuff, etc - I determined that it was using the -signkey option, which (as you know) is for self-signed certificates, and OpenSSL was silently replacing the CSR key

So, Ubuntu (18.04 at least) installs a cronjob and makes use of renewal-hooks directories. I can't find much documentation about it, but there is a bug report here: https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1706409

There is some documentation on about the renewal-hooks directories:
https://certbot.eff.org/docs/using.html#renewing-certificates

I'm thinking about how I can