Centralized Management


#1

Is there any solution, either through the paid premium dashboard or other means to Centrally Manage all implementations of Certify in a given environment?

If we were to use Certify for say 20 servers, I would be looking for a way to get updates on certification expiry, or ways to either add/change certificates from one interface, like other public cert providers but having it internal only. Is there such a solution out there? The dashboard UI seems to be specific to the instance, not to all instances. Thank you for your time.


#2

@bnewsond the dashboard is available to all registered users, not just paid users (it just so happens that the register link assumes you want to purchase a license). You can register directly through the app when you Add to Dashboard.

The dashboard UI will receive reports from all registered servers on your account as and when they request/renew certificates (if enabled).

Currently there is no centralised command-and-control style behaviour (i.e. you can’t use the dashboard to tell one of your servers what to do, they just report to it). This is a possibility for the future but needs careful consideration regarding the security implications and communications requirements. We could certainly offer a central dashboard server product that you host internally if there was enough interest. I think once you get to that stage a lot of people are probably also talking about monitoring/controlling linux & windows servers together, which is obviously more work.

As an aside, user feedback on the dashboard (which is much appreciated) has been very sparse until recently, so it’s interesting that we seem to be getting more frequent enquiries from a few parties but I don’t really know what’s changed to cause that.


#3

I very much appreciate the detailed response. From what you know however, besides certifytheweb are there any common 3rd party solutions that fill this gap of having centralized management?


#4

The only Let’s Encrypt solution I’m aware of that handles CCS currently is win-acme: https://github.com/PKISharp/win-acme but there may be others.


#5

Got it, thank you. Hopefully later on this will change and certifytheweb will have a centralized dashboard. I think a lot of people would be interested in it and gladly pay the fees to use it.


#6

There’s a big update planned for the dashboard, really the challenge is finding common themes that people want to see in the functionality. I’d like to extend it to Let’s Encrypt platforms outside of Certify (certbot on linux etc) as everyone has the same set of problems (namely making sure that certs are in place and renewals are behaving as expected), but would really like some more opinions/ideas from users.


#7

p.s. I mis-read your comment regarding centralised management when I mentioned win-acme as CCS is centralised certificate storage which is of course completely different. I’m jumping between several threads!

AFAIK there are currently no centralised management GUIs (that include Windows) for Let’s Encrypt website renewals but there may be some other products I’m not aware of. Would be keen to hear about such things if they exist. Centralised control is of great interest especially if it can include all operating systems, however management security needs to be a primary concern if sending commands back to hosts.


#8

I see, perfectly understandable. I looked around as much as I could and couldn’t find anything. I perceive that there would be a pretty big share of people interested in managing Windows/Linux LetsEncrypt certs.

Even more so in my opinion with technologies such as Kubernetes or Docker Containers. Would you happen to know the current status of the new dashboard development? Would any of these centralized management solutions be worked on at all? Thank you for your swift and detailed responses.


#9

The current dashboard development is focused around reporting and account management and is based on the current Certify The Web software reporting, but what would you really like to see? Typically new websites have to be set up on the server first before configuring https and we currently only deal with windows/IIS deployments but it would be good to have ideas for ‘big picture’ SSL/Let’s Encrypt management. For instance one of the items we’d really like to tackle is what happens if LE disappears, and can software automatically fall back to other certificate authorities.


#10

The question of if LE goes away was one presented often to me and you’re right I completely neglected that.
Talking strictly for windows, the main complaint/request was to have a central management that can show all applied certificates for all windows servers. Showing when they expire, giving capability to auto-renew and to “provision” in the sense that we could auto-configure a windows IIS server from this central management.

Or, at the very least have something we could use that can show us an overview of all Certifytheweb implementations.


#11

Thanks, reporting everything managed by Certify is probably the simplest part, we need to make some changes to push reporting upfront on registration but that’s not too difficult.

Auto-renew is on by default for Certify managed certificates, however writing configuration back to the servers (or remotely configuring sites not yet configured) is quite a bit more involved/long term.