Stop spreading FUD: it does not "mess with all sorts of configuration".
_Renewal doesn't touch any config files at all._ "letsencrypt-auto" puts the certs/keys under /etc/letsencrypt/keys. On renewal, new files get added. Old files are never touched. /etc/letsencrypt/live contains symlinks to the most recent files. Your webserver config uses these => its config does not need to be changed for renewal.
What you're talking about is only the initial certificate installation with "letsencrypt-auto run", and it makes a very targeted change in your Apache config. Use etckeeper if you don't trust it. If you still don't want that, use "letsencrypt-auto certonly".
(Note on server restarts: It also supports multiple methods, one of which is the webroot method, with which letsencrypt-auto does the challenge by putting a file under .well-known/acme-challenge/ of your webroot and lets your webserver handle the request, so it doesn't need to restart/replace your webserver itself.)
And about all these "minimalistic tools": I've seen one that literally did "new-cert.sh > $cert-file". If it failed (e.g. due to ratelimit, no internet connectivity, ...), it would null your old cert! Written and used by very smug people.
It wasn't intended to be FUD. The letsencrypt client needs to change the configuration of other services. This is a fact. Not everyone is happy about that, so I pointed out an alternative.
If you're happy with the official client, by all means, use it! There's nothing inherently wrong with that approach, it's just not compatible with the way I and some others prefer to do things.
EDIT in response to your edit:
> And about all these "minimalistic tools": I've seen one that literally did "new-cert.sh > $cert-file". If it failed (e.g. due to ratelimit, no internet connectivity, ...), it would null your old cert! Written and used by very smug people.
Absolutely, the minimal tools are not for people who don't know what they're doing. You absolutely would not run acme-tiny for example with write access to your actual cert that the web server is using, because any number of failure scenarios would result in downtime. That's why I specifically addressed that in the initial post you're replying to when I said: "Then it checks that the new certificate is valid, copies it to the right places and reloads the relevant services".
> The letsencrypt client needs to change the configuration of other services. This is a fact. Not everyone is happy about that, so I pointed out an alternative.
No, it doesn't NEED to. It's the most commonly discussed option, but it is not necessary. It can do the exact same "write to a folder in the webroot" mode most of the alternatives use.
(I'm not saying that there is no reason to use an alternative client, but that's not it)
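The two failure modes argued about above, a script that redirects straight into the live cert file and leaves it empty when the fetch fails, and the "check that the new certificate is valid, copy it to the right places and reload" flow the reply describes, can be shown in one short script. This is an added example written for this page, not code from acme-tiny, letsencrypt-auto or any of the posters; the function names, paths and reload command are illustrative assumptions, and it assumes the private key stays fixed across renewals (as acme-tiny does) so the freshly issued chain can be checked against it before it goes live.

```shell
#!/bin/sh
# Safe certificate installation: a failed renewal must never clobber the live cert.
# `new-cert.sh > "$CERT"` truncates $CERT before new-cert.sh has even connected, so a
# rate limit or network error leaves an empty file. Instead: fetch into a scratch file,
# validate it, back up the old cert, then rename into place and reload.
set -u

MIN_VALID_DAYS=${MIN_VALID_DAYS:-30}   # refuse chains that expire sooner than this

# validate_cert CERT KEY
# Returns 0 only if CERT is a non-empty, parseable PEM certificate that is valid for at
# least MIN_VALID_DAYS and whose public key matches the private key in KEY.
validate_cert() {
    cert=$1
    key=$2
    [ -s "$cert" ] || { echo "validate: $cert is missing or empty" >&2; return 1; }
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "validate: $cert is not a parseable certificate" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend "$((MIN_VALID_DAYS * 24 * 3600))" >/dev/null 2>&1 \
        || { echo "validate: $cert expires within $MIN_VALID_DAYS days" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "validate: $cert does not match private key $key" >&2
        return 1
    fi
    return 0
}

# install_cert NEW_CERT LIVE_CERT KEY [RELOAD_CMD]
# Validates NEW_CERT; on success keeps a timestamped copy of the old LIVE_CERT, renames
# the new one over it in a single step (mv within one filesystem is a rename, so readers
# see either the old or the new file, never a partial one) and runs RELOAD_CMD
# (e.g. "systemctl reload nginx", an assumed example). On any failure LIVE_CERT is left
# untouched and the function returns non-zero.
install_cert() {
    new=$1
    live=$2
    key=$3
    reload=${4:-:}   # default to the no-op command
    if ! validate_cert "$new" "$key"; then
        echo "install: refusing to replace $live" >&2
        return 1
    fi
    # stage in the same directory as $live so the final mv is an atomic rename
    staged=$(mktemp "$(dirname "$live")/.cert.XXXXXX") || return 1
    cp "$new" "$staged" && chmod 0644 "$staged" || { rm -f "$staged"; return 1; }
    if [ -f "$live" ]; then
        cp -p "$live" "$live.bak.$(date +%Y%m%d%H%M%S)" || { rm -f "$staged"; return 1; }
    fi
    mv -f "$staged" "$live" || { rm -f "$staged"; return 1; }
    sh -c "$reload"
}

# Demo with constructed files: a renewal that produced an empty file (what a failed
# `new-cert.sh > file` leaves behind) is rejected and the live cert survives.
demo() {
    dir=$(mktemp -d)
    printf 'OLD CERT CONTENT\n' > "$dir/fullchain.pem"
    : > "$dir/renewal-output.pem"
    install_cert "$dir/renewal-output.pem" "$dir/fullchain.pem" "$dir/privkey.pem" 2>/dev/null \
        || echo "demo: live cert preserved: $(cat "$dir/fullchain.pem")"
    rm -rf "$dir"
}
demo
```

The important detail is the order: nothing is allowed to write to the live path until the new chain has passed every check, and the swap itself is a rename rather than a copy, so a crash halfway through cannot leave a truncated file for the webserver to pick up on reload.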
> Stop spreading FUD: it does not "mess with all sorts of configuration".
It does more than you'd expect, IMO.
> letsencrypt-auto is a wrapper which installs some dependencies from your OS standard package repositories (e.g. using apt-get or yum), and for other dependencies it sets up a virtualized Python environment with packages downloaded from PyPI.
and puts the signed certificates into /etc/letsencrypt/live/example.com/fullchain.pem. This is followed by a service nginx reload
I did not trust their automatic configuration as well so I simply configured nginx to use the keys + cert and to serve .well-known/acme from /var/www/letsencrypt/ for all my domains.
That's all. It works quite fine, and if something does not work (e.g. python breaks) such that the renewal is unsuccessful, LE will send you an email in advance (I think 30 days) so you have plenty of time to look after it.