> If you only have shell on your servers then it is time to start looking for a new job.
Perhaps you wish to have "real" certs on appliances like F5s and Isilons (FreeBSD-based) where you can't install extra stuff, but where curl and openssl (and bash/zsh) are present.
Or perhaps you want to run simple software that you can actually audit. While "over a thousand lines of bash" may take a little while to examine, good luck auditing Zope, which is what certbot pulls in as a dependency:
* https://packages.debian.org/bullseye/python3-certbot
* https://packages.ubuntu.com/jammy/python3-certbot
Here we are talking about a lightweight C executable though that doesn't have those dependencies. You are also not limited to provisioning certificates on appliances, and in those cases I don't think having a thousand-line bash script offers any more security (probably less) than a full-featured C program.
At my last job I ran an Isilon: I could upload a cert for the HTTP server via the web UI, but there was no ACME client. I could SSH in, drop dehydrated and have it work because all I needed was a shell, curl, and openssl.
Similarly with F5: there is (was?) no native ACME client (at least a few years ago when I first looked at it). So I downloaded dehydrated and used various CLI interfaces to schedule automated runs and import of the certificates.
There was no pre-compiled binary, and no compilers, on either system, so talking about a "lightweight C executable" is nonsensical. Further, even if we (managed to) compile things off-host, when we did an OS upgrade on either system, a whole bunch of libraries would change and we'd have to (remember to) re-compile. There is no such worry with a shell script.
If you want to have ACME-fetched certs on a general computer system, then compiling a C program (large or small) is an option. But there are scenarios where compiling C programs is not an option, and you telling me otherwise when I have personal experience of these situations takes some chutzpah.
I wouldn't be offended. Many people including me have personal and work experience in this area as well. No one is saying you're wrong, but even you acknowledge there are other ways to upload certificates, usually involving an API as well. If you want to run unchecked third-party 1000+ line bash scripts on production appliances, by all means go right ahead.
> If you want to run unchecked third-party 1000+ line bash scripts on production appliances, by all means go right ahead.
Again, I have a better chance at reading all the code of dehydrated (which I have, in fact, done) than reading all of the Python code that certbot pulls in via dependencies on Ubuntu/Debian.