Manjaro website off-line again due to lapsed certificate

This comment made a lot more sense to me once I realized we weren't talking about an aggressively marketed weight loss drug.

The word "legacy" doesn't seem needed there.

Can you explain it for those out of the loop?

I went from Manjaro to EndeavourOS. Great experience and I don't see it changing anytime soon. The community is healthy and the project well managed.

Try CachyOS

"I use arbitrarily complex software that has a rapid SDLC to obfuscate the issue with the fact that we have to have military grade encryption for displaying the equivalent of a poster over the internet".

The state of our industry is such that there will be a lot of people arguing for this absurdity in the replies to me. (or I'll be flagged to death).

Package integrity makes sense, and someone will make the complicated argument that "well ackshually someone can change the download links" completely ignoring the fact that a person doing that would be quickly found out, and if it's up the chain enough then they can get a valid LE cert anyway, it's trivially easy if you are motivated enough and have access to an ASN.

This is like the third or fourth time this has happened to them.

The Manjaro team has also caught flak for a bunch of other stuff. There's a page or two our there that detail the issues, which I'm too lazy to link here.

But let's just say this isn't their first rodeo.

Note that the certbot instructions are to renew 2x a day with up to one hour of randomized delay; using @monthly as suggested here will result in occasional outages if the "once a month" renewal attempt fails in two consecutive months due to transient peak service blips (such as those caused by '@monthly' hardcoding for month X day 1 time 00:00 often UTC without randomization), especially as Let's Encrypt drops their lifetimes to 45 days over the next 2 years, which would result in certificates avoidably expiring in production. Please instead use certbot's recommended 2x/day renew with a random sleep of up to an hour before initiating each attempt; at least one of cronie, at, bash, python, perl random sleep methods are available on most* platforms, and are offered up by the crontab-command generator at https://certbot.eff.org/instructions .

* There is a stack overflow page from 2016 filled with solutions for Busybox, so I'd say 'all' rather than 'some' but someone out there is hosting a webserver on a potato, so better safe than sorry.

It's not uncommon for a Distro to point NetworkManager or whoever to check for connectivity using their own servers, Arch does it themselves[0].

[0] ping.archlinux.org

Certbot would be like the supply chain attack holy grail. Not sure I'd want software like that running unmonitored automatically with root privileges.

Respectfully we have had Certbot for 11 years now.

Paying for certificates..? Manually copying cert files? Man, this reads like it was 2010 or something. Best of luck, but I don’t know why I wouldn’t just use acme.sh and systemd timers instead of this.

You're developing "certbot, but it's paid and sends private keys around the network instead of generating the csr locally"? Why? Who's the target audience? Platforms that can't run certbot, or any of the infinite amount of other acme clients, most likely won't be able to run your agent as well, so what's the value add vs just running a regular, well-defined (and free!) acme client and just moving the cert over manually?

Meanwhile Caddy exists