Nginx introduces native support for ACME protocol

Reactions to nginx’s native ACME support

  • Many welcome “one less moving part” versus running certbot or other clients separately.
  • Several say they’ll stick with existing nginx+certbot setups until nginx’s feature matures and supports more challenge types.
  • Some consider the feature redundant if they already use a multi-purpose ACME client for non-HTTP services (mail, XMPP, internal apps).

Comparisons with Caddy, Traefik, Apache, Angie, HAProxy

  • Caddy is repeatedly praised for trivial automatic HTTPS, minimal config, and sane defaults; several people migrated from nginx mainly because of this.
  • Critiques of Caddy: harder for “non‑happy‑path” configs, plugin management and updates, past design decisions, and documentation gaps for advanced use.
  • Traefik is liked for Docker/Kubernetes label-based config, but called slower and more resource‑hungry; its single‑API‑key DNS limitation is a pain.
  • Apache’s mod_md and HAProxy’s newer ACME support are noted as existing alternatives.
  • Angie (nginx fork) already has ACME with DNS‑01 and is suggested for those needing wildcards now; freenginx is mentioned for those wanting a more “original” nginx.

HTTP‑01 vs DNS‑01, wildcards, and internal services

  • Current nginx module supports only HTTP‑01; many commenters say DNS‑01 is the real prize:
    • Needed for wildcard certs.
    • Essential for internal/overlay/private services not exposed to the internet.
    • Helpful in multi‑server and multi‑region load‑balanced setups.
  • DNS‑01 is seen as messy because every DNS provider has its own API; suggestions include using RFC 2136 dynamic updates with TSIG, acme‑dns, or delegating the `_acme-challenge` record via CNAME/NS to a DNS service you control.
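To make the HTTP‑01 limitation concrete, here is an added example (not taken from the discussion or from nginx's own documentation) of a minimal native‑ACME configuration. Directive names follow ngx_http_acme_module as I recall them, so check them against your nginx version; `example.test` and the file paths are placeholders.

```nginx
# Added example: native ACME module, HTTP-01 only (the challenge type the
# current nginx module supports). Directive names are as I recall them from
# ngx_http_acme_module; verify against the docs for your nginx build.
load_module modules/ngx_http_acme_module.so;

http {
    # The module needs a resolver to reach the CA's directory endpoint.
    resolver 127.0.0.1:53;

    # Shared memory so worker processes coordinate issuance and renewal.
    acme_shared_zone zone=ngx_acme_shared:1M;

    # Issuer: CA directory URL, contact, and on-disk state (account key,
    # certificates). The state path must be writable by the worker user.
    acme_issuer letsencrypt {
        uri         https://acme-v02.api.letsencrypt.org/directory;
        contact     mailto:hostmaster@example.test;   # placeholder contact
        state_path  /var/cache/nginx/acme-letsencrypt; # placeholder path
        accept_terms_of_service;
    }

    # HTTP-01: the CA fetches /.well-known/acme-challenge/<token> over plain
    # HTTP, so port 80 must be reachable from the internet for every name on
    # the certificate. Internal/overlay services fail exactly here, which is
    # why the thread wants DNS-01 for them.
    server {
        listen 80;
        server_name example.test www.example.test;
        # The module serves challenge responses itself; everything else
        # is redirected to HTTPS.
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name example.test www.example.test;

        # Request a certificate from the issuer above for the server_name
        # entries; the module renews it in the background.
        acme_certificate letsencrypt;
        ssl_certificate     $acme_certificate;
        ssl_certificate_key $acme_certificate_key;
        ssl_certificate_cache max=2;
    }
}
```

Wildcard names cannot be listed here, because the CA will only issue them via DNS‑01.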

Certbot and other ACME clients

  • Experiences with certbot range from “completely straightforward” to “giant swiss‑army chainsaw” that mangles configs, fights automation, and pushes snap.
  • Alternatives praised for simplicity and scriptability: acme.sh, lego, dehydrated, step‑ca, custom scripts.
  • Docker + nginx + certbot is described as especially fragile and under‑documented; some keep nginx on the host and containers behind it to avoid chicken‑and‑egg TLS issues.

Operational, packaging, and ecosystem concerns

  • Questions remain about how nginx handles renewals, revocations, and background processes, and how to debug failures.
  • Managing certs across fleets and failover nodes is still non‑trivial; suggestions include per‑node certs vs central issuance and distribution.
  • Some see nginx as late and commercially distracted (forks cited as a reaction), but others argue embedding ACME in webservers is optional and composable tooling remains valid.