At my last job I ran an Isilon: I could upload a cert for the HTTP server via the web UI, but there was no ACME client. I could SSH in, drop dehydrated and have it work because all I needed was a shell, curl, and openssl.
Similarly with F5: there is (was?) no native ACME client (at least a few years ago when I first looked at it). So I downloaded dehydrated and used various CLI interfaces to schedule automated runs and importation of the certificates.
There was no pre-compiled binary, and no compilers, on either system, and so talking about a "lightweight C executable" is nonsensical. Further, even if we (managed to) compiled things off-host, when we did an OS upgrade on either system, a whole bunch of libraries would change and we'd have to (remember to) re-compile. There is no such worry with a shell script.
If you want to have ACME-fetched certs on a general computer system, then compiling a C program (large or small) is an option. But there are scenarios where compiled/compiling C programs is not an option, and you telling me otherwise when I have personal experience of these situations takes some chutzpah.
I wouldn't be offended. Many people including me have personal and work experience in this area as well. No one is saying you're wrong, but even you acknowledge there are other ways to upload certificates... usually involving an API as well. If you want to run unchecked third-party 1000+ line bash scripts on production appliances, by all means go right ahead.
> If you want to run unchecked third-party 1000+ line bash scripts on production appliances, by all means go right ahead.
Again, I have a better chance at reading all the code of dehydrated (which I have, in fact, done), than reading all of the Python code that certbot pulls in via dependencies on Ubuntu/Debian.