With the changes recently approved by the CA/Browser Forum, TLS certificate validity periods will continue to come down, eventually getting to 47 days max by 2029. It’s a phased approach and, as of now, the schedule is:
March 15, 2026: Maximum validity reduced to 200 days.
March 15, 2027: Maximum validity reduced to 100 days.
March 15, 2029: Final maximum validity reduced to 47 days.
None of us want to be swapping certs manually every 47 days in the Peplink device admin portal. The solution many production engineering teams use for cert renewals is certbot. It would be great if Peplink firmware could incorporate certbot and allow an admin to programmatically renew certs. I’d be most interested in using certbot’s dns-rfc2136 plugin since that seems like the best fit for a device like a Peplink Balance. Trying to run this in a container (for the Peplink devices that support it) is not recommended. I’d also avoid trying to update the local Peplink resolver to support it (TSIG requirement, etc.). Just assume a user is using their own mature authoritative DNS to validate the ACME-based TXT record for a cert renewal.
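For reference, this is what the dns-rfc2136 setup described above looks like end to end, added here as an illustration rather than code from Peplink, certbot or the original post. The hostname, DNS server address, TSIG key name and secret are placeholders; the TSIG secret is expected in the TSIG_SECRET environment variable.

```shell
#!/bin/sh
# Added example: certbot + dns-rfc2136 against an authoritative DNS server the
# admin already runs. All values are placeholders, not a real deployment.
CREDS="${CREDS:-/etc/letsencrypt/rfc2136.ini}"   # plugin credentials file
DOMAIN="${DOMAIN:-balance.example.com}"          # hostname on the device cert
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"           # server accepting TSIG updates
EMAIL="${EMAIL:-admin@example.com}"

# Server side (BIND 9 shown): scope the TSIG key to the challenge name and
# record type only, so the key can never rewrite the device's own A record:
#   update-policy { grant certbot-key. name _acme-challenge.balance.example.com. TXT; };

# Write the credentials file owner-only; certbot refuses world-readable secrets.
write_creds() {
    : "${TSIG_SECRET:?set TSIG_SECRET to the base64 TSIG key}"
    ( umask 077; cat > "$CREDS" <<EOF
dns_rfc2136_server = $DNS_SERVER
dns_rfc2136_port = 53
dns_rfc2136_name = certbot-key.
dns_rfc2136_secret = $TSIG_SECRET
dns_rfc2136_algorithm = HMAC-SHA512
EOF
    )
}

# Return 0 only if group/other have no permission bits on the credentials file
# (columns 5-10 of ls -l are all dashes); check this before every run.
creds_is_private() {
    [ "$(ls -ld "$CREDS" | cut -c5-10)" = "------" ]
}

# Build the one-time issuance command; 'certbot renew' reuses these settings
# from the stored renewal config afterwards (e.g. from a daily cron job).
build_certbot_cmd() {
    printf 'certbot certonly --non-interactive --agree-tos -m %s' "$EMAIL"
    printf ' --dns-rfc2136 --dns-rfc2136-credentials %s' "$CREDS"
    printf ' --dns-rfc2136-propagation-seconds 60 -d %s\n' "$DOMAIN"
}

# Only perform the real issuance when explicitly requested.
if [ "${RUN_CERTBOT:-0}" = 1 ]; then
    write_creds
    creds_is_private || { echo "credentials file is not private" >&2; exit 1; }
    sh -c "$(build_certbot_cmd)"
fi
```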