
Automatize wildcard certificate renew for servizi.linux.it
Open, Wishlist, Public

Description

Currently we do not have a plain Let's Encrypt certificate for the Sandstorm instance used in servizi.linux.it. Sandstorm requires random subdomains, so we need a wildcard certificate.

It's not easy to issue a wildcard certificate with Let's Encrypt. Well, it's easy, but it's not that easy to automate the renewal process, because we need to update a TXT record in the DNS zone.

To make things less simple, we have not yet migrated the DNS zone of linux.it to one of our servers, so it's not easy to automate everything (and obviously the current provider has no API either).

Anyway, in 2019, just to somewhat simplify the renewal process, Madbob delegated the _acme-challenge.servizi.linux.it zone to my BIND9 instance (acme-servizi.gitpull.it), served by my private reyboz server.

In short, I'm currently allowed to renew these certificates manually in this way:

$ ssh servizi.linux.it
$ certbot certonly --manual -d servizi.linux.it  -d *.servizi.linux.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for servizi.linux.it
http-01 challenge for servizi.linux.it

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 
$ y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.servizi.linux.it with the following value:

asdasd-asdasdasd_asdasdasdasdasdasdasd

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
$ # (in the meantime I pause this job and log in to my private bind9 server to update the token)
$ # (CTRL z)
$ ssh reyboz
$ editor /etc/bind/merda/acme-servizi.gitpull.it.db

...
@       IN      TXT     "asdasd-asdasdasd_asdasdasdasdasdasdasd"
...

$ systemctl restart bind9
$ exit
$ # (now I restore the paused Let's Encrypt job and press Enter)
$ fg
$

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

asdasdasdasdasdasdasdasdasdasdasdasdasdasd.asdasdasdasda_sdasdasdasdasdasdasdasdasdasda

And make it available on your web server at this URL:

http://servizi.linux.it/.well-known/acme-challenge/asdasdasdasdasdasdasdasdasdasdasdasdasdasd

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
$ # (now I put this job in the background to act manually like the webroot plugin)
$ # (CTRL z)
$ nano /var/www/Servizi/homepage/.well-known/acme-challenge/asdasdasdasdasdasdasdasdasdasdasdasdasdasd
$ # (I restore this job and press Enter)
$ fg
$

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/servizi.linux.it-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/servizi.linux.it-0001/privkey.pem
   Your cert will expire on 2020-09-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

End of the story. Currently I do this once every two months. Each time it takes 5 minutes of my time.

This task is about automating this renewal process. For example:

  1. install bind9 in servizi.linux.it
  2. delegate again _acme-challenge.servizi.linux.it to something served by this bind9 instance
  3. create a Let's Encrypt "manual update hook"

Anyway, this is just a wishlist item. I can manage without automation for now.
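One way to implement step 3, as an added example that is not part of this task or of the servizi.linux.it setup: a certbot --manual-auth-hook / --manual-cleanup-hook script that pushes the dns-01 TXT record into the delegated zone with nsupdate, instead of editing the zone file and restarting bind9 by hand. It assumes the BIND9 instance accepts RFC 2136 dynamic updates signed with a TSIG key (the task does not mention such a configuration); ACME_ZONE, ACME_NS and TSIG_KEYFILE are placeholder names.

```shell
#!/bin/sh
# Added example, not part of this task: a certbot manual auth/cleanup hook that
# publishes the dns-01 token in the delegated zone via RFC 2136 dynamic update.
# Assumed (the task does not say so): the BIND9 instance accepts updates to this
# zone signed with a TSIG key. ACME_ZONE, ACME_NS, TSIG_KEYFILE are placeholders.
set -eu

ZONE="${ACME_ZONE:-acme-servizi.gitpull.it}"   # zone the CNAME points to
NS="${ACME_NS:-127.0.0.1}"                       # the authoritative bind9
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/bind/keys/acme-update.key}"

# Print the nsupdate batch that adds or deletes the apex TXT record (the
# "@ IN TXT" line the task edits by hand). $1 = add|delete, $2 = token.
nsupdate_batch() {
    case "$2" in   # ACME tokens are base64url; refuse anything else
        ""|*[!A-Za-z0-9_-]*) echo "malformed validation token" >&2; return 1 ;;
    esac
    printf 'server %s\nzone %s\nupdate %s %s. 60 IN TXT "%s"\nsend\n' \
        "$NS" "$ZONE" "$1" "$ZONE" "$2"
}

# Validate first, then send: an empty batch would make nsupdate "succeed".
push_update() {
    batch=$(nsupdate_batch "$1" "$2") || return 1
    printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEYFILE"
}

# Poll the authoritative server until the TXT value is served, so certbot
# does not ask Let's Encrypt to validate before the record exists.
wait_for_txt() {
    i=0
    while [ "$i" -lt 10 ]; do
        dig +short @"$NS" "$ZONE" TXT | grep -qF "\"$1\"" && return 0
        i=$((i + 1)); sleep 3
    done
    echo "TXT record for $ZONE not visible after 30s" >&2
    return 1
}

# certbot exports CERTBOT_VALIDATION to both hooks. Invoke as:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook '/usr/local/bin/acme-hook.sh auth' \
#     --manual-cleanup-hook '/usr/local/bin/acme-hook.sh cleanup' \
#     -d servizi.linux.it -d '*.servizi.linux.it'
case "${1:-}" in
    auth)    push_update add "$CERTBOT_VALIDATION"; wait_for_txt "$CERTBOT_VALIDATION" ;;
    cleanup) push_update delete "$CERTBOT_VALIDATION" ;;
esac
```

Because the TXT record lives at the apex of the delegated zone, only that zone's TSIG key needs to be on servizi.linux.it; the linux.it zone at the provider is never touched during renewal.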

Event Timeline

valerio.bozzolan triaged this task as Normal priority. Jan 4 2020, 08:51
valerio.bozzolan created this task.

Madbob:

I set _acme-challenge.servizi.linux.it as a CNAME of acme-servizi.gitpull.it; give this update time to propagate and then you can renew the certificate of servizi.linux.it directly using your own domain.

A bind9 server will now run on my machine to simplify the renewal process.

See T106

valerio.bozzolan renamed this task from "Automatize certificate renew in servizi.linux.it" to "Automatize wildcard certificate renew for servizi.linux.it". Mar 5 2020, 13:31
valerio.bozzolan lowered the priority of this task from Normal to Wishlist. May 2 2020, 23:21