
Automate wildcard certificate renew for *.servizi.linux.it
Open, WishlistPublic

Description

Preamble

Currently https://servizi.linux.it runs Sandstorm. Sandstorm uses random subdomains, which is why it needs a wildcard SSL certificate.

Problem

Issuing and renewing wildcard certificates with Let's Encrypt is not that easy, because each time you need to update a TXT record in the DNS zone.

The record is expected here:

  • _acme-challenge.servizi.linux.it

Also, the DNS zone of linux.it is not served by one of our nameservers, so it's not simple to automate everything. Note that the current provider also does not provide any DNS API.

Proposed solution

  • install BIND9 on servizi.linux.it
  • delegate _acme-challenge.servizi.linux.it to that BIND9 instance
  • automate the Let's Encrypt renewal
  • champagne!

Actual workaround

In 2019 Madbob delegated _acme-challenge.servizi.linux.it to acme-servizi.gitpull.it (served by gargantua.reyboz.it) so that @valerio.bozzolan could renew these certificates autonomously.

In short, currently only @valerio.bozzolan can renew these certificates, manually, in this way:

$ ssh servizi.linux.it
$ certbot certonly --manual -d servizi.linux.it  -d *.servizi.linux.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for servizi.linux.it
http-01 challenge for servizi.linux.it

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 
$ y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

asdasdasdasdasdasdasdasdasdasdasdasdasdasd.asdasdasdasda_sdasdasdasdasdasdasdasdasdasda

And make it available on your web server at this URL:

http://servizi.linux.it/.well-known/acme-challenge/asdasdasdasdasdasdasdasdasdasdasdasdasdasd

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
$ # (put in background this job to manually act like the webroot process)
$ # (CTRL z)
$ nano /var/www/Servizi/homepage/.well-known/acme-challenge/asdasdasdasdasdasdasdasdasdasdasdasdasdasd
$ # (restore this job in foreground)
$ fg
$

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.servizi.linux.it with the following value:

asdasd-asdasdasd_asdasdasdasdasdasdasd

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
$ # (in the meanwhile I put in pause this job and I login in my private bind9 server to update the token)
$ # (CTRL z)
$ ssh gargantua.reyboz.it
$ editor /etc/bind/merda/acme-servizi.gitpull.it.db

...
@       IN      TXT     "asdasd-asdasdasd_asdasdasdasdasdasdasd"
...

$ systemctl restart bind9
$ exit
$ # (now I restore the previous Let's Encrypt job and press enter)
$ fg
$

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/servizi.linux.it-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/servizi.linux.it-0001/privkey.pem
   Your cert will expire on 2020-09-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

$ systemctl reload nginx

End of the story. Currently I do this once every two months. Each time it takes 5 minutes of my time.

This task is about automating this renewal process. For example:

  1. install bind9 on servizi.linux.it
  2. delegate _acme-challenge.servizi.linux.it again to something served by this bind9 instance
  3. create a Let's Encrypt "manual update hook"

Anyway, this is just a wishlist. I can do without automation for now.
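One way the "manual update hook" from step 3 could look, as an added example that is not part of this ticket nor of any linux.it or gitpull.it configuration: a POSIX shell script usable as both certbot's --manual-auth-hook and --manual-cleanup-hook. It assumes the delegation from the workaround above (_acme-challenge.servizi.linux.it is a CNAME to acme-servizi.gitpull.it, so the TXT record lives at the apex of that zone), that the BIND9 serving that zone accepts dynamic updates for TXT records authenticated with a TSIG key (for example one generated with tsig-keygen and granted through update-policy), and that nsupdate and dig are installed on the host running certbot. The server name, key file path and TTL are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Hypothetical certbot hook for the CNAME-delegated _acme-challenge zone.
# Added example; assumptions: BIND9 on ACME_NS accepts TSIG-signed dynamic
# updates for TXT at the apex of ACME_TARGET, key stored in ACME_TSIG_KEYFILE.

ACME_TARGET="${ACME_TARGET:-acme-servizi.gitpull.it}"            # where the CNAME points
ACME_NS="${ACME_NS:-acme-servizi.gitpull.it}"                    # server accepting updates (assumed)
ACME_TSIG_KEYFILE="${ACME_TSIG_KEYFILE:-/etc/letsencrypt/acme-tsig.key}"  # assumed path
ACME_TTL="${ACME_TTL:-60}"

# ACME validation values are base64url; refuse anything else so that no
# unexpected characters ever reach the zone update.
acme_token_ok() {
    case "$1" in
        '' ) return 1 ;;
        *[!A-Za-z0-9_-]* ) return 1 ;;
    esac
    return 0
}

# Print the nsupdate batch that ADDS one TXT record for the validation value.
# It adds rather than replaces: when the base name and the wildcard are both
# validated with dns-01, certbot calls this hook once per name and both
# values must be present in DNS at the same time.
acme_update_add() {
    printf 'server %s\nzone %s\nupdate add %s. %s IN TXT "%s"\nsend\n' \
        "$ACME_NS" "$ACME_TARGET" "$ACME_TARGET" "$ACME_TTL" "$1"
}

# Print the batch that removes every TXT record at the apex (cleanup hook).
acme_update_delete() {
    printf 'server %s\nzone %s\nupdate delete %s. TXT\nsend\n' \
        "$ACME_NS" "$ACME_TARGET" "$ACME_TARGET"
}

acme_hook_main() {
    mode="${1:-auth}"
    token="${CERTBOT_VALIDATION:?CERTBOT_VALIDATION not set}"
    acme_token_ok "$token" || { echo "refusing malformed validation token" >&2; exit 2; }
    case "$mode" in
        auth)
            acme_update_add "$token" | nsupdate -k "$ACME_TSIG_KEYFILE" || exit 3
            # Do not return to certbot before the authoritative server answers
            # with the new record, otherwise validation races the update.
            i=0
            while ! dig +short TXT "$ACME_TARGET" "@$ACME_NS" | grep -qF "\"$token\""; do
                i=$((i + 1))
                [ "$i" -lt 30 ] || { echo "record not visible after 30s" >&2; exit 4; }
                sleep 1
            done
            ;;
        cleanup)
            acme_update_delete | nsupdate -k "$ACME_TSIG_KEYFILE" || exit 3
            ;;
        *)
            echo "usage: $0 auth|cleanup" >&2
            exit 64
            ;;
    esac
}

# Certbot exports CERTBOT_VALIDATION when it runs the hook; only act then.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    acme_hook_main "$@"
fi
```

Usage would be along the lines of `certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/usr/local/bin/acme-hook.sh auth' --manual-cleanup-hook '/usr/local/bin/acme-hook.sh cleanup' -d servizi.linux.it -d '*.servizi.linux.it'` (the script path is an assumption), after which `certbot renew` calls the same hooks unattended. The TSIG key file should be readable only by root, and the BIND update-policy should grant that key nothing beyond TXT at the apex of the delegated zone, so a compromised web host cannot rewrite anything else in DNS.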

Event Timeline

valerio.bozzolan created this task.

Madbob:

I set _acme-challenge.servizi.linux.it as a CNAME of acme-servizi.gitpull.it; give this update time to propagate and then you can renew the servizi.linux.it certificate directly using your own domain.

Actually a bind9 server will run on my machine to simplify the renewal process.

See T106

valerio.bozzolan renamed this task from Automatize certificate renew in servizi.linux.it to Automatize wildcard certificate renew for servizi.linux.it.Mar 5 2020, 13:31
valerio.bozzolan lowered the priority of this task from Normal to Wishlist.May 2 2020, 23:21
valerio.bozzolan mentioned this in Unknown Object (Event).Oct 29 2020, 23:48

Renewed today manually.

Your cert will expire on 2021-06-25.


@madbob I wanted to ask you whether in your opinion it makes sense to:

  • install BIND9 on servizi.linux.it
  • re-delegate _acme-challenge.servizi.linux.it to the BIND9 we will install on servizi.linux.it

That way we have room for automation.

Thanks topolone

(I am talking with Daniele of the ILS devs to set this up with PowerDNS on servizi.linux.it.)

valerio.bozzolan renamed this task from Automatize wildcard certificate renew for servizi.linux.it to Automatize wildcard certificate renew for *.servizi.linux.it.Jun 5 2023, 16:23
valerio.bozzolan renamed this task from Automatize wildcard certificate renew for *.servizi.linux.it to Automate wildcard certificate renew for *.servizi.linux.it.Mon, Apr 15, 21:14