Currently we do not have a plain Let's Encrypt certificate for the Sandstorm instance running on `servizi.linux.it`: Sandstorm uses random subdomains, so we need a wildcard certificate.
Issuing a wildcard certificate with Let's Encrypt is not hard in itself, but automating the renewal is, because every renewal requires updating a `TXT` record in the DNS zone.
To make things less simple, we have not yet migrated the `linux.it` DNS zone to one of our servers, so automating everything is not easy (and obviously the current provider has no API either).
Anyway, in 2019, to somewhat simplify the renewal process, Madbob delegated the `_acme-challenge.servizi.linux.it` zone to my BIND9 instance (`acme-servizi.gitpull.it`), served by my private `reyboz` server.
In short, currently I am able to renew these certificates manually like this:
```
$ ssh servizi.linux.it
$ certbot certonly --manual -d servizi.linux.it -d *.servizi.linux.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for servizi.linux.it
http-01 challenge for servizi.linux.it
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
$ y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.servizi.linux.it with the following value:
asdasd-asdasdasd_asdasdasdasdasdasdasd
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
$ # (in the meanwhile I put in pause this job and I login in my private bind9 server to update the token)
$ # (CTRL z)
$ ssh reyboz
$ editor /etc/bind/merda/acme-servizi.gitpull.it.db
...
@ IN TXT "asdasd-asdasdasd_asdasdasdasdasdasdasd"
...
$ systemctl restart bind9
$ exit
$ # (now I restore the previous Let's Encrypt job and press enter)
$ fg
$
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:
asdasdasdasdasdasdasdasdasdasdasdasdasdasd.asdasdasdasda_sdasdasdasdasdasdasdasdasdasda
And make it available on your web server at this URL:
http://servizi.linux.it/.well-known/acme-challenge/asdasdasdasdasdasdasdasdasdasdasdasdasdasd
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
$ # (now I put in background this job to manually act like the webroot process)
$ # (CTRL z)
$ nano /var/www/Servizi/homepage/.well-known/acme-challenge/asdasdasdasdasdasdasdasdasdasdasdasdasdasd
$ # (I restore this job and press enter)
$ fg
$
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/servizi.linux.it-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/servizi.linux.it-0001/privkey.pem
Your cert will expire on 2020-09-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```
End of the story. Currently I do this once every two months, and each time it takes five minutes of my time.
This task is about automating this renewal process. For example:
1. install bind9 on `servizi.linux.it`
2. delegate `_acme-challenge.servizi.linux.it` again, this time to something served by this bind9 instance
3. create a Let's Encrypt "manual update hook"
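What step 3 could look like in practice, as an added example that is not part of this task's description nor of the `servizi.linux.it` setup: a script usable as certbot's `--manual-auth-hook` (and, with one variable set, as its `--manual-cleanup-hook`) that publishes the dns-01 token in the local BIND9 zone through `nsupdate` signed with a TSIG key, replacing the "edit the zone file and restart bind9" step of the transcript above. The zone name `_acme-challenge.servizi.linux.it` served by the local bind9, the key path `/etc/bind/keys/acme-update.key` and the `ACME_*` variables are assumptions for illustration; `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the variables certbot really exports to the hook.

```shell
#!/bin/sh
# Added example, not part of the original task: a certbot --manual-auth-hook that
# publishes the dns-01 validation token in the local BIND9 zone through nsupdate
# with a TSIG key, replacing the manual "edit zone file, restart bind9" step.
# Assumptions (hypothetical, adapt to the real setup): the local bind9 serves the
# zone _acme-challenge.servizi.linux.it and accepts dynamic updates signed with
# the key stored in /etc/bind/keys/acme-update.key.
set -eu

ACME_ZONE="${ACME_ZONE:-_acme-challenge.servizi.linux.it}"
ACME_DNS_SERVER="${ACME_DNS_SERVER:-127.0.0.1}"
ACME_TSIG_KEY="${ACME_TSIG_KEY:-/etc/bind/keys/acme-update.key}"
ACME_TTL=60

# ACME validation tokens are base64url: letters, digits, '-' and '_'. Refusing
# anything else keeps a malformed value from smuggling extra nsupdate commands
# (a newline in the token would otherwise become a new command line).
validate_token() {
    case "$1" in
        "" | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the nsupdate batch that adds the TXT record. The base name and the
# wildcard both validate at _acme-challenge.<domain>, so the record is added,
# never replaced: certbot calls the hook once per challenge and both must coexist.
build_add_batch() {
    domain="$1"; token="$2"
    validate_token "$token" || return 1
    printf 'server %s\nzone %s\nupdate add _acme-challenge.%s. %s IN TXT "%s"\nsend\n' \
        "$ACME_DNS_SERVER" "$ACME_ZONE" "$domain" "$ACME_TTL" "$token"
}

# Batch for --manual-cleanup-hook: remove only the record carrying this token.
build_delete_batch() {
    domain="$1"; token="$2"
    validate_token "$token" || return 1
    printf 'server %s\nzone %s\nupdate delete _acme-challenge.%s. IN TXT "%s"\nsend\n' \
        "$ACME_DNS_SERVER" "$ACME_ZONE" "$domain" "$token"
}

# Entry point: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook.
# Run with ACME_HOOK_ACTION=cleanup from the cleanup hook. Nothing is sent when
# the certbot variables are absent, so the script can be sourced or dry-run.
if [ -n "${CERTBOT_VALIDATION:-}" ] && [ -n "${CERTBOT_DOMAIN:-}" ]; then
    if [ "${ACME_HOOK_ACTION:-auth}" = "cleanup" ]; then
        build_delete_batch "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$ACME_TSIG_KEY"
    else
        build_add_batch "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$ACME_TSIG_KEY"
        # Give the authoritative server a moment before Let's Encrypt queries it.
        sleep 5
    fi
fi
```

On the BIND side the zone needs dynamic updates enabled for that key only, e.g. `tsig-keygen acme-update > /etc/bind/keys/acme-update.key`, an `include` of that file in `named.conf`, and `allow-update { key "acme-update"; };` in the zone stanza, so that nobody without the key can write into the zone. certbot would then be run as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/acme-hook.sh --manual-cleanup-hook 'env ACME_HOOK_ACTION=cleanup /path/to/acme-hook.sh' -d servizi.linux.it -d '*.servizi.linux.it'`; restricting to dns-01 removes the http-01 step of the transcript, and the wildcard name must be quoted or the shell will expand it against the current directory. The fixed `sleep 5` is a simplification; a loop that checks the record with `dig @127.0.0.1 TXT _acme-challenge.servizi.linux.it` before returning is the more robust choice.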
Anyway, this is just a wishlist item. I can do without automation for now.