
Deploy Certbot everywhere
Closed, Public

Authored by dereckson on Dec 16 2023, 01:01.

Details

Summary

Currently, certbot is deployed:

  • as a system package on webserver-core
  • as a Docker container and wrapper, with DNS hook on paas-docker
  • not at all elsewhere

This change merges the different units as a part of the roles/core/certificates
unit to have a consistent installation through all machines, Docker included.

Don't try to issue certificates: to use DNS registration, we currently
need a manual intervention to add a CNAME DNS record for the _acme-challenge
verification subdomain.

Certificates are renewed with a daily script running certbot renew, installed
through periodic on FreeBSD or as a systemd timer on Linux nodes with systemd.

Ref T1505.

Test Plan

Deploy on Hervil

Diff Detail

Repository
rOPS Nasqueron Operations

Event Timeline

dereckson created this revision.

Avoid defining the authenticator twice, once in cli.ini and once on the command line.

I think it's okay except for my comment.
But why every day? Isn't it too short? Maybe every 3 days, or maybe one week, could be better?

roles/core/certificates/files/acme-dns-auth.py
24

No map.jinja for the storage path depending on the OS?

This revision is now accepted and ready to land. Dec 16 2023, 20:18
roles/core/certificates/files/acme-dns-auth.py
24

Not sure I'm comfortable templatizing Python scripts. We lose the linter, for example, if we do that.

What if we look at both paths?

So we can have the same script looking first in /usr/local/etc, then in /etc. Some scripts already do that, like.

TODO: Clean up certbot_dir from webserver-core
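The lookup order proposed in the exchange above (probe the FreeBSD-style /usr/local/etc first, then the Linux-style /etc, so one untemplated Python script serves both platforms) can be written as follows. This is an added example and not the revision's own acme-dns-auth.py; the "letsencrypt" subdirectory, the acmedns.json state-file name, and the function names are assumptions made for the example. The `exists` predicate is injectable so the order of precedence can be checked without touching the real filesystem.

```python
"""Locate the certbot configuration directory by probing the FreeBSD
location before the Linux one (added example, not the revision's code)."""
import os
from typing import Callable, Iterable, Optional

# Candidate directories, most specific first: on FreeBSD, ports install
# configuration under /usr/local/etc; on Linux it lives under /etc.
# The "letsencrypt" subdirectory name is an assumption for this example.
DEFAULT_CANDIDATES = (
    "/usr/local/etc/letsencrypt",
    "/etc/letsencrypt",
)

# Name of the hook's own state file inside that directory (assumed name).
STORAGE_FILENAME = "acmedns.json"


def resolve_storage_dir(
    candidates: Iterable[str] = DEFAULT_CANDIDATES,
    exists: Callable[[str], bool] = os.path.isdir,
) -> Optional[str]:
    """Return the first candidate directory for which `exists` is true.

    Returns None when no candidate matches, so the caller decides how to
    fail rather than silently creating state in an unexpected location.
    """
    for directory in candidates:
        if exists(directory):
            return directory
    return None


def storage_path(
    candidates: Iterable[str] = DEFAULT_CANDIDATES,
    exists: Callable[[str], bool] = os.path.isdir,
) -> str:
    """Full path of the state file inside the resolved directory.

    Raises FileNotFoundError when neither location exists, which is the
    safer outcome for a hook that would otherwise write credentials to
    a directory nobody expects to be there.
    """
    candidates = list(candidates)
    directory = resolve_storage_dir(candidates, exists)
    if directory is None:
        raise FileNotFoundError(
            "no certbot configuration directory found in: "
            + ", ".join(candidates)
        )
    return os.path.join(directory, STORAGE_FILENAME)


if __name__ == "__main__":
    # On a real host this prints the resolved path or raises.
    print(storage_path())
```

Because the probe stops at the first hit, a host that happens to have both directories (for instance a Linux box where someone hand-created /usr/local/etc/letsencrypt) will pick the FreeBSD location; if that matters, log the chosen directory at startup so a misplaced state file is visible in the renewal logs.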

dereckson marked an inline comment as done.

Rebased. Use /usr/local/etc/periodic. Clean certbot_dir.

This revision is now accepted and ready to land. Jul 25 2024, 20:41
This revision was landed with ongoing or failed builds. Jul 25 2024, 20:41
This revision was automatically updated to reflect the committed changes.