Page MenuHomeDevCentral
Create Task
Maniphest T1580

Deploy ACME-specific DNS server
Closed, ResolvedPublic
Actions

Description

Let's encrypt domain authentication can be done two ways:

  • through HTTP challenges
  • through DNS validation

The HTTP challenges work smoothly, as long as nginx is correctly configured, and web server is still alive. But how to create Openfire certificate with domains split between two serveurs (nasqueron.org on Ysul for webserver-legacy role, xmpp.nasqueron.org conference.nasqueron.org on Equatower for docker-paas role)?

The DNS challenges have been tested with manuale client, but how to automate the process? HE doesn't provide an API to update TXT records while T1217 is still open. In both scenarii, we would give full control of the DNS to each server.

A fine solution is to have a DNS with the only task to manage TXT records for Nasqueron domains, e.g. *.acme.nasqueron.org and use CNAME records to wire _acme-challenge.domain.tld to something.acme.nasqueron.org. Then, we give Let's Encrypt clients full control of this specific DNS to automate DNS verifications.

Revisions and Commits

rOPS Nasqueron Operations
D2181rOPS290737dd5834 Allow certbot to use acme.nasqueron.org on Docker engines
D2179rOPSefa09f172404 Restrict access to ACME DNS
D2178rOPS22fed7f247c2 Provide nginx configuration for ACME DNS
D2177rOPS9d9d4f52e938 Serve acme.nasqueron.org DNS
rDII 502 error pages
D2180rDIIdba670308b54 Provide homepage for ACME DNS Server

Related Objects
Search...

Event Timeline

dereckson created this task.Feb 4 2020, 15:02
dereckson added a project: Operations sprints (Consolidate them all).
dereckson moved this task from Backlog to Working on on the Operations sprints (Consolidate them all) board.
dereckson added a revision: D2177: Serve acme.nasqueron.org DNS.Feb 4 2020, 16:15
dereckson added a commit: rOPS9d9d4f52e938: Serve acme.nasqueron.org DNS.Feb 4 2020, 16:55
dereckson added a revision: D2178: Provide nginx configuration for ACME DNS.Feb 4 2020, 17:49
dereckson added a commit: rOPS22fed7f247c2: Provide nginx configuration for ACME DNS.Feb 4 2020, 17:58
dereckson added a comment.Feb 4 2020, 18:11

Server is deployed on Equatower.

The following DNS records have been added to delegate *.acme.nasqueron.org resolution:

acme.nasqueron.org. 3600 IN A 51.255.124.10
acme.nasqueron.org. 86400 IN NS acme.nasqueron.org.
dereckson added a revision: D2179: Restrict access to ACME DNS.Feb 4 2020, 19:28
dereckson added a commit: rOPSefa09f172404: Restrict access to ACME DNS.Feb 4 2020, 19:30
dereckson added a revision: D2180: Provide homepage for ACME DNS Server.Feb 4 2020, 19:58
dereckson added a commit: rDIIdba670308b54: Provide homepage for ACME DNS Server.Feb 4 2020, 20:00
dereckson added a comment.Feb 4 2020, 20:07

The server works fine. Next step is to integrate Certbot or any other client with it and create relevant CNAMEs.

dereckson added a revision: D2181: Allow certbot to use acme.nasqueron.org on Docker engines.Feb 4 2020, 22:22
dereckson added a commit: rOPS290737dd5834: Allow certbot to use acme.nasqueron.org on Docker engines.Feb 4 2020, 22:49
dereckson closed this task as Resolved.Feb 8 2020, 18:39
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator