Page MenuHomeDevCentral

Allow to update ACME DNS accounts
ClosedPublic

Authored by dereckson on Feb 23 2020, 11:38.
Tags
None
Referenced Files
F3785722: D2249.diff
Tue, Nov 26, 10:14
Unknown Object (File)
Sat, Nov 23, 03:54
Unknown Object (File)
Sat, Nov 23, 02:54
Unknown Object (File)
Mon, Nov 18, 11:38
Unknown Object (File)
Mon, Nov 18, 11:09
Unknown Object (File)
Tue, Nov 12, 15:50
Unknown Object (File)
Sun, Nov 10, 06:59
Unknown Object (File)
Sat, Nov 9, 14:29
Subscribers
None

Details

Summary

To verify a domain through DNS, a specialized DNS server has
been provided in 9d9d4f52e938 to maintain TXT records.

Several servers can use wildcard certificates, but as we don't
use the same account key on each servers, the DNS record will
change. As such, and if we want each server generate its own
concurrent certificate for *.domain.tld, we need to allow each
of them to update the DNS record.

To do so, the DNS is configured like this:
_acme-challenge.domain.tld CNAME <some guid>.acme.nasqueron.org

And <some guid> matches an ACME DNS account allowed to change it.
As we don't want to change CNAME everytime, that means the ACME
DNS account must be shared among the servers.

We so need to provision the credentials and merge them to
local credentials maintained by the server (ie when we update
the password for *.nasqueron.org, we don't want to lost on Equatower
the password for devcentral.nasqueron.org). That's the job of the
edit-acme-dns-accounts import command.

A follow-up change will take care of the actual provisioning,
once the question of where to put it will be solved (Vault?).

Ref T1602.

Test Plan

Unit tests and integration tests provided

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson created this revision.

Looks good, some minor changes needed.

_tests/data/acmedns-merged.json
2

Chmod

_tests/data/acmedns-toimport.json
2

Chmod

_tests/data/acmedns.json
2

chmod

_tests/scripts/python/test_edit_acme_dns_accounts.py
6

Use /path/to/acmedns.json as we don't need a real value, bats test takes care of that.

requirements.txt
11–12

Only jsondiff here, salt is another change.

roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py
9

Bogus description

89

Trailing comma

91

Trailing comma

This revision is now accepted and ready to land.Feb 28 2020, 20:25
This revision was automatically updated to reflect the committed changes.