Deploy Certbot everywhere

Description

Deploy Certbot everywhere

Summary:
Currently, certbot is deployed:

  • as a system package on webserver-core
  • as a Docker container and wrapper, with DNS hook on paas-docker
  • not at all elsewhere

This change merges the different units as a part of the roles/core/certificates
unit to have a consistent installation through all machines, Docker included.

Don't try to issue certificates, as to use DNS registration we currently
need a manual intervention to add a CNAME DNS record for the _acme-challenge
verification subdomain.

Certificates are renewed by a daily script running certbot renew, installed
through periodic on FreeBSD or as a systemd timer on Linux nodes with systemd.

Ref T1505.

Test Plan: Deploy on Hervil

Reviewers: DorianWinty

Reviewed By: DorianWinty

Maniphest Tasks: T1505

Differential Revision: https://devcentral.nasqueron.org/D3248
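The commit message describes the Linux side of the renewal as a systemd timer running `certbot renew` daily. The unit pair below is an added illustration of that pattern, written for this page; it is not the units shipped by the roles/core/certificates Salt unit, and the file paths, the certbot binary location and the commented-out deploy hook are assumptions.

```ini
# --- /etc/systemd/system/certbot-renew.service (example path, assumed) ---
[Unit]
Description=Renew Let's Encrypt certificates with certbot
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
# certbot renew only contacts the CA for certificates that are close to
# expiry, so a daily run is cheap and idempotent.
ExecStart=/usr/bin/certbot renew --quiet
# Assumed example: reload the service that consumes the certificates after
# a successful renewal (adjust or drop for the host's actual web server).
# ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"

# --- /etc/systemd/system/certbot-renew.timer (example path, assumed) ---
[Unit]
Description=Daily certbot renew

[Timer]
# Run once a day; the random delay spreads load on the ACME CA across hosts
# and Persistent=true catches up a run missed while the machine was off.
OnCalendar=daily
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
```

After placing both files, `systemctl enable --now certbot-renew.timer` activates the schedule, and `systemctl list-timers certbot-renew.timer` shows the next and last run, which is the check to include when verifying a deployment such as the Hervil test in this revision. On the FreeBSD hosts the same `certbot renew` invocation would live in a periodic daily script instead of a timer.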

Details

Provenance: dereckson, authored on Dec 16 2023, 00:51; pushed on Jul 25 2024, 20:41
Reviewer: DorianWinty
Differential Revision: D3248: Deploy Certbot everywhere
Parents: rOPSfc0d46d845df: Configure pg_HBA for dovecot user
Branches: Unknown
Tags: Unknown
Tasks: T1505: Automate Let's Encrypt TLS certificates management for every server