D2249
Change Details
Old

To verify a domain through DNS, a specialized DNS server has been provided in 9d9d4f52e938 to maintain TXT records.

Several servers can use wildcard certificates, but as we don't use the same account key on each server, the DNS record will change. As such, and if we want each server to generate its own concurrent certificate for *.domain.tld, we need to allow each of them to update the DNS record.

To do so, the DNS is configured like this:

    _acme-challenge.domain.tld CNAME <some guid>.acme.nasqueron.org

And <some guid> matches an ACME DNS account allowed to change it.

As we don't want to change the CNAME every time, that means the ACME DNS account must be shared among the servers. So we need to provision the credentials and merge them with the local credentials maintained by the server (i.e. when we update the password for *.nasqueron.org, we don't want to lose, on Equatower, the password for devcentral.nasqueron.org). That's the job of the `edit-acme-dns-accounts import` command.

A follow-up change will take care of the actual provisioning, once the question of where to put it is solved (Vault?).

New

To verify a domain through DNS, a specialized DNS server has been provided in 9d9d4f52e938 to maintain TXT records.

Several servers can use wildcard certificates, but as we don't use the same account key on each server, the DNS record will change. As such, and if we want each server to generate its own concurrent certificate for *.domain.tld, we need to allow each of them to update the DNS record.

To do so, the DNS is configured like this:

    _acme-challenge.domain.tld CNAME <some guid>.acme.nasqueron.org

And <some guid> matches an ACME DNS account allowed to change it.

As we don't want to change the CNAME every time, that means the ACME DNS account must be shared among the servers. So we need to provision the credentials and merge them with the local credentials maintained by the server (i.e. when we update the password for *.nasqueron.org, we don't want to lose, on Equatower, the password for devcentral.nasqueron.org). That's the job of the `edit-acme-dns-accounts import` command.

A follow-up change will take care of the actual provisioning, once the question of where to put it is solved (Vault?).

Ref T1602.
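The credential merge the commit message describes, written out as an added example; this is not the project's own `edit-acme-dns-accounts` code. The JSON layout, the per-account field names (borrowed from the acme-dns registration record) and the sample accounts are assumptions.

```python
import json
import os
from typing import Dict, List, Tuple

# Assumed layout: accounts keyed by certificate domain (e.g. "*.nasqueron.org"),
# each holding the acme-dns registration fields. All sample data is constructed.
Account = Dict[str, str]
Accounts = Dict[str, Account]
REQUIRED = ("username", "password", "fulldomain", "subdomain")


def merge_accounts(local: Accounts, imported: Accounts) -> Tuple[Accounts, List[Tuple[str, str]]]:
    """Overlay the shared accounts onto the local file, keeping local-only entries."""
    merged = dict(local)  # e.g. devcentral.nasqueron.org on Equatower survives the import
    changes: List[Tuple[str, str]] = []
    for domain, account in imported.items():
        missing = [f for f in REQUIRED if not account.get(f)]
        if missing:
            raise ValueError(f"{domain}: imported account lacks {missing}")
        previous = local.get(domain)
        if previous is None:
            changes.append(("added", domain))
        elif previous["fulldomain"] != account["fulldomain"]:
            # The TXT record will now live under another name, so the
            # _acme-challenge.<domain> CNAME must be re-pointed or validation fails.
            changes.append(("cname-target-changed", domain))
        elif previous != account:
            changes.append(("updated", domain))  # rotated password, same CNAME target
        merged[domain] = account
    return merged, changes


def write_accounts(path: str, accounts: Accounts) -> None:
    """Persist the merged file owner-readable only: it holds TXT update passwords."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(accounts, fh, indent=2, sort_keys=True)


# Constructed sample: the server keeps its own devcentral account while the
# shared wildcard account arrives with a rotated password.
LOCAL: Accounts = {
    "devcentral.nasqueron.org": {"username": "u-dev", "password": "old-dev-pw",
        "fulldomain": "1111-example.acme.nasqueron.org", "subdomain": "1111-example"},
    "*.nasqueron.org": {"username": "u-wild", "password": "old-wild-pw",
        "fulldomain": "2222-example.acme.nasqueron.org", "subdomain": "2222-example"},
}
IMPORTED: Accounts = {
    "*.nasqueron.org": {"username": "u-wild", "password": "new-wild-pw",
        "fulldomain": "2222-example.acme.nasqueron.org", "subdomain": "2222-example"},
}
```

Check the returned change list before writing: a `cname-target-changed` entry means the `_acme-challenge` CNAME in the zone has to move as well, which is exactly what sharing the account is meant to avoid.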