[conspire] Lets Encrypt

Michael Paoli Michael.Paoli at cal.berkeley.edu
Wed May 6 22:01:09 PDT 2020


> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: Re: [conspire] Lets Encrypt
> Date: Wed, 6 May 2020 20:46:07 -0700

> Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
>
>> >From: "Ruben Safir" <ruben at mrbrklyn.com>
>> >Subject: [conspire] Lets Encrypt
>> >Date: Wed, 6 May 2020 16:11:55 -0400

>> >Has anyone used it successfully?
>>
>> Heck yeah!  Been usin' it for years now!
>> It's not *that* hard.
>
> I think Ruben might appreciate a look at your implementation scripts,
> Michael.

Yup, ... watch this space for updates.  ;-)

In the meantime, for starters on part of that ...

So, part of that infrastructure ... to do and also automate
wildcard certs ... verification of those with letsencrypt.org CA
requires verification via DNS.  And to automate that, I'm using
dynamic update on DNS.  With BIND9 (not the only possible way,
but the way I've implemented it).  So, anyway, that bit of
infrastructure, also on Debian (now on stable), with bind9,
dynamic updates, also have chroot and DNSSEC.

Anyway, recently, I updated/fixed fair bit 'o relevant stuff
on Debian's wiki pages.  So, to look over a lot of how one might
typically set much of that up, have a look around these wiki
pages ... note also, some of them cover various methods and versions,
so one might be well advised to read (or at least skim) all of the
relevant pages first, rather than just dive in and try and do it
straight step-by-step.  Notably also, with the chroot stuff,
as noted on some of the applicable wiki page(s), I've got it
set up with symbolic link(s) and bind mount(s) ... so the
chroot stuff not only works in the chroot, but also functions (or
will/would function) outside of the chroot ... but notably and
conveniently along with that, most stuff outside the chroot that
does/would interact with it, can do quite seamlessly, as if it
wasn't in the chroot ... notably accessing requisite bits with
same logical paths (via symbolic link(s) and/or bind mounts).
Anyway, wiki pages:
https://wiki.debian.org/Bind9
https://wiki.debian.org/DNSSEC%20Howto%20for%20BIND%209.9+
https://wiki.debian.org/DNSSEC
The above wiki pages may not (well?) cover dynamic DNS, but for
BIND9, that's quite well covered in the BIND9 documentation:
https://kb.isc.org/docs/aa-01031 (be sure to look at the specific
corresponding version), and isn't particularly Debian-specific.
(and as I peek at wiki pages, I see a reference link that ought to be
improved ... time for me to do that :-))

"Of course" if one isn't doing any wildcards, can verify via specifically
placed text bits on, e.g. webserver - so could potentially go that
route and not have to muck with DNS at all for verification for
obtaining certs.  But DNS is more flexible verification, can do
those *and* validate for wildcard certs if/as desired.
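As an added example (my own sketch, not Michael's scripts or anything from the post): the DNS-01 step described above, written as a hook that feeds `nsupdate` a TSIG-signed dynamic update for the `_acme-challenge` TXT record on a BIND9 primary. It assumes certbot-style hook variables (CERTBOT_DOMAIN, CERTBOT_VALIDATION) and a placeholder TSIG key path, neither of which the post mentions.

```shell
#!/bin/sh
# Hypothetical ACME DNS-01 auth/cleanup hook for BIND9 dynamic update.
# Assumptions (mine, not the poster's): the ACME client exports
# CERTBOT_DOMAIN and CERTBOT_VALIDATION; the zone allows dynamic updates
# signed with the TSIG key in $TSIG_KEY; $DNS_SERVER is the primary.
set -eu

DNS_SERVER="${DNS_SERVER:-127.0.0.1}"
TSIG_KEY="${TSIG_KEY:-/etc/bind/keys/acme-update.key}"   # placeholder path
TTL=60                                                   # short: record is throwaway

# Map a requested name to its challenge record.  A wildcard request for
# "*.example.com" is validated on "_acme-challenge.example.com", so a
# leading "*." is stripped before prepending the challenge label.
challenge_name() {
    base="${1#\*.}"
    printf '_acme-challenge.%s.\n' "$base"
}

# Emit the nsupdate batch for token $2 on domain $1.  $3 is "add" for the
# auth hook or "delete" for the cleanup hook, so nothing stale is left in
# the zone once the CA has checked it.
build_update() {
    name=$(challenge_name "$1")
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$3" = add ]; then
        printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$2"
    else
        printf 'update delete %s IN TXT "%s"\n' "$name" "$2"
    fi
    printf 'send\n'
}

# Confirm the server actually answers with the token before the CA is
# told to validate; a failed lookup here is a clear, early error.
wait_for_txt() {
    name=$(challenge_name "$1")
    for _ in 1 2 3 4 5; do
        dig +short @"$DNS_SERVER" "$name" TXT | grep -qF "\"$2\"" && return 0
        sleep 2
    done
    echo "TXT for $name not visible on $DNS_SERVER" >&2
    return 1
}

main() {
    build_update "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$1" | nsupdate -k "$TSIG_KEY"
    [ "$1" = add ] && wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
}

# Only act when invoked with an action; sourcing the file is a no-op.
case "${1:-}" in add|delete) main "$1" ;; esac
```

Run it as `hook.sh add` from the auth hook and `hook.sh delete` from the cleanup hook; the same script handles both because the batch text differs only in the update verb.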
