On 2020-07-10 20:16:47 -0300 (-0300), Arthur Diniz wrote:
[...]
> If you have any tips on any other way to set up I would love your
> contribution, since my knowledge in certificate generation and
> automation is very basic.

I help run (a lot of) community infrastructure for some large open
source projects, and we use the DNS method. However, we also run our
own authoritative nameservers, so we just have a dedicated ACME
renewal zone and CNAME all the well-known records to that. A periodic
Ansible task fires https://github.com/acmesh-official/acme.sh and
then splats the necessary challenge response into the BIND zonefile
on the primary nameserver along with a serial update, at which point
all the secondary nameservers pull that zone and start serving it, so
by the time LE checks, it finds the response it expects. We get away
with just using one challenge response record since we serialize all
our renewals.

This is what the entrypoint playbook for it looks like (referenced
roles are relative to that playbook's path too):

https://opendev.org/opendev/system-config/src/branch/master/playbooks/letsencrypt.yaml

It's likely severe overkill though if you're just doing it for a
handful of servers. No idea if this helps, though it might give you
some ideas at least.
-- 
Jeremy Stanley
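The delegation pattern Jeremy describes, modelled offline as an added example (this is not acme.sh, not the opendev playbook, and not anything from the thread): the production zones CNAME every _acme-challenge name into a dedicated renewal zone, a renewal replaces the single challenge TXT record in that zone and bumps the SOA serial, and a CNAME-following lookup shows what the CA's validator would see. The zone names (acme.example.org, the acme-challenge label), the token and the account key are all constructed values; the challenge response itself is computed as RFC 8555 section 8.4 specifies (base64url of SHA-256 over token, ".", and the RFC 7638 key thumbprint).

```python
"""Added example of DNS-01 delegation into a dedicated ACME renewal zone.
Not acme.sh or the opendev playbook; all names below are hypothetical."""
import base64
import hashlib
import json
import re
from datetime import date

ACME_ZONE = "acme.example.org"        # hypothetical dedicated renewal zone
CHALLENGE_LABEL = "acme-challenge"    # the one TXT owner every CNAME points at

# Constructed renewal zone, as it would sit on the primary before a renewal.
RENEWAL_ZONE = """\
$ORIGIN acme.example.org.
$TTL 300
@ IN SOA ns1.acme.example.org. hostmaster.example.org. (
    2020071001 ; serial
    3600 900 1209600 300 )
@ IN NS ns1.acme.example.org.
@ IN NS ns2.acme.example.org.
acme-challenge 60 IN TXT "stale-value-from-last-renewal"
"""


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def delegation_records(hostnames):
    """CNAMEs to add in each production zone: _acme-challenge.<host> -> one
    fixed name in the renewal zone. Sufficient because renewals are serialised."""
    target = f"{CHALLENGE_LABEL}.{ACME_ZONE}."
    return [(f"_acme-challenge.{h}.", "CNAME", target) for h in hostnames]


def dns01_response(token, account_jwk):
    """TXT value the CA expects (RFC 8555 s8.4) using the RFC 7638 thumbprint,
    which covers only the required JWK members, sorted, without whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[account_jwk["kty"]]
    canon = json.dumps({k: account_jwk[k] for k in required}, sort_keys=True,
                       separators=(",", ":")).encode()
    thumbprint = _b64url(hashlib.sha256(canon).digest())
    return _b64url(hashlib.sha256(f"{token}.{thumbprint}".encode()).digest())


SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(\s*)(\d+)")


def bump_serial(zone_text, today_yyyymmdd=None):
    """Raise the SOA serial (YYYYMMDDnn convention). Secondaries only transfer
    when the serial grows, so a forgotten bump means the CA sees stale data."""
    today = today_yyyymmdd or int(date.today().strftime("%Y%m%d"))
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    old, floor = int(m.group(2)), today * 100
    new = floor if old < floor else old + 1
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], new


def publish_challenge(zone_text, txt_value, today_yyyymmdd=None):
    """Drop the previous challenge TXT, append the new one, bump the serial."""
    keep = [l for l in zone_text.splitlines()
            if not (l.split()[:1] == [CHALLENGE_LABEL] and " TXT " in l)]
    keep.append(f'{CHALLENGE_LABEL} 60 IN TXT "{txt_value}"')
    return bump_serial("\n".join(keep) + "\n", today_yyyymmdd)


ZONE_RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(CNAME|TXT)\s+(.+)$")


def parse_rrs(zone_text):
    """Minimal zonefile reader for CNAME/TXT lines, honouring $ORIGIN and @."""
    origin, rrs = "", []
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = ZONE_RR.match(line)
        if m:
            owner = origin if m.group(1) == "@" else m.group(1)
            if not owner.endswith("."):
                owner = f"{owner}.{origin}"
            rrs.append((owner, m.group(2), m.group(3).strip().strip('"')))
    return rrs


def resolve_txt(records, name, max_hops=8):
    """Follow CNAMEs the way the CA's validator does and return the TXT values."""
    for _ in range(max_hops):
        cnames = [r for o, t, r in records if o == name and t == "CNAME"]
        if not cnames:
            return [r for o, t, r in records if o == name and t == "TXT"]
        name = cnames[0]
    raise RuntimeError("CNAME chain too long or looping")


def demo(today_yyyymmdd=None):
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed token
    jwk = {"kty": "EC", "crv": "P-256",                   # constructed key
           "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
           "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
    value = dns01_response(token, jwk)
    zone, serial = publish_challenge(RENEWAL_ZONE, value, today_yyyymmdd)
    view = delegation_records(["www.example.com", "mail.example.com"]) + parse_rrs(zone)
    return {"txt": value, "zone": zone, "serial": serial,
            "seen_by_ca": resolve_txt(view, "_acme-challenge.www.example.com.")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the model glosses over in real use: the primary must actually reload the zone (rndc reload, or whatever the automation uses) and the secondaries must have transferred it before the CA is told to validate, which is what a "DNS sleep" or a lookup loop against each secondary is for; and the serial bump is the only thing that makes that transfer happen, so writing the TXT without it leaves the CA validating against last renewal's value.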