Automate certificate renew where the site is in the k8s

Good afternoon everyone. First of all, I apologize for my English; it is not good enough. I will try very hard to make my problem clear.
The task is to renew certificates via a GitLab pipeline. Please tell me which command is the right one to use to renew the certificates and to confirm the domain via DNS. I should also add that since all of this will be done in a pipeline, I need a command that does not require interactive input. I tried to use acme.sh, but not successfully:

acme.sh --issue --dns -d domain.com -d www.domain.com --yes-I-know-dns-manual-mode-enough-go-ahead-please --force > output_acme.txt

Next, from the output I extracted the data needed to create the TXT record in my DNS (the TXT record name and its value). I have a ready-made bash script to add TXT records via the API using a token. The script that adds entries on the DNS servers is tested and works in another pipeline.
I wait a certain amount of time (sleep 600) for my added records to propagate to the DNS servers. Then I run the renew command:

acme.sh --renew -d domain.com -d www.domain.com --yes-I-know-dns-manual-mode-enough-go-ahead-please --force

and in the output I get that I need to add TXT records with new values.

Also tried the certbot:

certbot certonly \
  --dns-nsone \
  --dns-nsone-credentials /etc/letsencrypt/nsone.ini \
  --dns-nsone-propagation-seconds 30 \
  -d domain.com \
  -d www.domain.com \
  --manual \
  --preferred-challenges dns \
  --manual-auth-hook /path/to/create_txt_records.sh \
  --manual-cleanup-hook /path/to/delete_txt_records.sh

Here I understand that you cannot combine two methods, so I also tried the other way:

certbot certonly \
  --dns-nsone \
  --dns-nsone-credentials ./nsone.ini \
  --dns-nsone-propagation-seconds 30 \
  -d domain.com \
  -d www.domain.com \
  --preferred-challenges dns

Also unsuccessfully.

Maybe I'm doing something wrong, or maybe there is another way to renew the certificate without installing it on the web server, that is, to obtain only the certificate, with validation via DNS.

Thank you all in advance for your help.

Usually, in the #help section you would have been provided with a questionnaire. This is mandatory. Some questions you've already answered in your post, but many not, e.g., the actual output of the commands. With just "unsuccessfully" we can't help you very much.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


I'm sorry, I'm new to the community.
My domain is: harbor.homecredit.kz and harbor-drc.homecredit.kz.

I ran this command: /root/.acme.sh/acme.sh --issue --dns -d harbor.homecredit.kz -d harbor-drc.homecredit.kz --yes-I-know-dns-manual-mode-enough-go-ahead-please --force > /tmp/output_acme.txt

The result was this output: $ /root/.acme.sh/acme.sh --issue --dns -d harbor.homecredit.kz -d harbor-drc.homecredit.kz --yes-I-know-dns-manual-mode-enough-go-ahead-please --force > /tmp/output_acme.txt
[Sat Apr 8 19:57:30 UTC 2023] Please add the TXT entries to the domains and re-run with --renew.
[Sat Apr 8 19:57:30 UTC 2023] Please add '--debug' or '--log' to check more details
[Sat Apr 8 19:57:30 UTC 2023] See: https://github.com/acmesh-off
Cleaning up project directory and file based variables 00:01
Using docker image sha256:bd3890bf9202e001495c49b0721c381d78d6a2e346bb73c86f54fd4898d47dcd for registry.kz.eit.zone/library/gitlab-runner-helper:x86_64-98daeee0 with digest registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper@sha256:8706270c187b607189747b6700f76144abcc81b70c92b8aa295503f6121dfd99 ...
ERROR: Job failed: exit code 1

My web server is (including version): the service is in the k8s (port 1.4.0-dev), I assume this is nginx

The operating system my web server is running on is (include version): NAME="VMware Photon OS" VERSION="4.0" ID=photon VERSION_ID=4.0 PRETTY_NAME="VMware Photon OS/Linux" ANSI_COLOR="1;34" HOME_URL="https://vmware.github.io/photon/" BUG_REPORT_URL="Issues · vmware/photon · GitHub"

My hosting provider, if applicable, is as follows: On-premises.

I can log in to a root shell on my machine (yes or no, or I don't know): yes

I use a control panel to manage my site (no, or specify the name and version of the control panel): no, I cannot manage my site

The version of my client is (e.g. output certbot --version or certbot-auto --version if you use Certbot): /root/.acme.sh/acme.sh --version GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol v3.0.6 /root/.acme.sh/acme.sh --upgrade --use-wget [Sat Apr 8 19:57:24 UTC 2023] Already upgraded! [Sat Apr 8 19:57:24 UTC 2023] Upgrade successful!

Who is your DNS host?


It was built from this repository: GitHub - benapetr/dnsphpadmin: DNS web admin panel written in PHP, designed to operate via nsupdate, for all kinds of RFC compliant DNS servers

That doesn't answer the question, but apparently you're hosting your own DNS. And from what the description says, it will accept updates via nsupdate. So why are you trying to script the updates yourself, rather than using acme.sh's built-in support for nsupdate? See:


Or use the Certbot dns-rfc-2136 plugin to update the DNS server, see Welcome to certbot-dns-rfc2136’s documentation! — certbot-dns-rfc2136 0 documentation

Also:

Please don't use this option. If there is an error with issuance, this option will NOT magically make the error go away. That's NOT what the option does. Please read the documentation and educate yourself FIRST before using relatively dangerous options. Thank you.

Another thing: the output you've posted doesn't actually mention the error message from the ACME server, so it's incomplete. If you can, please post the entire output.

Note that I do not have any clue what "k8s" is, perhaps Kubernetes or something similar?

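One way to wire an existing DNS-update step into certbot's challenge flow, instead of the separate issue / sleep 600 / renew sequence from the first post, is a `--manual-auth-hook` that publishes the record with nsupdate (the RFC 2136 mechanism the replies above point at) and then polls the authoritative server until the record is visible. This is an added example, not code from the thread, from certbot or from acme.sh; the server name, TSIG key path and the domain used in the comments are assumed placeholders.

```shell
#!/bin/sh
# Constructed example of a certbot --manual-auth-hook. certbot exports
# CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the hook must publish
# _acme-challenge.<domain> TXT <validation> and return only once it is live.
# Assumptions (not from the thread): the primary DNS server accepts RFC 2136
# dynamic updates signed with the TSIG key file in TSIG_KEYFILE.
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.example.test}"                 # hypothetical primary
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/tsig.key}"    # hypothetical path
MAX_WAIT="${MAX_WAIT:-120}"                                  # seconds to poll

# Print the nsupdate batch for one challenge record. Kept as a pure function
# so it can be checked without a DNS server: it only emits text.
nsupdate_batch() {
  domain="$1"; value="$2"; server="$3"
  printf 'server %s\nupdate add _acme-challenge.%s. 60 IN TXT "%s"\nsend\n' \
    "$server" "$domain" "$value"
}

# Poll the authoritative server for the exact TXT value rather than sleeping
# a fixed time. Returns 0 when seen, 1 on timeout (certbot then aborts).
wait_for_txt() {
  domain="$1"; value="$2"; server="$3"; waited=0
  while [ "$waited" -lt "$MAX_WAIT" ]; do
    if dig +short @"$server" TXT "_acme-challenge.$domain" | grep -qF "\"$value\""; then
      return 0
    fi
    sleep 5
    waited=$((waited + 5))
  done
  return 1
}

main() {
  : "${CERTBOT_DOMAIN:?set by certbot}" "${CERTBOT_VALIDATION:?set by certbot}"
  nsupdate_batch "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$DNS_SERVER" \
    | nsupdate -k "$TSIG_KEYFILE"
  wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$DNS_SERVER"
}

# Run only when certbot invokes the hook (it sets CERTBOT_DOMAIN).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  main
fi
```

A matching `--manual-cleanup-hook` would emit `update delete` for the same name; with both hooks in place the `--dns-nsone` flags from the first post are not needed.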

Yes, k8s is Kubernetes.


I cannot use this functionality because my DNS is inside the company network and not reachable over the Internet. For this reason the task is not quite simple for me.

@Osiris I corrected your comments.
I'm trying to use acme.sh at the moment, but so far without success.

But you must have some public DNS servers--how do you update those?


So I'm using acme.sh now, and I get this error when I renew:
Challenge error: {
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "KeyID header contained an invalid account URL: \"https://acme-v02.api.letsencrypt.org/acme/acct/1050915427\"",
  "status": 400
}

The Let's Encrypt validation server needs to be able to access the validation token somehow over the public internet. Is it possible for the entire internet to resolve DNS resource records for your (sub)domain in the first place? Because if that is NOT possible, you also CANNOT use the dns-01 challenge.

In summary: you cannot use public certificate authorities such as Let's Encrypt for servers of which the host and DNS server is not accessible from the public internet.


@uzhyrgalbekov

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

Since you're using k8s, you might want to consider using cert-manager instead of certbot. You can deploy it with helm then attach it to your ingress with kubectl.

