Automating renewal of certs

Hi Team,

Greetings, and Happy New Year, everyone!

This is Sunil from Deloitte, seeking your support on automating the process of renewing the Let's Encrypt certs in our environment.

Here is the quick background of our current setup which we are using to generate and renew the Let's Encrypt certs.

  1. The current setup which we have is in GCP, where we are generating TXT records using certbot for each domain and updating them manually on DNS for domain validation.
  2. The public IPs mapped to the domains are GCP load balancer public IPs, so we can't validate the domains using the public IP (on-prem it was done through HAProxy); also we don't have access to the LBs as they are managed by the CSP.
  3. The DNS servers are hosted on Windows name servers, which are still on-premises and managed by the client network team.
  4. I know there are APIs which support automating this process if the DNS providers are third-party vendors like Cloud DNS, Route 53 or GoDaddy etc.

It is a very tedious task to update the TXT record manually all the time while generating and renewing the certs.

Considering the above situation, is there any way where we can automate the cert generation and renewal process?

Please let us know the steps if we can achieve this.

Thanks & Regards,
Sunil G R

1 Like

Hi @Sunil2, welcome to the LE community forum, and Happy New Year! 🙂

Given that you are using Windows DNS [for authoritative zone], I would have you consider obtaining the certs via a Windows client [or any client] that can integrate with them directly.

If you are not too concerned with where the certs are being obtained, and renewed, the simplest solution to that [IMHO] is to use a native Windows client on one of those Windows DNS servers.

See:
ACME Client Implementations - Let's Encrypt (letsencrypt.org)

5 Likes

You could also look into acme-dns or other strategies based on CNAME records.

7 Likes

Thanks @rg305, we can't use the Windows DNS servers as we don't have access to them. Can you please suggest any specific client which we can try to integrate?

2 Likes

Which are the authoritative DNS servers for that zone?

4 Likes

The CNAME approach may be ideal for your scenario. You can learn a little more about it in the following article.

6 Likes
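As an added illustration of the acme-dns / CNAME delegation suggested above (not code from this thread or from any ACME client): the CA's resolver follows `_acme-challenge.<domain>` through any CNAME to wherever the TXT record actually lives, so a zone that the automation *can* write to only needs one static CNAME per domain. The snippet computes the DNS-01 TXT value the CA expects and checks, against a constructed in-memory zone standing in for real DNS, that the CNAME chain ends at a record carrying that value; the account key, token, and the `auth.acme-dns.example.net` delegation target are all hypothetical.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires for challenge values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value the CA expects under _acme-challenge.<domain> for this token and account key."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def resolve_challenge_txt(domain: str, zone: dict, max_hops: int = 8):
    """Follow _acme-challenge.<domain> through CNAMEs the way a validating resolver would.

    `zone` is a constructed stand-in for DNS: {owner_name: {"CNAME": target} | {"TXT": [values]}}.
    Returns (final_owner_name, list_of_txt_values)."""
    name = f"_acme-challenge.{domain}"
    for _ in range(max_hops):
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]  # delegation hop, e.g. into an acme-dns zone
            continue
        return name, rrset.get("TXT", [])
    raise RuntimeError(f"CNAME chain for {domain} exceeds {max_hops} hops")


def preflight(domain: str, token: str, jwk: dict, zone: dict) -> bool:
    """True only if the delegated record already carries the value the CA will look for."""
    final_name, txt_values = resolve_challenge_txt(domain, zone)
    return dns01_txt_value(token, jwk) in txt_values
```

Run this kind of check after the automation writes the TXT record and before asking the CA to validate; a wrong delegation target or a stale value shows up here instead of as a failed order and a rate-limit hit.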

Hi @rg305,

These are a few of the name servers:
ns1.tupperware.net
dylan.ns.cloudflare.com
susan.ns.cloudflare.com

1 Like

Which one of those DNS servers do you (want to) update?
Which is the author?

4 Likes

Hi @rg305, majorly we have domains under ns1.tupperware.net.

How do those three servers synchronize changes to the zone?
[and how often]

2 Likes