Automation of SAN cert with DNS challenge

I have been using letsencrypt for the better part of the last year - it has been great. I have been slowly trying to increment this towards automation.

I am using DNS challenge with SAN certs for the bulk of our domains and then generating an haproxy specific cert. In addition we are starting to use this with GCP loadbalancers which take a similar cert. It all works pretty well but I have a few questions on smoothing this out a bit.

  • even with the “agree-tos” flag set (see below) I still get asked if it is ok to log my IP. How do I autoanswer that question?

My full update looks like this:

certbot-auto --agree-tos -m techsupport@xxxxx.com --manual --preferred-challenges dns certonly --cert-name xxx_SAN_cert -d xxx.com,c.xxx.com,cdn.xxx.com,www.xxx.com

when I generate the haproxy cert I do this:

cat fullchain.pem privkey.pem > /etc/ansible/vault_vars/ssl_keys/xxx_cert

Thank you for any advice on how to do this better

Hi @mbubb,

You are looking for this switch --manual-public-ip-logging-ok

Cheers,
sahsanu


And in this case, you might want to use --post-hook to run a script with this effect. (Remember that the recommended command once you already have the certificate is just certbot-auto renew, which uses saved settings to renew the certificate, but only attempts to do so when the certificate is less than 30 days from expiry.)

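As an added example (not the poster's script and not code from certbot), here is the shape a hook like the one suggested above could take. It rebuilds the combined haproxy PEM the same way the thread's `cat fullchain.pem privkey.pem` does, but with the checks an unattended run needs: it refuses to build a bundle from a missing or empty input, writes through a temp file so haproxy never reads a half-written bundle, and keeps the private key 0600 the whole time. Two certbot facts it relies on: `--post-hook` runs after every `renew` invocation whether or not anything was renewed, while `--deploy-hook` runs only when a certificate was actually renewed and exports `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory), so the entry point at the bottom assumes it is wired in as a deploy hook. The destination directory `/etc/haproxy/certs` and the commented-out reload line are assumptions about the poster's layout.

```shell
#!/bin/sh
# Added example, not the poster's script and not part of certbot: a deploy
# hook that rebuilds the haproxy-style combined PEM (fullchain first, then
# privkey, the same order as the `cat` in the thread) with the checks an
# unattended run needs. certbot sets RENEWED_LINEAGE for --deploy-hook; the
# destination directory /etc/haproxy/certs is an assumption, adjust as needed.
set -eu

build_haproxy_pem() {
    lineage="$1"   # e.g. /etc/letsencrypt/live/xxx_SAN_cert
    out="$2"       # e.g. /etc/haproxy/certs/xxx_SAN_cert.pem
    chain="$lineage/fullchain.pem"
    key="$lineage/privkey.pem"

    # Refuse to write a half-built bundle: both inputs must exist and be non-empty,
    # and each must at least look like the PEM type it is supposed to be.
    for f in "$chain" "$key"; do
        [ -s "$f" ] || { echo "build_haproxy_pem: missing or empty $f" >&2; return 1; }
    done
    grep -q 'BEGIN CERTIFICATE' "$chain" || { echo "build_haproxy_pem: no certificate in $chain" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key"        || { echo "build_haproxy_pem: no private key in $key" >&2; return 1; }

    # Write to a temp file in the target directory (mktemp creates it 0600),
    # then rename over the old bundle: haproxy never sees a partial file and
    # the private key is never readable by anyone else, even briefly.
    tmp="$(mktemp "$(dirname "$out")/.haproxy-cert.XXXXXX")"
    if ! cat "$chain" "$key" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}

# Entry point when certbot invokes this script as --deploy-hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" "/etc/haproxy/certs/$(basename "$RENEWED_LINEAGE").pem"
    # Reloading haproxy afterwards is an assumption about the poster's setup,
    # so it is left commented out here:
    # systemctl reload haproxy
fi
```

Invoked by certbot as `certbot-auto renew --deploy-hook /path/to/this-script`, or called directly as `build_haproxy_pem /etc/letsencrypt/live/NAME /etc/haproxy/certs/NAME.pem` from a deploy job. Where `openssl` is available, a worthwhile extra step before the `mv` is to confirm the key actually belongs to the leaf certificate by comparing the output of `openssl x509 -in fullchain.pem -noout -pubkey` with `openssl pkey -in privkey.pem -pubout`; it is omitted above so the script runs on a minimal host.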

Thank you - I am running these all from a central deploy server (Ansible + jenkins) so I don’t think I can use the ‘certbot-auto renew’ - but I will look into it.

A ‘post-hook’ is a good idea to try as a next step. Thanks

Thanks - missed this somehow - wonder if I am looking at old docs…
