Help with wildcard setup


#41

Which one is the account key?
And can I remove / get a new one?


#42

From the screenshot… There is an “Account Key” box.

Sure.

You probably need to use the key that is issued by the “ACMEv2 production server”.
(You should have at least two keys on this server: one is “Staging v2”, the other one is “Production v2”.)

Thank you


#43

Is it the master key part?


#44

I’m sorry but I’m not sure…

In conclusion:

  1. Switch that ACME server to Production v2.
  2. Click on “Create new account key”
  3. Click on “Register ACME account key”
  4. Save
  5. Go back to the issuance process, and try to request the certificate again (but this time, make sure it’s on Production, not Staging)

Thank you and Good luck


#45

OK, changed the account key and all.
It’s now in production, and the cert is valid!!

Now I just need to add it to my HP servers etc.

A shame I can’t get that docker container to work.


#46

Congrats!
I see this now:
https://crt.sh/?id=1008218279
which has:

            X509v3 Subject Alternative Name: 
                DNS:*.ad.marcuse.net.au
                DNS:*.marcuse.net.au
                DNS:marcuse.net.au

#47

But the main reason I need the dual wildcards was for the iLO cert.
But it wants me to generate a CSR and send it to Let’s Encrypt, then import the cert!


#48


#49

This doesn’t sound like something that will be easy to script a renewal for…


#50

I found this, but I don’t know how to do that.


#51

That link seems to indicate that you can run the “hpilo_cli” command on the system to generate the CSR and also to import the public cert - which may be scriptable.
It doesn’t mention how to interact with LetsEncrypt.
Which may mean that part is manual.
I don’t have a “test” system with such a setup, so I can’t be 100% certain if the entire process can be automated.


#52

Hopefully someone knows the interaction, as I’m not sure how that is implemented.


#53

Is there an HP forum?


#54

I had to enter a specific DNS record by hand for a wildcard:

$ dig _acme-challenge.colmena.biz txt

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-10.P2.fc29 <<>> _acme-challenge.colmena.biz txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39984
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.colmena.biz. IN TXT

;; ANSWER SECTION:
_acme-challenge.colmena.biz. 3600 IN TXT "RoEcER5B4YyWnx_BujcGBrWiwrdm446CdD_zG97euR8"

;; Query time: 117 msec
;; SERVER: 2001:19f0:300:1704::6#53(2001:19f0:300:1704::6)
;; WHEN: Wed Dec 12 02:33:52 UTC 2018
;; MSG SIZE rcvd: 112


#55

Remember that Let’s Encrypt certificates are only valid for 90 days, so this may not be a very practical workflow if you plan to continue using this configuration for a long time. (The token that has to be placed in your DNS zone will be different every time the certificate is reissued.)
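Why that TXT value changes on every reissue: it is not a static secret, but a hash of the per-order challenge token and the account key’s thumbprint (RFC 8555 §8.4, RFC 7638). The following is an added illustration, not code from this thread or from Certbot; the JWK and token values are constructed placeholders, and the published-record check expects the quoted strings that dig prints.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token '.' thumbprint)).

    A new token is issued per order, so the value differs at every renewal
    even though the account key (and thus the thumbprint) stays the same.
    """
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def record_is_published(published_txt: list, expected: str) -> bool:
    """True if one of the TXT strings returned by the resolver matches.

    dig prints TXT data in double quotes, so strip them before comparing.
    """
    return expected in [v.strip('"') for v in published_txt]


# Constructed sample values; not a real account key or challenge token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
SAMPLE_TOKEN = "constructed-challenge-token-from-the-order"

if __name__ == "__main__":
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print("publish: _acme-challenge.example.com. 3600 IN TXT", f'"{expected}"')
    print("check:   dig +short _acme-challenge.example.com txt")
    # Simulate the resolver still serving last renewal's record.
    print("stale record accepted:", record_is_published(['"old-value"'], expected))
```

Before letting the ACME client proceed to validation, poll the authoritative servers with dig until `record_is_published` is true for the freshly computed value; a hook that returns early on a stale record is the usual cause of a failed wildcard renewal.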


#56

I realize that.

There are several plugins to automate the DNS challenge, but none so far for the DNS service offered by my current hosting provider.

https://www.vultr.com/

There is an API, and I’m sure that it would be possible to write such a plugin, but the other option is to run my own DNS servers, if there is some way to use the certbot-dns-rfc2136 plugin. The only non-proprietary one?

https://certbot-dns-rfc2136.readthedocs.io/en/stable/

Otherwise, yes, you are quite correct in pointing that out. And here we go, a whole article written up about it!

https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation


#57

If you wanna use Certbot, maybe try https://github.com/letsdebug/certbot-vultr-dns-auth-hook

I know that lego natively supports Vultr, but it doesn’t quite do the same tasks as Certbot.