Hello there,
i am creating an ansible script to create free wildcard ssl for my multiple domains. i can create those ssl certificates manually but facing issue while doing it via ansible, because the command we using to create wildcard ssl it will provide us a TXT record value, but i am unable to update that TXT vaule on the fly, is there any way by which i can automate this process.
My domain is: livesem.co.il
I ran this command: certbot certonly -d '*.livesem.co.il' --manual --preferred-challenges dns
It produced this output: unable to get TXT record value via ansible.
Is there any API from let's encrypt from where we can send wildcard request and get the TXT value and i will update that value in dns record manually ?
Do you? Is there another DNS server that you can update automatically?
In principle, the "CNAME method" is simple--create a CNAME record pointing _acme-challenge.whateverdomainyouwantacertfor.com to domainwhosednsyoucontrol.com. Then, instead of needing to make automated DNS updates for _acme-challenge.whateverdomainyouwantacertfor.com, you'd instead make them for domainwhosednsyoucontrol.com. But you still need to be able to make automated DNS updates to something in order for wildcards to be usable.
Thanks alot for your update, can you please do one more favour?
please tell me what parameter should i pass into the certbot command during ssl creation time ?
that would be really helpful for me.
Do you mean you have no access to the DNS provider, or that you do not have easy access to the DNS?
If you have no access at all to DNS, you can not get a wildcard.
If you do not have easy access, but can work with whomever manages DNS, you can delegate authority for the domains to another DNS provider with acme_challenge records. The popular way to do this is by running an instance of ACME-DNS, and having the main dns record delegate authority to it.
yes i don't have easy access to that dns.
Suppose i want to create free wild-card let's encrypt ssl certificate for a domain via ansible scripts , i can't find the TXT record on the fly during ansible execution . so i want a alternative way that how i can easily create ssl's without TXT records.
@danb35 i was talking about this thread. please let me know what parameter should i pass into certboat command while creating ssl's with cname method which you mentioned yesterday.
repeating what @danb35 said, that is not possible.
If you don't have easy access, but can access the master zone record, you can enter an _acme-challenge record that delegates control to a DNS server you can more easily manage.
This sounds like an anti-pattern. ansible is typically used to launch/control ephemeral virtual servers. provisioning a certificate via letsencrypt during these types of processes is discouraged as it typically causes rate-limit and other errors for those who implement it. a better model is to centrally provision the certificates and have ansible pull from there OR use a system that persists certificates across server creations.