Server cluster with dynamic DNS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.files.example.com

I ran this command: certbot certonly --standalone -d files.example.com -d *.files.example.com --staple-ocsp -m op@example.com --agree-tos

It produced this output: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS

My web server is (include version): minio server

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.0

I don’t believe the above is a complete description of my issue.
I am attempting to build a 3 node, distributed minio cluster using dynamic DNS for incoming connections. For this to work I need a set of certificates for all three nodes. The problem is the nodes will be reached via their parent domain.
PD: files.example.com
host: node1.files.example.com
host: node2.files.example.com
host: node3.files.example.com

minio needs the nodes to connect to one another using their hostname (IE: https://node1.files.example.com:443) but clients connecting to the cluster will connect using “files.example.com” which will have all three node IPs in distributed DNS (IE depending on certain variables, users doing a DNS lookup on files.example.com will be given the IP of any one of the nodes and not necessarily the same node every time).

I really would like to have the ability to update the certificates as cleanly as possible each time. I have choices on how I can do this, but nothing painless.

If I use this command:
certbot certonly --standalone -d docs.positiveaction.net -d *.docs.positiveaction.net --staple-ocsp -m nic@positiveaction.net --agree-tos
I get the aforementioned error.
If I use THIS command:
certbot certonly --manual -d docs.positiveaction.net -d *.docs.positiveaction.net --agree-tos
I have to place a file somewhere reachable on the server from port 80; however, the server doesn’t have a standard webserver in place and installing one is inconvenient.
I would use a plugin (there is one for my DNS provider, nsone); however, said plugin isn’t available for my distro, and the forum post (here) refers to folders that simply don’t exist on my server (namely
~/.local/share/letsencrypt/bin/activate in either my user directory or the root home directory), and the instructions (here) ask me to install a plugin that’s simply not available (namely certbot-dns-nsone).

so… what’s the cleanest way to get certs for each of my three servers, usable by both their host and their parent domains? if the nsone plugin is the best way, then how do I install it?

Hi @rudepeople

please read

A wildcard certificate requires dns validation. Always.

So --standalone can’t work. That’s impossible. Standalone starts its own webserver, so http validation is used.

You have to create two dns TXT entries.

  • manual
  • with a working dns plugin
  • may be the better solution: Switch to another client.

acme.sh supports a lot of dns providers.

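As an added illustration of why the reply above says two TXT entries are needed (this is example code, not from the thread or from Certbot): under RFC 8555 the DNS-01 record name drops the wildcard label, so files.example.com and *.files.example.com are both validated at _acme-challenge.files.example.com, each with its own token-derived value. Tokens and the account-key thumbprint below are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict


def challenge_record_name(identifier):
    """TXT record name for a DNS-01 challenge on `identifier`.

    RFC 8555 section 8.4: a leading "*." is removed before prefixing
    "_acme-challenge.", so a name and its wildcard share one record name.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base


def txt_value(token, account_thumbprint):
    """Record content: base64url(SHA-256(token "." thumbprint)) without padding."""
    key_authorization = (token + "." + account_thumbprint).encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def plan_dns01(challenges, account_thumbprint):
    """Group the TXT values to publish by record name.

    `challenges` is a list of (identifier, token) pairs as issued by the CA.
    An order for files.example.com plus *.files.example.com produces two
    tokens that land on the same record name, so the zone must hold both
    TXT records side by side; overwriting one with the other fails one
    authorization.
    """
    plan = defaultdict(list)
    for identifier, token in challenges:
        plan[challenge_record_name(identifier)].append(txt_value(token, account_thumbprint))
    return dict(plan)


if __name__ == "__main__":
    # Constructed sample values, not real ACME tokens or a real key thumbprint.
    sample = [("files.example.com", "tokenA-constructed"),
              ("*.files.example.com", "tokenB-constructed")]
    for name, values in plan_dns01(sample, "thumbprint-constructed").items():
        for value in values:
            print(f'{name}. IN TXT "{value}"')
```

Comparing the planned records against what `dig TXT _acme-challenge.files.example.com` returns before telling Certbot to continue avoids the failed-authorization rate limit.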

I get that.

I also considered running this on each node: certbot certonly --manual -d files.example.com -d node1.files.example.com --agree-tos
(Swapping node1 with each respective node name). But I think that will cause issues considering I’ll have three servers with public certs for the same name “files.example.com”. Or does letsencrypt not check that?

and that leads me back to needing the nsone plugin then… if so, what’s the current procedure for installing it?

also, I meant to mask my domain name. Guess I was in too much of a hurry… any chance you’d be willing to edit your post to remove it? Security through obscurity…

I see you edited your post. As a reminder this is listed at the top of the questionnaire:

Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help


For your security through obscurity approach, this is an extremely horrible idea. When you issue a certificate for your server, the certificate and its details (hostname) will be recorded in a public database in order to satisfy CA/B and browser requirements. This means anyone who is bored enough to scan the database (CT log servers) will be able to find these hostnames and connect to them. (If allowed)

Thus, it’s better to either use a wildcard certificate, or just use a self-signed certificate for these communications. (Since a self-signed certificate will not be sent to CT log servers)

If you Google certbot nsone, the instructions are located on certbot website. https://certbot.eff.org/docs/using.html?highlight=dns


gotcha. wasn’t aware of that… I’ll remember in the future.


Quoting stevenzhu:
If you Google certbot nsone, the instructions are located on certbot website. https://certbot.eff.org/docs/using.html?highlight=dns

Quoted from the guide in question:

These plugins are not included in a default Certbot installation and must be installed separately.

Following the link to the plugin itself, there are no instructions for installation.

The plugin is either installed by script when installing from git, or it is installed from whatever repository I installed certbot from. The guides for installing the plugin from the git-installed certbot (also often called certbot-auto) refer to non-existent folders, indicating they are obsolete. The certbot ppa (where I installed certbot from) does not have the nsone plugin. See for yourself!

I must be missing something. I’ll go back and re-read the document you sent stevenzhu, maybe I just overlooked it.


I wasn’t overlooking anything. The install instructions I can find are either obsolete, or simply don’t work with my distro. I did take a moment to look at several other distros to see if anyone had the plugin ready to install; looks like there’s a package for rpm based distros (fedora, cent, and suse), but not much for anyone else… For now, I give up.

I installed apache on node1 of the cluster. Then I ran this:
certbot certonly --manual -d docs.positiveaction.net -d *.docs.positiveaction.net --staple-ocsp -m nic@positiveaction.net --agree-tos

Of course I had a couple of very minor hoops to jump through (had to create a text file with a text string and put it in the applicable folder as well as create an acme challenge text entry in my DNS zone), but it created a viable cert that is presently working for the three nodes.

I may create a 4th node without minio and a completely closed firewall (except port 80) exclusively for this purpose. I would REALLY like to use the nsone plugin so I can automate the re-cert in the future. C’est la vie.
