Sharing API account with cluster


#1

Hi!

I am in the process of optimizing ACME/LE on three very large clusters (webhosting).
Currently each host has its own account for LE’s API but it seems more appropriate to use the same for all clusters (which would allow bumping the rate limit).

I found these files on each issuing machine:

  • meta.json
  • private_key.json
  • regr.json

I could add them to my CMDB but the parent folder has some kind of UUID/hash. Can I just rename the folder to something generic?

What do others do to share a config with a CMDB / Ansible / Chef, etc.?

Thank you
Kevin


#2

I did some tests and the folder needs to keep its name; it is derived from the hash of the account data.

My CMDB is now adjusted to understand this.

I need to set up certificates by using the renew-confs. My solution is very “hacky”.
What do others do to automate this task?

Using python’s subprocess is very unsatisfying and the ACME python lib does not support wildcard certs (which I need).

Kevin
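Because the folder name is derived from the account key, a CMDB can recompute it instead of storing it. The script below is an added example, not code from this thread or from certbot: it rebuilds the id as the MD5 hex digest of the PEM-encoded public key (SubjectPublicKeyInfo) taken from the JWK in private_key.json, which is my reading of certbot's account code (the post above only says it is a hash of the account data), so compare its output with one existing directory before relying on it; the sample JWK is constructed, and only the public members n and e are read.

```python
"""Recompute a certbot account directory name from the account JWK.

Certbot keeps each ACME account under accounts/<server>/directory/<id>/ with
meta.json, private_key.json and regr.json. Assumption (my reading of certbot,
not stated in the thread): <id> = MD5 hex digest of the PEM public key (SPKI).
"""
import base64
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_uint(raw: bytes) -> bytes:
    """DER INTEGER from an unsigned big-endian magnitude (pad 0x00 if MSB set)."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def _b64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def public_key_pem(jwk: dict) -> str:
    """PEM 'PUBLIC KEY' block for an RSA JWK; private members are never touched."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA account keys are handled here")
    rsa_pub = _der(0x30, _der_uint(_b64url(jwk["n"])) + _der_uint(_b64url(jwk["e"])))
    alg_id = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def account_dir_name(jwk: dict) -> str:
    """Directory name the account would live under (parse private_key.json with json.load first)."""
    return hashlib.md5(public_key_pem(jwk).encode()).hexdigest()


# Constructed sample (not a real key): 2048-bit modulus with the top bit set, e = 65537.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": base64.urlsafe_b64encode(bytes([0xC3] * 256)).rstrip(b"=").decode()}

if __name__ == "__main__":
    print(account_dir_name(SAMPLE_JWK))
```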


#3

Disclaimer: I am completely unfamiliar with this setup.

But I would think that you could just copy the entire folder/path/conf from one system to the other to get it “cloned”.
Maybe you could test that theory out…


#4

Hi @syfy323,

I don’t have much experience with generic CMDB and this problem but might have some helpful pointers for you.

I believe Ansible has a Let’s Encrypt module that is broken up in a way that makes it easier for CMDB to synchronize account state. Perhaps there is something similar for your CMDB of choice, or it could serve as design inspiration for a custom integration using the acme module from Certbot.

The Certbot acme module does have ACME v2 support and can be used to issue wildcard certificates but it will require you to connect the pieces and somehow update the relevant DNS zones with the dynamic TXT record programmatically. Boulder uses this module as part of chisel2.py, a small ACME test client we use in integration tests to issue wildcard certificates. We use a mock DNS server for the TXT records, a real world use would have to update real authoritative nameservers.

Hope those pointers help!


#5

Ok, I will check this lib out again. Changing DNS would not be the problem in general but I prefer http01. Why? Because all clusters have reverse proxies in front of them, where the acme-challenges are passed to ACME nodes (which is best practice as per LE docs).

While I can perfectly control which files and folders are cached for HTTP, it is much more limited for DNS. I use PowerDNS Auth for all zones with dnsdist (same vendor) to load-balance between endpoints and masters.

In my opinion, the DNS challenges do not provide additional security. Commercial CAs just check CAA if set as well as the reachability of one of the Whois emails.

I built this CMDB myself on top of Django. It can solve everything I want it to :wink:
After browsing more docs, I realized I can generate lots of “configs” (cli?) and feed them to certbot.
It also works perfectly when adding or removing domains from the file (renewal auto-detect).

Seems like I need to use subprocess again until I can switch to my own client on top of the raw ACME lib.

Thanks for your ideas!