Designate as authenticator for Let's Encrypt
This guide will help you configure certbot to work with plugins for OpenStack DNS (Designate) to verify Let's Encrypt certificates by using DNS for any domain that is running in the Binero cloud DNS.
The guide assumes you are using a recent version of Debian or Ubuntu, but it would likely be applicable to other Linux distributions.
Install certbot and the Python package manager pip by running:
sudo apt install certbot python3-designateclient python3-pip
Using pip, install the dns-openstack authenticator plugin by running:
sudo pip3 install certbot-dns-openstack
Create an application credential with the roles reader and member. Use the following in the access rules:
- service: dns
  method: GET
  path: /v2/zones
- service: dns
  method: GET
  path: /v2/zones/{zone_id}
- service: dns
  method: GET
  path: /v2/zones/{zone_id}/recordsets
- service: dns
  method: POST
  path: /v2/zones/{zone_id}/recordsets
- service: dns
  method: GET
  path: /v2/zones/{zone_id}/recordsets/{recordset_id}
- service: dns
  method: PUT
  path: /v2/zones/{zone_id}/recordsets/{recordset_id}
- service: dns
  method: DELETE
  path: /v2/zones/{zone_id}/recordsets/{recordset_id}
Download the application credential as YAML and save it on your server to the following path:
/etc/openstack/clouds.yaml
Set the permissions on the file by running:
sudo chown root:root /etc/openstack/clouds.yaml; sudo chmod 600 /etc/openstack/clouds.yaml
You are now able to issue certificates as you normally would, with the exception of adding -a dns-openstack to the command line, for example:
sudo certbot -a dns-openstack certonly -d example.domain
To change the authentication of any existing certificates, edit /etc/letsencrypt/renewal/example.domain.conf and set the authentication option to dns-openstack.
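
An added example, not part of the original guide or of the certbot-dns-openstack project: a Python check that compares an application credential's access rules, written in the flat list form used above, against the seven rules this guide lists, and reports which are missing and which go beyond them. REQUIRED, SAMPLE, parse_rules and audit are hypothetical names, and the sample rules are constructed.

```python
# Added example (hypothetical names): audit access rules against the guide's list.
REQUIRED = {
    ("dns", "GET", "/v2/zones"),
    ("dns", "GET", "/v2/zones/{zone_id}"),
    ("dns", "GET", "/v2/zones/{zone_id}/recordsets"),
    ("dns", "POST", "/v2/zones/{zone_id}/recordsets"),
    ("dns", "GET", "/v2/zones/{zone_id}/recordsets/{recordset_id}"),
    ("dns", "PUT", "/v2/zones/{zone_id}/recordsets/{recordset_id}"),
    ("dns", "DELETE", "/v2/zones/{zone_id}/recordsets/{recordset_id}"),
}
# Constructed sample: one rule from the guide plus one that is not in it.
SAMPLE = """\
- service: dns
  method: GET
  path: /v2/zones
- service: dns
  method: DELETE
  path: /v2/zones/{zone_id}
"""

def parse_rules(text):
    """Parse the flat '- service / method / path' list (not general YAML)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):       # a dash starts a new rule
            rules.append({})
            line = line[2:].strip()
        if not rules or ":" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = line.split(":", 1)
        rules[-1][key.strip()] = value.strip().strip("'\"")
    return {(r.get("service", ""), r.get("method", "").upper(), r.get("path", ""))
            for r in rules}

def audit(text):
    """Return (missing, extra) rule lists relative to the guide's set."""
    found = parse_rules(text)
    return sorted(REQUIRED - found), sorted(found - REQUIRED)

if __name__ == "__main__":
    missing, extra = audit(SAMPLE)
    print("missing:", missing)
    print("extra (broader than the guide):", extra)
```

Any entry reported as extra is a permission the credential holds beyond what the guide asks for; any entry reported as missing is a rule from the guide that the credential lacks.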