Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use certbot instead of ocf-lets-encrypt #1068

Open
nikhiljha opened this issue Feb 10, 2021 · 4 comments
Open

use certbot instead of ocf-lets-encrypt #1068

nikhiljha opened this issue Feb 10, 2021 · 4 comments

Comments

@nikhiljha
Copy link
Member

I read through ocf-le and I don't understand why it's broken... maybe we should just use certbot?

@cg505
Copy link
Member

cg505 commented Feb 10, 2021

we mostly don't use certbot because it is does not give us a lot of flexibility to use our own dns server to respond to dns challenges iirc

@nikhiljha
Copy link
Member Author

Yup, we would need to write certbot-dns-ocf.

@jvperrin
Copy link
Member

So one thing that might be confusing currently is that we have a couple different methods for obtaining certs:

  1. Using the custom-written ocf-lets-encrypt and lets-encrypt-update scripts - this is used for HTTP-only challenges for webhosting and apphosting currently. This is the oldest method of using Let's Encrypt certs in use at the OCF, and was designed to be used for for other cert requests too (e.g. for our mail server) before we used DNS-based challenges anywhere.
  2. Using dehydrated and dehydrated-hook-ddns-tsig - this is used for all DNS-based challenges for all other certs, especially for wildcard certs (only available via DNS challenge). This method was created primarily so that we could switch off using any Comodo/InCommon certs (manually issued and expired every 3 years, although we got them free through the university) and move entirely to Let's Encrypt. Both dehydrated and dehydrated-hook-ddns-tsig are provided by packages maintained by Debian and the ddns hook in particular is useful because it allows for updating the letsencrypt.ocf.io zone, which is pointed to by a bunch of _acme-challenge records: https://github.com/ocf/dns/blob/d0e2ac7904b34f5a7aa1bc8d0550488392e8146c/etc/db.ocf#L65

Unless you're looking to replace the second method of obtaining certs (of which ocf-lets-encrypt isn't even involved), then you shouldn't need to do anything besides respond to HTTP challenges on death/vampires. I don't remember now why we wrote our own scripts to do this part, but they might not be necessary now, and testing with some domains with our own DNS and dev-death would probably confirm if this can be replaced by something like certbot.

I also wouldn't recommend writing something custom for DNS challenges when there's things like dehydrated-hook-ddns-tsig already out there, because it's then one more thing we have to maintain :)

@emmatyping
Copy link
Member

So it seems that for part 1. we should be able to use certbot-nginx/apache to respond to HTTP challenges for vhost/apphosts?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants