On 2023-05-04 13:45:29 +0100 (+0100), Derek O keeffe wrote:
> We didn’t really want to interact with the vm afterwards, we have many machines that need to be locked down but then need to certbot renew which they can’t. We were thinking of a script that uses openstack sdk to remove the security group, update the cert and then add the security group back. [...]
If you have an easy way to push records into DNS, using the DNS-based issuance and renewal workflow may be easier than orchestrating connectivity from the registrar's servers to your virtual machines. For our servers, we orchestrate the acme.sh tool and associated DNS record updates with Ansible roles: https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles (specifically the ones there named like letsencrypt-*). Since we also operate our own name servers it's relatively easy for us, but if your DNS provider has an API or supports the dynamic update protocol then it's probably still pretty simple to do.
-- 
Jeremy Stanley