Certbot auto renew
Hi all,

We're having a problem with renewing letsencrypt certs via certbot in an external Neutron network where a security group is locking down HTTP+HTTPS access to select IP ranges. As far as we know the IP address for the Certbot ACME challenge server is always changing and therefore a static security group can't be set up to allow in traffic from that server. We have experimented with using UFW rules instead, thinking we may be able to write a script to open port 80 periodically to allow the ACME challenge through, then close it back up, but it hasn't worked as we'd hoped either (either all traffic is blocked or the security group immediately takes precedence). Is there any way to programmatically enable + disable a security group as needed using something like OpenstackSDK to achieve the same thing?

Thanks in advance.

Regards, Derek
On Thu, May 4, 2023 at 7:14 AM Derek O keeffe <derekokeeffe85@yahoo.ie> wrote:
[...]
Derek,

Instead of thinking about the security group rule being enabled or disabled, maybe think about it existing or not existing. Prior to your certbot run, you add a rule to a security group to allow 80 inbound, and then when certbot is done, you delete the rule.

Personally I like Ansible, but you could use literally anything to accomplish this task, even bash.

https://docs.ansible.com/ansible/latest/collections/openstack/cloud/security...

-- 
~/DonnyD
"No mission too difficult. No sacrifice too great. Duty First"
On 2023-05-04 13:45:29 +0100 (+0100), Derek O keeffe wrote:
We didn’t really want to interact with the vm afterwards, we have many machines that need to be locked down but then need to certbot renew which they can’t. We were thinking of a script that uses openstack sdk to remove the security group, update the cert and then add the security group back. [...]
If you have an easy way to push records into DNS, using the DNS-based issuance and renewal workflow may be easier than orchestrating connectivity from the registrar's servers to your virtual machines. For our servers, we orchestrate the acme.sh tool and associated DNS record updates with Ansible roles: https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles (specifically the ones there named like letsencrypt-*). Since we also operate our own name servers it's relatively easy for us, but if your DNS provider has an API or supports the dynamic update protocol then it's probably still pretty simple to do. -- Jeremy Stanley
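A minimal version of the DNS-based workflow Jeremy describes, written here as an added example rather than taken from the opendev roles he links. Certbot's `--manual-auth-hook` and `--manual-cleanup-hook` run a program with `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` in the environment; this hook turns those into an RFC 2136 dynamic update for the `_acme-challenge.<domain>` TXT record and feeds it to `nsupdate` with a TSIG key. The name server, zone, key file and wait time are read from environment variables that this example defines for itself (`ACME_DNS_SERVER`, `ACME_DNS_ZONE`, `ACME_TSIG_KEYFILE`, `ACME_DNS_WAIT`); they are assumptions, not certbot options.

```python
#!/usr/bin/env python3
"""certbot manual auth/cleanup hook that publishes the DNS-01 TXT record via nsupdate.

Added example. Usage (both hooks point at this file):
  certbot certonly --manual --preferred-challenges dns \
      --manual-auth-hook    "/usr/local/bin/acme_dns_hook.py auth" \
      --manual-cleanup-hook "/usr/local/bin/acme_dns_hook.py cleanup" \
      -d example.com -d '*.example.com'
"""
import os
import subprocess
import sys
import time

TTL = 60  # short TTL so stale challenge records do not linger in caches


def challenge_name(domain):
    """DNS-01 looks for TXT at _acme-challenge.<identifier>; a wildcard
    '*.example.com' is validated at the same name as 'example.com'."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain.rstrip(".") + "."


def nsupdate_script(action, domain, zone, validation, server, ttl=TTL):
    """Return the nsupdate batch for adding or deleting one challenge record.

    The validation string is base64url (A-Z, a-z, 0-9, '-', '_'), so it can be
    quoted directly. 'delete' names the exact rdata, leaving any other TXT
    records at the same name (e.g. a parallel validation) untouched.
    """
    if action not in ("add", "delete"):
        raise ValueError(f"unknown action {action!r}")
    name = challenge_name(domain)
    if action == "add":
        rr = f'{name} {ttl} IN TXT "{validation}"'
    else:
        rr = f'{name} IN TXT "{validation}"'
    return f"server {server}\nzone {zone.rstrip('.')}.\nupdate {action} {rr}\nsend\n"


def run_nsupdate(script, keyfile):
    """Pipe the batch to nsupdate, authenticating with the TSIG key file."""
    subprocess.run(["nsupdate", "-k", keyfile], input=script, text=True, check=True)


def main(argv):
    mode = argv[1] if len(argv) > 1 else "auth"
    # Environment supplied by certbot to manual hooks.
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    # Environment defined by this example (assumptions, set them in the timer unit).
    server = os.environ["ACME_DNS_SERVER"]
    zone = os.environ["ACME_DNS_ZONE"]
    keyfile = os.environ.get("ACME_TSIG_KEYFILE", "/etc/acme/tsig.key")

    action = "add" if mode == "auth" else "delete"
    run_nsupdate(nsupdate_script(action, domain, zone, validation, server), keyfile)
    if mode == "auth":
        # Give secondaries time to transfer the zone before the CA queries it;
        # the CA may hit any authoritative server, not only the primary.
        time.sleep(int(os.environ.get("ACME_DNS_WAIT", "30")))


if __name__ == "__main__":
    main(sys.argv)
```

The TSIG key should be restricted on the name server to updating TXT records under `_acme-challenge` names only (for example with a BIND `update-policy` grant), so that a compromised web VM cannot rewrite the rest of the zone. If the zone already speaks RFC 2136 this is also exactly what the `certbot-dns-rfc2136` plugin does without a hand-written hook; the manual hook form is mainly useful when the record has to go through some other provider API.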