Certbot auto renew

Jeremy Stanley fungi at yuggoth.org
Thu May 4 13:30:50 UTC 2023


On 2023-05-04 13:45:29 +0100 (+0100), Derek O keeffe wrote:
> We didn’t really want to interact with the vm afterwards, we have
> many machines that need to be locked down but then need to certbot
> renew which they can’t. We were thinking of a script that uses
> openstack sdk to remove the security group, update the cert and
> then add the security group back.
[...]

If you have an easy way to push records into DNS, using the
DNS-based issuance and renewal workflow may be easier than
orchestrating connectivity from the registrar's servers to your
virtual machines.

For our servers, we orchestrate the acme.sh tool and associated DNS
record updates with Ansible roles:
https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles
(specifically the ones there named like letsencrypt-*). Since we
also operate our own name servers it's relatively easy for us, but
if your DNS provider has an API or supports the dynamic update
protocol then it's probably still pretty simple to do.
-- 
Jeremy Stanley
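As an added illustration of the DNS-based workflow suggested above (this is example code, not part of the thread and not opendev's Ansible roles): a certbot `--manual` hook pair that publishes and removes the `_acme-challenge` TXT record over RFC 2136 dynamic update with `nsupdate`, so the locked-down VM never needs an inbound rule opened for renewal. The name server `ns1.example.com`, the zone `example.com` and the TSIG key path are constructed placeholders.

```shell
# Added example: certbot DNS-01 hooks using RFC 2136 dynamic update (nsupdate).
# Assumed (constructed) values: the zone primary NS_SERVER, the zone name, and a
# TSIG key file readable only by the account that runs certbot.
NS_SERVER="${NS_SERVER:-ns1.example.com}"
ZONE="${ZONE:-example.com}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/acme/tsig.key}"
TTL=60

# ACME DNS-01 tokens are base64url (A-Z a-z 0-9 _ -). Anything else is rejected
# so a tampered CERTBOT_VALIDATION cannot smuggle extra commands into the batch.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the nsupdate batch for one record.
# $1 = add|delete, $2 = certificate name (CERTBOT_DOMAIN), $3 = token (CERTBOT_VALIDATION)
acme_update_batch() {
    valid_token "$3" || { echo "refusing malformed validation token" >&2; return 1; }
    name="_acme-challenge.$2."
    printf 'server %s\nzone %s.\n' "$NS_SERVER" "$ZONE"
    if [ "$1" = add ]; then
        printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$3"
    else
        printf 'update delete %s IN TXT "%s"\n' "$name" "$3"
    fi
    printf 'send\n'
}

# Send the batch signed with the TSIG key; for "add", wait until the authoritative
# server actually answers with the token before letting certbot ask the CA to check.
publish_challenge() {
    acme_update_batch add "$1" "$2" | nsupdate -k "$TSIG_KEYFILE" || return 1
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        dig +short @"$NS_SERVER" "_acme-challenge.$1." TXT | grep -Fq "\"$2\"" && return 0
        sleep 3
    done
    echo "challenge record not visible on $NS_SERVER" >&2; return 1
}
remove_challenge() { acme_update_batch delete "$1" "$2" | nsupdate -k "$TSIG_KEYFILE"; }

# Invoked by certbot, e.g.:
#   certbot certonly --manual --preferred-challenges dns -d www.example.com \
#     --manual-auth-hook "/path/to/this.sh auth" --manual-cleanup-hook "/path/to/this.sh cleanup"
case "${1:-}" in
    auth)    publish_challenge "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
    cleanup) remove_challenge  "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
esac
```

The cleanup hook removes the record after validation so stale `_acme-challenge` entries do not accumulate, and the TSIG key should be scoped on the name server to updates of `_acme-challenge.*` TXT records only.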