Migrated to certbot-rfc2136 (as pdns supports it)
RFC2136: https://doc.powerdns.com/authoritative/dnsupdate.html
certbot-dns-rfc2136: https://certbot-dns-rfc2136.readthedocs.io/en/stable/
- it's recommended to run the API server next to pdns, because currently it's quite chatty
- get python3.4+, OpenSSL headers (libssl-dev), pip install the requirements
  - make sure to install libssl-dev before the uwsgi install
  - if you already have uwsgi installed, try uninstalling it (then deleting the pip wheel cache) and reinstalling it with `pip3 install -v -I uwsgi |& grep https`, and make sure you see that plugins/http/https.c gets compiled
- make a `le-config.json` (see the `le-config.sample.json`)
- put the client part (cronscript and letsencrypt.sh) on every node/server/host/box/VM where you need the certs renewed (you need openssl, dig, jq and curl there, but no python) into `/opt/letsencrypt`
- generate new cert(s) (test the cron script(s) and the whole setup), then make symlinks out of the old cert files (e.g. you used to have a `/etc/ssl/private/herp.derp.key` and `/etc/ssl/certs/herp.derp.pem`; now make them symlinks that point to `/opt/letsencrypt/certs/herp.derp/privkey.pem` and `/opt/letsencrypt/certs/herp.derp/cert.pem`)
- secure up!
  - run.sh does this for you: on the server
    `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX -nodes -subj '/CN=much-crypt-such-secure'`
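As an added example (not part of the project's run.sh or letsencrypt.sh), here is a POSIX shell function for the symlink step above that is safe to keep in the cron script: it refuses to point a service at a certificate that has not been generated yet, keeps the old file as a backup, and is idempotent. The `/opt/letsencrypt/certs/<name>/` layout comes from the steps above; the `LE_ROOT` variable, the `link_cert` function name and the `.pre-letsencrypt` backup suffix are this example's own choices.

```shell
#!/bin/sh
# Added example, not the project's own code: swap an existing certificate file
# for a symlink into the renewal directory /opt/letsencrypt/certs/<name>/.
# LE_ROOT can be overridden from the environment (assumed name, not from the README).
LE_ROOT="${LE_ROOT:-/opt/letsencrypt/certs}"

# link_cert NAME OLD_PATH KIND
#   NAME      certificate directory name, e.g. herp.derp
#   OLD_PATH  file the service currently reads, e.g. /etc/ssl/certs/herp.derp.pem
#   KIND      which renewed file to link: cert.pem or privkey.pem (chain files too)
# Returns 0 on success (or nothing to do), 1 if the renewed file is missing, 2 on bad KIND.
link_cert() {
    name="$1"; old="$2"; kind="$3"
    case "$kind" in
        cert.pem|privkey.pem|fullchain.pem|chain.pem) ;;
        *) echo "link_cert: unknown file kind '$kind'" >&2; return 2 ;;
    esac
    target="$LE_ROOT/$name/$kind"

    # Never replace a working file with a dangling link: the cert must exist first.
    if [ ! -s "$target" ]; then
        echo "link_cert: $target missing or empty; generate the cert before linking" >&2
        return 1
    fi

    # Already linked to the right place: nothing to do, so cron can call this every run.
    if [ -L "$old" ] && [ "$(readlink "$old")" = "$target" ]; then
        return 0
    fi

    # Keep the previous regular file so a rollback is a single mv.
    if [ -e "$old" ] && [ ! -L "$old" ]; then
        mv "$old" "$old.pre-letsencrypt"
    fi

    # -n replaces an existing link instead of creating one inside a directory.
    ln -sfn "$target" "$old"
    # Note: a symlink carries no permissions of its own; the service user needs
    # read access to the privkey.pem target under LE_ROOT, nothing more.
}

# Typical use from the cron script (commented out so the file is safe to source):
# link_cert herp.derp /etc/ssl/private/herp.derp.key privkey.pem
# link_cert herp.derp /etc/ssl/certs/herp.derp.pem   cert.pem
```

Call it once per file after a successful renewal and then reload the service; because the link points into the renewal directory, later renewals need no further file moves, and a failed or not-yet-run renewal leaves the old file untouched.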