On 1/29/19 1:35 PM, Kevin A. McGrail wrote:
On 1/29/2019 2:25 PM, Dave Jones wrote:
On 1/29/19 10:20 AM, Bill Cole wrote:
On 29 Jan 2019, at 10:25, Kevin A. McGrail wrote:

So is this fixed on the sa-vm1.apache.org server or do I need to fix
it still?

FYI, I found a better method for LE verification using the DNS-01
method and a wrapper hook to ACME DNS:

http://docs.cert-manager.io/en/master/reference/issuers/acme/dns01/acme-dns.html


I set up the ACME DNS Go server on auth.ena.net so I can host my own
_acme-challenge records via a CNAME.  You can use the author's
auth.acme-dns.io server to get started.  At home I set this up on my
pfSense firewall using the acme package.  Now I have a wildcard cert
that I pull from my pfSense firewall to my raspi and push out to all
of my web servers so I have https everywhere and no annoying cert
warnings.

ACME DNS allows for a server that is not reachable by the Internet to
be a central repository for all of your LE certs and automated
renewals. Then you push out the certs to all of your servers using
your favorite tool like Ansible, Puppet, Chef, Salt, shell script, etc.

Dave

This is NOT fixed.  Bill and I were talking about it at work on a non-SA
box and I thought it was interesting.


I changed the challenge to use acme-dns and generated a wildcard cert successfully which is live now.

https://www.ssllabs.com/ssltest/analyze.html?d=ruleqa.spamassassin.org

# cat /etc/letsencrypt/renewal/spamassassin.org.conf
[renewalparams]
pref_challs = dns-01,
manual_auth_hook = /etc/letsencrypt/acme-dns-auth.py


# head /etc/letsencrypt/acme-dns-auth.py
.
.
.
# URL to acme-dns instance
ACMEDNS_URL = "https://auth.acme-dns.io"


Dave
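The pieces described in this thread (register a name with an acme-dns instance, CNAME _acme-challenge.<domain> to it, then let the certbot manual-auth hook push the validation token into the TXT record on each renewal) as one added example. This is not the hook script Dave shows above nor the upstream acme-dns client; it is a minimal stand-alone version written for this page. Assumed, not from the thread: the credential file path, the HTTP transport and CNAME resolver being injectable so the pre-flight check can run offline, and the sample domain names used in the usage note.

```python
"""Minimal acme-dns client for a certbot --manual-auth-hook, with a CNAME pre-flight check."""
import json
import os
import sys
import urllib.request

# Assumptions (not from the thread): the public instance from the acme-dns docs and a
# credentials file path; a self-hosted instance would replace both values.
ACMEDNS_URL = "https://auth.acme-dns.io"
STORAGE_PATH = "/etc/letsencrypt/acmedns.json"
CHALLENGE_LABEL = "_acme-challenge"


def http_json(method, url, body=None, headers=None):
    """Default transport: JSON over HTTPS via urllib; tests inject a fake instead."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode() or "{}")


def register(http=http_json, url=ACMEDNS_URL, allowfrom=None):
    """POST /register: acme-dns hands back per-name credentials and a random fulldomain.
    allowfrom (list of CIDRs) limits which sources may later call /update with them."""
    body = {"allowfrom": allowfrom} if allowfrom else None
    status, creds = http("POST", url + "/register", body)
    if status != 201:
        raise RuntimeError("acme-dns register failed: %s %s" % (status, creds))
    for key in ("username", "password", "fulldomain", "subdomain"):
        if key not in creds:
            raise RuntimeError("register reply missing %r" % key)
    return creds


def update(creds, txt, http=http_json, url=ACMEDNS_URL):
    """POST /update: set the TXT value for our subdomain. acme-dns rejects any value that
    is not exactly 43 characters (the base64url SHA-256 key authorization certbot passes
    in CERTBOT_VALIDATION), so fail before making the request."""
    if len(txt) != 43:
        raise ValueError("validation token must be 43 chars, got %d" % len(txt))
    headers = {"X-Api-User": creds["username"], "X-Api-Key": creds["password"]}
    status, reply = http("POST", url + "/update",
                         {"subdomain": creds["subdomain"], "txt": txt}, headers)
    if status != 200:
        raise RuntimeError("acme-dns update failed: %s %s" % (status, reply))
    return reply


def challenge_name(domain):
    """Name Let's Encrypt queries for DNS-01. A wildcard *.example.org is validated at
    _acme-challenge.example.org, so a leading '*.' is stripped defensively (certbot
    normally passes the base name in CERTBOT_DOMAIN already)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "%s.%s" % (CHALLENGE_LABEL, base)


def cname_ok(domain, creds, resolve_cname):
    """Pre-flight: does _acme-challenge.<domain> CNAME to the acme-dns fulldomain?
    resolve_cname(name) -> target-or-None is injected so this runs offline; in
    production wrap dnspython or `dig +short CNAME` and call this before certbot."""
    target = resolve_cname(challenge_name(domain))
    if target is None:
        return False
    return target.rstrip(".").lower() == creds["fulldomain"].rstrip(".").lower()


def load_storage(path=STORAGE_PATH):
    if os.path.exists(path):
        with open(path) as fh:
            return json.load(fh)
    return {}


def save_storage(store, path=STORAGE_PATH):
    with open(path, "w") as fh:
        json.dump(store, fh, indent=2)
    os.chmod(path, 0o600)  # the file holds acme-dns API credentials


def main():
    """certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION, then expects exit 0 once
    the TXT record is in place. First run for a domain only registers and prints the
    CNAME the operator must add; later runs just push the token."""
    domain = os.environ["CERTBOT_DOMAIN"]
    token = os.environ["CERTBOT_VALIDATION"]
    store = load_storage()
    if domain not in store:
        store[domain] = register()
        save_storage(store)
        print("Add this CNAME, then re-run certbot:\n  %s. CNAME %s."
              % (challenge_name(domain), store[domain]["fulldomain"]))
        sys.exit(1)
    update(store[domain], token)


if __name__ == "__main__":
    main()
```

Usage matches the renewal config above: point `manual_auth_hook` at this file with `pref_challs = dns-01,`. Because only the acme-dns host needs to be reachable from the Internet and the hook only ever speaks to it over HTTPS with per-name credentials, the certbot box itself can stay private, which is the central-repository setup Dave describes; `allowfrom` further pins the `/update` calls to that box's address range.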
