Open arthurzenika opened 5 years ago
Yes indeed ... the complicated part being the interface with the DNS server. Do you know what kind of protocol / API is used in your example ?
I've managed to get something working for an internal yunohost instance, after running our procedure for certbot-dns (we can contribute some doc at some point if the upstream certbot is not enough)
120 cd /etc/yunohost/certs/y.intra.logilab.fr
121 rm crt.pem
124 ln -s /etc/letsencrypt/live/y.intra.logilab.fr/cert.pem crt.pem
126 rm key.pem
127 ln -s /etc/letsencrypt/live/y.intra.logilab.fr/privkey.pem key.pem
128 ln -s /etc/letsencrypt/live/y.intra.logilab.fr/fullchain.pem ca.pem
129 rm ca.pem
130 ln -s /etc/letsencrypt/live/y.intra.logilab.fr/fullchain.pem ca.pem
131 systemctl restart nginx
Is there a ticket somewhere to change the certificates from the web UI (for this usecase or when an company has their own PKI) ?
Hi , I have a similar problem , YNH is behind firewall and not reachable on 80/443
Currently I redirect both every 3 months for renew LE certificate
AFAIU this feature would enable auto LE cert renew ?
Yes, it would allow obtaining a LE certificate without exposing port 80
Could be ~doable now that 4.3 allows to interact with registrar API (assuming you provided the corresponding API key)
That would be great news for intranet deployments of yunohost. Thanks for thinking of this issue.
acme-tiny
won't support DNS-01 challenge.
We could change for acme-hooked which is a fork of acme-tiny ("drop-in replacement") and support DNS challenge.
https://github.com/acmesh-official/acme.sh could solve the problems easily. It comes with a lot of dns apis, is scriptable and the deployhook takes care of restarting services. I am using a custom deploy script to push a wildcard cert to at least 20 different machines (intranet stuff mostly) and I do not want these machines to be known on the certstream.
So I was looking into "how to get a Lets Encrypt wildcard certificate", hoping to address https://github.com/YunoHost/issues/issues/1634, and realized this requires the DNS-01 challenge ...
Looking further, I found that there's a PR on acme-tiny repo that implements the DNS-01 challenge (sort of - you need to provide a script). The diff is kinda simple and it wouldnt look too difficult to use this version : https://github.com/diafygi/acme-tiny/pull/238
Of course that would also imply (or you could call it "encourage" ;)) that people would add their DNS API key in YunoHost
Having read a number of the related issues such as #2089, #1357 and #1634, I agree that the certificate renewal could do with some further enhancements/improvements.
If one uses subdomains then they're affected by the lack of wildcard renewals, but also I wouldn't personally trust exposing something like Yunohost to the public Internet. So if access is only possible locally or over a VPN then HTTP-01 challenges are also problematic. It's possible to simply workaround with a reverse proxy handling TLS but for most users I suspect it would be nice to have this working in Yunohost and the UI.
In summary, the combination of DNS-01 challenges and supporting the --no-check option would permit a few extra common use cases that seem difficult today.
-- bvs
In my use case DNS-01 challenge was the only option, as I want to host yunohost server non-publicly, behind VPN. So I've generated certificate using certbot
and then linked generated certs to path in /etc/yunohost/certs/
I guess I need to repeat these steps for renewal.
Possibility of doing that from web admin panel would be really helpful.
Letsencrypt certificates can be generated using DNS records see https://certbot-dns-rfc2136.readthedocs.io/en/stable/ for further information.
For internal uses of yunohost (intranet) without a internal PKI it would be nice to have this mechanism available for generating certificates. This would require configuring the keys used to talk to the "public DNS server" of the company.