OK, I’ve pushed the releases to my repo; if you have these packages installed, you should see an update notification tomorrow morning.
Before upgrading, if you previously configured the API to use HTTPS, you must remove the CNAME record you created for `_acme-challenge.acme.example.com`. This was needed when using an external ACME client to obtain the cert (as I’d documented in the wiki), but now will interfere with acme-dns obtaining its own cert.
When you install nethserver-acme-dns 0.2, by default, it will configure acme-dns to obtain its API certificate from the Let’s Encrypt staging server. This is to avoid exceeding the Let’s Encrypt rate limits when you’re testing things out (and possibly needing to fix things). After you install, give the system a couple of minutes to set itself up and obtain its cert, then test it using `openssl s_client -connect localhost:8675`. It should connect successfully, and show you a cert from the Let’s Encrypt Staging CA.
If you were able to connect successfully and see that certificate, it means everything in the certificate process is working properly. Now switch to the Let’s Encrypt production CA by running `config setprop acme-dns-api TLSType letsencrypt`, followed by `signal-event nethserver-acme-dns-update`. After you’ve given it a few minutes to settle down, verify the cert again by running the same `openssl` command. It should show you similar output, but note that the cert was issued by “Let’s Encrypt Authority X3”. If that works, you’re good to go.
Acme-dns will now obtain and renew its own certificate. Once you’ve confirmed that’s all working properly, you should remove the cert you’d previously obtained using `certbot delete` (or an equivalent command for whatever other client you may have used). You’ll then want to clean up the config database entries using `config setprop acme-dns-api FullchainPath "" KeyPath ""`.
I’ll be updating the wiki shortly (edit: done). I’d appreciate any testing; let me know of any issues here.
Now to see if I can wrap my head around this Cockpit thing to get a panel in there…
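
The staging and production checks described in the post can be scripted instead of read off the `openssl s_client` output by eye. The following is an added example, not part of the original post or the nethserver-acme-dns package; the function names are hypothetical, and matching staging issuers on "staging" or "Fake LE" is an assumption about how the staging CA names its certificates.

```shell
#!/bin/sh
# Added example: classify the issuer of the acme-dns API certificate so the
# staging -> production switch can be gated on a check rather than eyeballed.

# classify_issuer ISSUER_LINE -> prints staging | production | unknown
classify_issuer() {
    # Lower-case first so the match does not depend on the CA's capitalisation.
    issuer=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$issuer" in
        # Assumption: staging issuer names contain "staging" or "fake le".
        # Checked first, because a staging name may also say "let's encrypt".
        *staging*|*"fake le"*) echo staging ;;
        *"let's encrypt"*)     echo production ;;
        # Anything else (self-signed, another CA) is not what the post expects.
        *)                     echo unknown ;;
    esac
}

# fetch_issuer HOST:PORT -> prints the issuer line of the served certificate
fetch_issuer() {
    # </dev/null closes the TLS session as soon as the handshake is done.
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer 2>/dev/null
}

# check_api_cert EXPECTED [HOST:PORT]
# Returns 0 only if the served cert is of the expected type,
# 2 if no certificate could be read at all, 1 on a mismatch.
check_api_cert() {
    expected=$1
    target=${2:-localhost:8675}
    line=$(fetch_issuer "$target")
    if [ -z "$line" ]; then
        echo "no certificate from $target (cert may still be pending)" >&2
        return 2
    fi
    actual=$(classify_issuer "$line")
    echo "$target: $line -> $actual"
    [ "$actual" = "$expected" ]
}
```

Run `check_api_cert staging` after installing and `check_api_cert production` after the `signal-event`; a non-zero exit means the cert is not yet the one the post says to expect.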