If you’ve installed my acme-dns module on your server, you should be seeing an update notification in the next few days. The developer has released version 0.8, and I’ll be updating my nethserver-acme-dns module and releasing both shortly.
I don’t normally post release announcements, but 0.8 brings a significant change in functionality–acme-dns can now obtain its own TLS cert from Let’s Encrypt for the API, entirely on its own, using DNS validation. This means that, in almost all installations, there will be no need for you to obtain one separately, and you can (and probably should) delete the cert you’ve obtained in the past. If you got the cert using certbot, the certbot delete command will do the job; if you used a different client you’ll be on your own.
Note: You will also need to delete the CNAME record you should have created for _acme-challenge.acme.yourdomain.
The module will still support using a provided cert for HTTPS on the API, but I expect that will be a rare use case.
OK, I’ve pushed the releases to my repo; if you have these packages installed, you should see an update notification tomorrow morning.
Before upgrading, if you previously configured the API to use HTTPS, you must remove the CNAME record you created for _acme-challenge.acme.example.com. This was needed when using an external ACME client to obtain the cert (as I’d documented in the wiki), but now will interfere with acme-dns obtaining its own cert.
When you install nethserver-acme-dns 0.2, by default, it will configure acme-dns to obtain its API certificate from the Let’s Encrypt staging server. This is to avoid exceeding the Let’s Encrypt rate limits when you’re testing things out (and possibly needing to fix things). After you install, give the system a couple of minutes to set itself up and obtain its cert, then test it using openssl s_client -connect localhost:8675. It should connect successfully, and show you a cert from the Let’s Encrypt Staging CA.
If you were able to connect successfully and see that certificate, it means everything in the certificate process is working properly. Now switch to the Let’s Encrypt production CA by running config setprop acme-dns-api TLSType letsencrypt, followed by signal-event nethserver-acme-dns-update. After you’ve given it a few minutes to settle down, verify the cert again by running the same openssl command. It should show you similar output, but note that the cert was issued by “Let’s Encrypt Authority X3”. If that works, you’re good to go.
Acme-dns will now obtain and renew its own certificate. Once you’ve confirmed that’s all working properly, you should remove the cert you’d previously obtained using certbot delete (or an equivalent command for whatever other client you may have used). You’ll then want to clean up the config database entries using config setprop acme-dns-api FullchainPath "" KeyPath "".
I’ll be updating the wiki shortly (edit: done). I’d appreciate any testing; let me know of any issues here.
Now to see if I can wrap my head around this Cockpit thing to get a panel in there…