Skip to content

Latest commit

 

History

History
177 lines (168 loc) · 4.21 KB

README.md

File metadata and controls

177 lines (168 loc) · 4.21 KB

How to Setup Auto-Renew for Letsencrypt WILDCARD Certificate with DNS challenge?

YouTube Tutorial

Allocate Elastic IP to EC2 Instance

  • Add tag Name = server

Create Ubuntu EC2 Instance

  • Launch Ubuntu 20.04 EC2 instance
  • Create server SG
  • Create devops key pair
  • Associate Elastic IP address with EC2
  • Update devops key pair permissions
chmod 400 devops.pem
  • SSH to the EC2 instance
ssh -i devops.pem ubuntu@<public-ip>

Install acme-dns Server

  • Create folder for acme-dns and change directory
sudo mkdir /opt/acme-dns
cd !$
  • Download and extract tar with acme-dns from GitHub
sudo curl -L -o acme-dns.tar.gz \
https://github.com/joohoi/acme-dns/releases/download/v0.8/acme-dns_0.8_linux_amd64.tar.gz
sudo tar -zxf acme-dns.tar.gz
  • List files
ls
  • Clean Up
sudo rm acme-dns.tar.gz
  • Create soft link
sudo ln -s \
/opt/acme-dns/acme-dns /usr/local/bin/acme-dns
  • Create a minimal acme-dns user
sudo adduser \
--system \
--gecos "acme-dns Service" \
--disabled-password \
--group \
--home /var/lib/acme-dns \
acme-dns
  • Update default acme-dns config compare with IP from the AWS console. CAn't bind to the public address need to use private one.
ip addr
sudo mkdir -p /etc/acme-dns
sudo mv /opt/acme-dns/config.cfg /etc/acme-dns/
sudo vim /etc/acme-dns/config.cfg
  • Move the systemd service and reload
cat acme-dns.service
sudo mv \
acme-dns.service /etc/systemd/system/acme-dns.service
sudo systemctl daemon-reload
  • Start and enable acme-dns server
sudo systemctl enable acme-dns.service
sudo systemctl start acme-dns.service
  • Check acme-dns for posible errors
sudo systemctl status acme-dns.service
  • Use journalctl to debug in case of errors
journalctl --unit acme-dns --no-pager --follow
  • Create A record for your domain
auth.devopsbyexample.io IN A <public-ip>
  • Create NS record for auth.devopsbyexample.io pointing to auth.devopsbyexample.io. This means, that auth.devopsbyexample.io is responsible for any *.auth.devopsbyexample.io records
auth.devopsbyexample.io IN NS auth.devopsbyexample.io
  • Test acme-dns server (Split the screen)
journalctl -u acme-dns --no-pager --follow
  • From local host try to resolve random DNS record
dig api.devopsbyexample.io
dig api.auth.devopsbyexample.io
dig 7gvhsbvf.auth.devopsbyexample.io

Install acme-dns-client

sudo mkdir /opt/acme-dns-client
cd !$

sudo curl -L \
-o acme-dns-client.tar.gz \
https://github.com/acme-dns/acme-dns-client/releases/download/v0.2/acme-dns-client_0.2_linux_amd64.tar.gz

sudo tar -zxf acme-dns-client.tar.gz
ls
sudo rm acme-dns-client.tar.gz
sudo ln -s \
/opt/acme-dns-client/acme-dns-client /usr/local/bin/acme-dns-client

Install Certbot

cd
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Get Letsencrypt Wildcard Certificate

  • Create a new acme-dns account for your domain and set it up
sudo acme-dns-client register \
-d devopsbyexample.io -s http://localhost:8080
dig _acme-challenge.devopsbyexample.io
  • Get wildcard certificate
sudo certbot certonly \
  --manual \
  --test-cert \
  --preferred-challenges dns \
  --manual-auth-hook 'acme-dns-client' \
  -d *.devopsbyexample.io
sudo openssl x509 -text -noout \
-in /etc/letsencrypt/live/devopsbyexample.io/fullchain.pem
  • Renew certificate (test)
sudo certbot renew \
  --manual \
  --test-cert \
  --dry-run \
  --preferred-challenges dns \
  --manual-auth-hook 'acme-dns-client'
dig -t txt _acme-challenge.devopsbyexample.io

Setup Auto-Renew for Letsencrypt WILDCARD Certificate

  • Setup cronjob
sudo crontab -e
0 */12 * * * certbot renew --manual --test-cert --preferred-challenges dns --manual-auth-hook 'acme-dns-client'

Clen Up

  • Terminate EC2 Instance
  • Delete devops key pair
  • Delete server SG
  • Release server Elastic IP
  • Delete DNS records from google domains

Links