github.com/teknogeek/dnscontrol@v0.2.8/docs/lets-encrypt.md (about) 1 --- 2 layout: default 3 title: Let's Encrypt Certificate generation 4 --- 5 6 # *Let's Encrypt* Certificate generation 7 8 The `dnscontrol get-certs` command will obtain or renew TLS certificates for your managed domains via [*Let's Encrypt*](https://letsencrypt.org). This can be extremely useful in situations where other acme clients are problematic. Specifically, this may be useful if: 9 10 - You are already managing dns records with DnsControl. 11 - You have a large number of domains or dns providers in complicated configurations. 12 - You want **wildcard** certificates, which *require* dns validation. 13 14 At stack overflow we have dual-hosted dns, with most domains having four nameservers from two different cloud DNS providers. DnsControl uses 15 the exact same code as the core DnsControl commands to issue certificates. This means is will work the same regardless of your domain layout or what providers you use. 16 17 ## General Process 18 19 The `get-certs` command does the following steps: 20 21 1. Determine which certificates you would like issued, and which names should belong to each one. 22 1. Look for existing certs on disk, and see if they have sufficient time remaining until expiration, and that the names match. 23 1. If updates are needed: 24 1. Request a new certificate from the acme server. 25 1. Receive a list of validations to fill. 26 1. For each validation (usually one per name on the cert): 27 1. Create a TXT record on the domain with a given secret value. 28 1. Wait until the authoritative name servers all return the correct value (polls locally). 29 1. Tell the acme server to validate the record. 30 1. Receive a new certificate and save it to disk 31 32 Because DNS propagation times vary from provider to provider, and validations are (currently) done serially, this process may take some time. 33 34 ## certs.json 35 36 This file should be provided to specify which names you would like to get certificates for. You can 37 specify any number of certificates, with up to 100 SAN entries each. Subject names can contain wildcards if you wish. 38 39 The format of the file is a simple json array of objects: 40 41 ``` 42 [ 43 { 44 "cert_name": "mainCert", 45 "names": [ 46 "example.com.com", 47 "www.example.com" 48 ] 49 }, 50 { 51 "cert_name": "wildcardCert", 52 "names": [ 53 "example.com", 54 "*.example.com", 55 "*.foo.example.com", 56 "otherdomain.tld", 57 "*.otherdomain.tld" 58 ] 59 } 60 ] 61 ``` 62 63 `get-certs` will attempt to issue any certificates referenced by this file, and will renew or re-issue if the certificate we already have is 64 close to expiry or if the set of subject names changes for a cert. 65 66 ## Working directory layout 67 The `get-certs` command is designed to be run from a working directory that contains all of the data we need, 68 and stores all of the certificates and other data we generate. 69 70 You may store this directory in source control or wherever you like. At Stack Overflow we have a dedicated repository for 71 certificates, but we take care to always encrypt any private keys with [black box](https://github.com/StackExchange/blackbox) before committing. 72 73 The working directory should generally contain: 74 75 - `certificates` folder for storing all obtained certificates. 76 - `.letsencrypt` folder for storing *Let's Encrypt* account keys, registrations, and other metadata. 77 - `certs.json` to describe what certificates to issue. 78 - `dnsconfig.js` and `creds.json` are the main files for other dnscontrol commands. 79 80 ``` 81 ┏━━.letsencrypt 82 ┃ ┗━(*Let's Encrypt* account keys and metadata) 83 ┃ 84 ┣━━certificates 85 ┃ ┣━━mainCert 86 ┃ ┃ ┣━mainCert.crt 87 ┃ ┃ ┣━mainCert.json 88 ┃ ┃ ┗━mainCert.key 89 ┃ ┗━━wildcardCert 90 ┃ ┣━wildcardCert.crt 91 ┃ ┣━wildcardCert.json 92 ┃ ┗━wildcardCert.key 93 ┃ 94 ┣━━certs.json 95 ┣━━creds.json 96 ┗━━dnsconfig.js 97 ``` 98 ## Command line flags 99 100 ### Required Flags 101 102 - `-email test@example.com`: Email address to use for *Let's Encrypt* account registration. 103 - `--agreeTOS`: Indicates that you agree to the [*Let's Encrypt* Subscriber Agreement](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf) 104 105 ### Optional Flags 106 107 - `-acme {url}`: URL of the acme server you wish to use. For *Let's Encrypt* you can use the presets `live` or `staging` for the standard services. If you are using a custom boulder instance or other acme server, you may specify the full **directory** url. Must be an acme **v2** server. 108 - `-renew {n}`: `get-certs` will renew certs with less than this many **days** remaining. The default is 15, and certs will be renewed when they are within 15 days of expiration. 109 - `-dir {d}`: Root directory holding all certificate and account data as described above. Default is current working directory. 110 - `-certConfig {j}`: Location of certificate config json file as described above. Default is `./certs.json` 111 - `-skip {p}`: DNS Provider names (comma separated) to skip using as challenge providers. We use this to avoid unnecessary changes to our backup or internal dns providers that wouldn't be a part of the validation flow. 112 - `--verbose`: enable some extra logging from the [acme library](https://github.com/xenolf/lego) that we use. 113 - `-js {dnsconfig.js}`, `-creds {creds.json}` and other flags to find your dns configuration are the same as used for `dnscontrol preview` or `push`. `get-certs` needs to read the dns config so it knows which providers manage which domains, and so it can make sure it is not going to make any destructive changes to your domains. If the `get-certs` command needs to fill a challenge on a domain that has pending corrections, it will abort for safety. You can run `dnscontrol preview` and `dnscontrol push` at that point to verify and push the pending corrections, and then proceed with issuing certificates. 114 115 ## Workflow 116 117 This command is intended to be just a small part of a full certificate automation workflow. It only issues certificates, and explicitly does not deal with certificate storage or deployment. We urge caution to secure your private keys for your certificates, as well as the *Let's Encrypt* account private key. We use [black box](https://github.com/StackExchange/blackbox) to securely store private keys in the certificate repo. 118 119 This command is intended to be run as frequently as you desire. One workflow would be to check all certificates into a git repository and run a nightly build that: 120 121 1. Clones the cert repo, and the dns config repo (if separate). 122 2. Decrypt or otherwise obtain the *Let's Encrypt* account private key. Dnscontrol does not need to read any certificate private keys to check or issue certificates. 123 3. Run `dnscontrol get-certs` with appropriate flags. 124 4. Encrypt or store any new or updated private keys. 125 5. Commit and push any changes to the cert repo. 126 6. Take care to not leave any plain-text private keys on disk. 127 128 The push to the certificate repo can trigger further automation to deploy certs to load balancers, cdns, applications and so forth.