Brady Sullivan edited this page May 29, 2020 · 2 revisions

Why.

We have LOTS of different services running in various places. We have tens of public and private services, almost all of which are a subdomain of our company domain. For example, http://service.company.com, http://differentservice.company.com, http://wordpress.company.com etc.

Instead of using a long-lived wildcard TLS certificate, a la *.company.com, we want to use Let's Encrypt.

Let's Encrypt offers 2 ways to prove ownership of a domain: the DNS challenge and the HTTP challenge. One of them is required every 90 days for renewal, and every time you renew you get a new challenge token. This means that for every renewal of every service, the service needs to be able to serve a new token over HTTP, or it needs some way to add the token to its DNS TXT record.

Automation is the only way to make this work reliably and effectively for an enterprise environment that runs 50-80 services.

The built-in auto renewal of Certbot's HTTP challenge works for 50% of all our services. The problem is those remaining.

Possible reasons HTTP challenge renewal doesn't work:

  1. The service is temperamental or otherwise not an easy service to change on the fly (VPN, ADFS, etc.): something you either can't serve arbitrary HTTP from, or can't just take down for 10 seconds to host an HTTP server real quick.

  2. The service is internal and there's no way for Let's Encrypt to reach your endpoint for auto HTTP challenge renewal (we could use self-signed but Let's Encrypt is easier for a smaller company to orchestrate).

So that leaves us with the obvious next solution being DNS challenge renewal. Certbot supports lots of different DNS providers, including Cloudflare (<3) which we use for this specific domain.

Cloudflare doesn't support subdomain level API tokens, only Global API tokens. This means such an API token, if exfiltrated by a bad actor, is more powerful than a wildcard certificate would be. This leaves 10+ services with no good way of doing auto renewal for short lived certificates, unless we host our own internal CA maybe?

What do?

What do.

TLSential holds DNS API credentials so it can do automated Let's Encrypt renewal for configured sites/certificates.

  1. Configure a certificate for a domain (or list of domains),
  2. Set a renewal period (i.e. every 45 days),
  3. Download the generated private key using a per-certificate passcode,
  4. Download the certificate on a regular basis for renewal.

This allows endpoints to never have certificates that are more powerful than necessary. It also limits exposure of any DNS credentials for your organization.
