Deploy and renew Let's Encrypt TLS certificates from a central server.
Supports HTTP challenges with apache2 and nginx. Supports DNS challenges using joohoi's acme-dns and acme-dns-certbot.
Prerequisites, and the example names used throughout this README:
- a systemd-based Linux server to act as the certificate management server (CMS), with Certbot and nginx installed
- the relevant DNS records for the FQDNs you'll use
- SSH access to all servers
- if using HTTP challenges, apache2 or nginx installed on the servers that will host the certificates
- a modern version of Ubuntu on all servers
- acme-challenge.example.com as the domain name of the certificate management server (CMS)
- portal.example.com as the domain name of the webserver that uses the certificate
This is a basic view of certificate management using HTTP challenges:
- Using the deploy-cert script, the CMS requests a certificate for portal.example.com from Let's Encrypt.
- Let's Encrypt performs a DNS lookup for portal.example.com. Let's assume there are two A records for portal.example.com in DNS: 10.1.1.1 and 10.2.2.2.
- Let's Encrypt makes an HTTP request to one of the IP addresses from the DNS response.
- The webserver that receives the request responds with a 301 redirect.
- Let's Encrypt honors the 301 redirect and sends the HTTP request to the CMS.
- The CMS responds to the HTTP challenge; Let's Encrypt validates the response and issues the certificate to the CMS.
- The certbot client stores the certificate files locally on the CMS.
- The deploy-cert script finishes by copying the locally-stored certificate files to the webservers.
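As an added illustration (not one of this project's files), the 301 hand-off described above can be expressed in nginx as follows. It assumes certbot on the CMS runs with the webroot plugin and /var/www/acme as its webroot (`certbot certonly --webroot -w /var/www/acme -d portal.example.com`); both paths and the plugin choice are assumptions, not taken from the project.

```nginx
# Webserver (portal.example.com), port 80 vhost.
# Only the ACME challenge path is handed to the CMS; the redirect target is a
# fixed hostname, so nothing in the incoming request can steer it elsewhere.
server {
    listen 80;
    server_name portal.example.com;

    location ^~ /.well-known/acme-challenge/ {
        return 301 http://acme-challenge.example.com$request_uri;
    }

    # Everything else goes to HTTPS on this host (verify-http.sh checks this).
    location / {
        return 301 https://$server_name$request_uri;
    }
}

# CMS (acme-challenge.example.com), port 80 vhost.
# Serves only the challenge tokens certbot writes into the assumed webroot;
# every other path is refused so the CMS exposes nothing else over HTTP.
server {
    listen 80;
    server_name acme-challenge.example.com;

    root /var/www/acme;   # assumed webroot, same path as certbot's -w argument

    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        return 404;
    }
}
```

Because the CMS answers for every domain that redirects to it, one webroot on the CMS serves challenges for all of the sites it manages.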
This is a basic view of certificate management using DNS challenges:
- Using the deploy-cert script, the CMS requests a certificate for portal.example.com from Let's Encrypt.
- Let's Encrypt performs a DNS lookup for portal.example.com. Let's assume there are two A records for portal.example.com in DNS: 10.1.1.1 and 10.2.2.2.
- acme-dns-auth.py registers an account with the acme-dns server.
- The acme-dns server creates a TXT record for the domain.
- You're prompted to create a CNAME record on your main DNS server(s) for _acme-challenge.portal.example.com that points to acme-challenge.example.com.
- Let's Encrypt initiates a DNS challenge; the acme-dns server responds, Let's Encrypt validates the response and issues the certificate to the CMS.
- The certbot client stores the certificate files locally on the CMS.
- The deploy-cert script finishes by copying the locally-stored certificate files to the webservers.
If you're using HTTP challenges, deploy-site.sh should be copied to the webserver(s) at path /home/certbot/.
deploy-cert.sh and renew-cert.sh should be copied to the CMS at path /home/certbot/.
Once you have the prerequisites taken care of, follow the steps in setup-cert-mgmt-system.md.
The steps for deploying certificates can be found in deploy-certificates.md.
The verify-http.sh script can be used to make sure that HTTP redirects to HTTPS, that HTTPS is responding, and that the domain name matches the certificate.
The copy-cert.sh script can be used on the CMS if a certificate gets renewed but the files aren't properly copied to the remote servers. Its parameters are -d for the cert's domain name and -h for the IPs of the remote hosts (use a comma-space separated list for more than one host, and surround the set of hosts with single quotes, e.g. -h '10.0.0.1, 10.0.0.2'). This script should be placed in the certbot user's home directory.