TLS Certificates (Certbot)
Certbot is an open-source ACME client that can be used to generate trusted TLS certificates, automating the interaction with Let's Encrypt, a free, automated, and open certificate authority (CA).
Certbot can be used to automate the issue and renewal of TLS certificates for cluster external services (OpenWRT, Minio, Vault) not running within the Kubernetes cluster.
How does it work?
Certbot uses the ACME protocol to get certificates from Let's Encrypt.
It supports both types of ACME challenge (HTTP-01 and DNS-01).
DNS-01 Challenge
A Certbot plugin is needed to automate the DNS-01 challenge for each DNS provider.
For example, the Cloudflare provider requires certbot-dns-cloudflare.
Note:
The IONOS DNS provider is not one of the providers supported out-of-the-box by Certbot. certbot-dns-ionos is an implementation of such a Certbot plugin. Project repository: [certbot-dns-ionos](https://github.com/helgeerbe/certbot-dns-ionos).
Installation
Certbot can be installed in a Python virtualenv.
Execute all the following commands from the $HOME directory.
- Step 1. Create a virtual environment for Let's Encrypt
  python3 -m venv letsencrypt
- Step 2. Activate the virtual environment
  source letsencrypt/bin/activate
- Step 3. Upgrade the setuptools and pip packages
  pip3 install --upgrade pip setuptools
- Step 4. Install certbot and any plugin required (i.e. certbot-dns-ionos)
  pip3 install certbot certbot-dns-ionos certbot-dns-cloudflare
Using DNS Challenge
IONOS as DNS Provider
A Certbot plugin, certbot-dns-ionos, is needed to automate the DNS challenge process. The plugin uses the IONOS developer API, which allows remote configuration of the DNS records through a RESTful API.
Note:
To use the IONOS developer API, an API key must first be created.
Follow the IONOS developer API Get Started instructions to obtain the API key.
The API key is composed of two parts: a public prefix (public key) and a secret (private key).
Configure Certbot
To configure IONOS as DNS provider:
- Step 1. Install [certbot-dns-ionos](https://github.com/helgeerbe/certbot-dns-ionos)
  pip3 install certbot-dns-ionos
- Step 2. Obtain the IONOS developer API key
- Step 3. Create the certbot working directories
  mkdir -p letsencrypt/config
  mkdir -p letsencrypt/logs
  mkdir -p letsencrypt/.secrets
  chmod 700 letsencrypt/.secrets
- Step 4. Create the IONOS credentials file letsencrypt/.secrets/ionos-credentials.ini
  dns_ionos_prefix = myapikeyprefix
  dns_ionos_secret = verysecureapikeysecret
  dns_ionos_endpoint = https://api.hosting.ionos.com
  In this file, the IONOS API key prefix and secret need to be provided.
- Step 5. Change the permissions of the ionos-credentials.ini file
  chmod 600 letsencrypt/.secrets/ionos-credentials.ini
Certificate issue/renewal
Execute the following command:
letsencrypt/bin/certbot certonly \
--config-dir letsencrypt/config \
--work-dir letsencrypt \
--logs-dir letsencrypt/logs \
--authenticator dns-ionos \
--dns-ionos-credentials letsencrypt/.secrets/ionos-credentials.ini \
--dns-ionos-propagation-seconds 900 \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos \
--non-interactive \
--rsa-key-size 4096 \
-m <your-email> \
-d <host_dns>
The signed certificate will be stored in letsencrypt/config.
List certificates managed by Certbot
Certificates managed by Certbot can be listed using the command:
letsencrypt/bin/certbot certificates \
--config-dir letsencrypt/config \
--work-dir letsencrypt \
--logs-dir letsencrypt/logs
The certificate and key paths are shown, together with the expiration date.
Certificate renewal
To renew the certificates automatically, the following command can be executed periodically from a cron job. The same --config-dir, --work-dir and --logs-dir options used when issuing the certificate must be passed, otherwise certbot looks for its configuration under /etc/letsencrypt:
letsencrypt/bin/certbot renew \
--config-dir letsencrypt/config --work-dir letsencrypt --logs-dir letsencrypt/logs
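The configuration steps and the issue, list and renew commands above, tied together as a small script. This is an added example, not code from the original page or the certbot-dns-ionos project; it assumes the $HOME/letsencrypt layout used in the steps above and checks the credentials file (owner-only mode, all three dns_ionos_* keys set) before any certbot call sends the key to the IONOS API.

```shell
#!/bin/sh
# Added example (not from the original page). Wraps the procedure above so
# that every certbot subcommand uses the same directories and the IONOS
# credentials file is validated before use. Assumes $HOME/letsencrypt.
LE_DIR="${LE_DIR:-$HOME/letsencrypt}"
CREDS="$LE_DIR/.secrets/ionos-credentials.ini"

# Return 0 when the file exists, is owner-only (mode 600 or 400) and
# defines non-empty dns_ionos_prefix, dns_ionos_secret and dns_ionos_endpoint.
check_ionos_credentials() {
    f="$1"
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f has mode $mode, expected 600" >&2; return 1 ;;
    esac
    for key in dns_ionos_prefix dns_ionos_secret dns_ionos_endpoint; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]+" "$f" ||
            { echo "$f: $key missing or empty" >&2; return 1; }
    done
}

# certbot with the config/work/logs directories used on this page; without
# them certbot would look for its state under /etc/letsencrypt.
certbot_cmd() {
    "$LE_DIR/bin/certbot" "$@" \
        --config-dir "$LE_DIR/config" \
        --work-dir "$LE_DIR" \
        --logs-dir "$LE_DIR/logs"
}

# Issue a certificate for host $1 with contact e-mail $2 via DNS-01.
request_cert() {
    check_ionos_credentials "$CREDS" || return 1
    certbot_cmd certonly \
        --authenticator dns-ionos \
        --dns-ionos-credentials "$CREDS" \
        --dns-ionos-propagation-seconds 900 \
        --server https://acme-v02.api.letsencrypt.org/directory \
        --agree-tos --non-interactive --rsa-key-size 4096 \
        -m "$2" -d "$1"
}

# Usage: le-ionos.sh issue <host_dns> <email> | renew | list
case "${1:-}" in
    issue) request_cert "$2" "$3" ;;
    renew) check_ionos_credentials "$CREDS" && certbot_cmd renew ;;
    list)  certbot_cmd certificates ;;
esac
```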