Haproxy + certbot renew + certificates

Hey,

Sorry, I don’t think certbot charm supports holding multiple certificates for a unit at the moment. That could certainly be a future improvement.

Cheers, Ales

1 Like

The use-case is that a frontend haproxy (cluster) would serve for multiple domains - such as “unit1.example.com, unit2.example.com, unit3.example.com” etc. I guess.

1 Like

Sup Erik,

For nginx it works quite well… we have multiple domains that we instantiate in NGINX… and certbot just auto-speaks to NGINX… prompting you one time for which of those domains you want to use TLS… maybe we can jump on a session later so I can see what HAProxy does differently. The certbot-mahrio charm doesn’t track anything about the certs… it just installs certbot and then you have to intervene manually one time… but once that’s done it auto renews / edits NGINX automatically…

1 Like

@joakimnyman @alesstimec and @emcp what about getting a short session together and discuss where we can take this?

We (Dwellir) have a concrete need for this so we are happy to drive the activity forward and supply resources if needed.

1 Like

@alesstimec It’s not about holding multiple certificates, I think… Let me explain. We use Route53 and have set up an alias for the dns challenge. Currently we use acme.sh https://github.com/acmesh-official/acme.sh. Using the docker container it would typically be like:

docker run --rm -it -v "$(pwd)/out":/acme.sh -e AWS_ACCESS_KEY_ID=xxx -e AWS_SECRET_ACCESS_KEY=xxx --net=host neilpang/acme.sh --issue --dns dns_aws --domain domain.com --domain-alias acme.domain.dev --email hello@domain.com

So with certbot, the domain for the certificate would be domain.com but for the challenge we want to use acme.domain.dev.

It seems like the charm only supports specifying --domains. And when I think about it, it might be that certbot itself does not support this. If that is the case it would of course be difficult to make the charm support it.

Note that I’m quite new to working with certificates.

Thanks!

1 Like

Looks like there has been some work on it a long time ago: https://github.com/certbot/certbot/pull/5350, which was then moved to the branch https://github.com/certbot/certbot/tree/quinot/topic/dns-follow-cnames

1 Like
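As an added illustration of the DNS alias mode described in the two posts above (example code written for this thread, not code from acme.sh, certbot or the charm): the CA queries TXT at `_acme-challenge.domain.com`, follows the CNAME into the alias zone (acme.domain.dev) and checks the value there, which is why the Route53 credentials used for renewal only need write access to the alias zone. The zone snapshot, token and account thumbprint below are constructed; the TXT value follows RFC 8555 section 8.4.

```python
import base64
import hashlib

CHALLENGE_LABEL = "_acme-challenge"


def challenge_name(domain: str) -> str:
    """FQDN (trailing dot) that the CA queries for a DNS-01 challenge on `domain`."""
    return f"{CHALLENGE_LABEL}.{domain.rstrip('.')}."


def key_authorization_digest(token: str, account_thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token '.' JWK thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{account_thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def follow_cnames(zone: dict, name: str, max_hops: int = 8) -> str:
    """Return the final owner name after following CNAMEs, as a CA's resolver does."""
    seen = []
    while True:
        if name in seen or len(seen) > max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.append(name)
        cnames = [v for t, v in zone.get(name, []) if t == "CNAME"]
        if not cnames:
            return name
        name = cnames[0]


def alias_target(zone: dict, domain: str) -> str:
    """Owner name where the TXT record must actually be written for `domain`."""
    return follow_cnames(zone, challenge_name(domain))


def validate_dns01(zone: dict, domain: str, token: str, account_thumbprint: str) -> bool:
    """Emulate the CA check: a TXT at the end of the CNAME chain must equal the digest."""
    final = follow_cnames(zone, challenge_name(domain))
    txts = {v for t, v in zone.get(final, []) if t == "TXT"}
    return key_authorization_digest(token, account_thumbprint) in txts


# Constructed zone snapshot (not real DNS data). domain.com carries only a
# one-time static CNAME; the per-issuance TXT lives in the alias zone, which is
# the only zone the renewal credentials need to be allowed to modify.
TOKEN = "constructed-challenge-token"
THUMBPRINT = "constructed-jwk-thumbprint"
ZONE = {
    "_acme-challenge.domain.com.": [("CNAME", "_acme-challenge.acme.domain.dev.")],
    "_acme-challenge.acme.domain.dev.": [("TXT", key_authorization_digest(TOKEN, THUMBPRINT))],
}
```

Without the CNAME (the plain `--domains` case the charm supports today), `alias_target` simply returns the challenge name inside the certificate's own zone, so that zone is the one the credentials must be able to write to.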

With our charm for certbot… as of now we run

sudo certbot run

after which you are challenged with the question … which (autodetected via NGINX conf) domains do you want to attempt to retrieve certificates for… including sub-domains… I cannot speak on HAProxy but nginx integration is wonderful

You can see a Juju-powered webapp at

and my partner with little help got his subdomain wired into TLS as well

And auto-renewal is working as well… so it’s hands-off after that one-time execution… I haven’t looked into further automating, say… the Q&A on which domains to enable since… it’s such a low value thing to work on