- _acme-challenge.FQDN is a CNAME pointing to FQDN._acme.netdef.org
  - example: _acme-challenge.pkg.netdef.org. IN CNAME pkg.netdef.org._acme.netdef.org.
  - it does not matter if FQDN is under netdef.org or not
- _acme.netdef.org is served by ns-ch.netdef.org (ONLY that server, there is no secondary, it makes no sense to have a secondary)
- updates signed with the TSIG key certbot-key. are enabled on that zone
- the python3-certbot-dns-rfc2136 module puts the challenges into DNS using that TSIG key:
  certbot certonly --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/01_deploy_pkg_servers.sh --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/tsig.conf --agree-tos --manual-public-ip-logging-ok -d deb-us.netdef.org -d pkg-us.netdef.org -d rpm-us.netdef.org
- the ssh key ns-ch uses to push the certificates is in /etc/letsencrypt/ssh_push_id
- authorized_keys on the package servers has the matching entry with a command="/etc/letsencrypt/ssh_receive.sh" restriction
- /etc/letsencrypt/ssh_receive.sh saves the key and reloads nginx

NOTE: the version of python3-certbot-dns-rfc2136 on ns-ch did not support CNAMEs and was manually patched and marked with apt-mark hold.
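An added example (not the netdef.org script itself) of what /etc/letsencrypt/ssh_receive.sh can look like as the forced command behind that authorized_keys entry: it only honours a request of the form "put fullchain <name>" or "put privkey <name>" from the deploy hook, reads the PEM on stdin, installs it atomically with tight permissions and reloads nginx. The request format, the /etc/nginx/ssl destination and the file naming are assumptions.

```shell
#!/bin/sh
# ssh_receive.sh (constructed example): forced command on a package server.
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND; only
# "put fullchain <name>" / "put privkey <name>" are honoured, PEM arrives on stdin.
set -euf

CERT_DIR="${CERT_DIR:-/etc/nginx/ssl}"             # assumed: where nginx loads certs from
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}" # nginx keeps the old config if the new pair fails its check

# Accepts only the allowed request shape; prints "<kind> <name>" on success.
parse_request() {
    set -- $1
    [ "$#" -eq 3 ] && [ "$1" = put ] || return 1
    case "$2" in fullchain|privkey) ;; *) return 1 ;; esac
    # name: letters, digits, dots, hyphens; no empty name, leading dot, slash or ".."
    case "$3" in
        ''|.*|*/*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '%s %s\n' "$2" "$3"
}

# Cheap sanity check that the file carries the PEM markers expected for its kind.
valid_pem() { # $1 = kind, $2 = file
    case "$1" in
        fullchain) grep -q -- '-----BEGIN CERTIFICATE-----' "$2" && grep -q -- '-----END CERTIFICATE-----' "$2" ;;
        privkey)   grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$2" && grep -q -- '-----END .*PRIVATE KEY-----' "$2" ;;
        *) return 1 ;;
    esac
}

# Reads stdin into a temp file in the target directory, validates, renames into place.
install_pem() { # $1 = kind, $2 = name
    dest="$CERT_DIR/$2.$1.pem"
    tmp=$(mktemp "$CERT_DIR/.$2.$1.XXXXXX")
    head -c 65536 > "$tmp"    # a chain or key is far smaller; cap what a client may push
    if ! valid_pem "$1" "$tmp"; then rm -f "$tmp"; echo "rejected: not a $1 PEM" >&2; return 1; fi
    if [ "$1" = privkey ]; then chmod 0600 "$tmp"; else chmod 0644 "$tmp"; fi
    mv -f "$tmp" "$dest"
}

main() {
    req=$(parse_request "$SSH_ORIGINAL_COMMAND") || { echo "rejected: $SSH_ORIGINAL_COMMAND" >&2; exit 1; }
    set -- $req
    install_pem "$1" "$2"
    $RELOAD_CMD
}

# Act only when invoked by sshd as a forced command (SSH_ORIGINAL_COMMAND is set).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then main; fi
```

The deploy hook on ns-ch then only needs something like `ssh -i /etc/letsencrypt/ssh_push_id host 'put privkey pkg-us.netdef.org' < privkey.pem` followed by the same for fullchain.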