On Nov 07, Sergiusz Pawlowicz wrote:
> Hi debopsers, I need to build an SSL concentrator hub which receives SSL
> traffic from outside and proxies to backstage non-SSL servers. This hub is
> going to be built from ~10 nginx servers.
> Question is: how can I utilise debops/ansible to synchronise the
> letsencrypt key between servers? Do you have any other useful hints?
I think that these are two separate issues, assuming that you don't want to rely
on DNS-01 authentication, which currently is not supported natively by DebOps.
1. Allow the Let's Encrypt CA to hit any nginx server from the round-robin to get
the HTTP-01 auth token.
This could be done by having an NFS share for the /srv/www/sites/acme/ directory
mounted on all nginx servers, with one server acting as the "ACME requestor".
There might be issues with UID/GID mismatch between the hosts; if you hit this,
we can add UID/GID configuration to debops.pki for the pki-acme user account and
group to mitigate it.
The designated "ACME requestor" server makes the certificate request, Let's
Encrypt gets the token from any nginx server in the round-robin, and the
requestor gets the certificate, stored in /etc/pki/realms/.
2. Get the signed certificate to each PKI realm on each nginx server.
We assume that the private key in the shared PKI realms on the nginx servers is
the same; you can do this by putting the private key in the realm
configuration directory under the 'secret/pki/' directory on the Ansible
Controller. The same private key will be used to request the ACME
certificates.
Since the signed certificate is public, you could set up a server for it on
a subdomain, for example acme.example.org, and publish the certificate from
the "ACME requestor" server. Then, on the rest of the nginx servers, run a cron
script that periodically fetches the certificate and replaces it in the PKI
realm. This would also be the solution with DNS-01 authentication done from
one server that controls the DNS zone.
A fancier solution would involve some message passing, for example with
Mosquitto and a script that listens for a particular event. Perhaps the
pki-realm script could be enhanced to be able to send Mosquitto events with
some kind of hook system.
Let us know what you end up with. :-)
Cheers,
Maciej
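The "cron script on every nginx server" approach from the reply above, written out as an added shell example. This is not code from the thread or from DebOps: the publishing URL, the realm file layout (/etc/pki/realms/<realm>/default.crt and default.key) and the nginx reload command are assumptions, and the real DebOps realm filenames may differ. The point the example adds is the check a practitioner wants before blindly replacing a live certificate: the fetched certificate must carry the public half of the realm's private key and must not be about to expire, otherwise a garbled download or the wrong file would break TLS on that node.

```shell
#!/bin/sh
# Added example for the "cron on every nginx server" approach described above.
# It is not code from the thread or from DebOps; the URL, the realm layout
# (/etc/pki/realms/<realm>/default.crt and default.key) and the reload command
# are assumptions.
set -eu

# Return 0 if the public key embedded in certificate $1 is the public half of
# private key $2. Both commands print the SubjectPublicKeyInfo as PEM, so a
# plain string comparison is enough.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if certificate $1 is still valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Install candidate certificate $1 as $2, for private key $3.
# Exit status: 0 replaced, 2 unchanged (identical file already installed),
# 1 rejected (does not match the key, or expires within a day).
install_cert() {
    candidate=$1; dest=$2; key=$3
    if ! cert_matches_key "$candidate" "$key"; then
        echo "rejected: certificate does not match $key" >&2
        return 1
    fi
    if ! cert_valid_for "$candidate" 86400; then
        echo "rejected: certificate expires within 24h" >&2
        return 1
    fi
    if [ -f "$dest" ] && cmp -s "$candidate" "$dest"; then
        return 2
    fi
    # Write next to the destination and rename, so nginx never sees a
    # half-written file if it reloads at the wrong moment.
    cp "$candidate" "$dest.tmp"
    chmod 0644 "$dest.tmp"
    mv -f "$dest.tmp" "$dest"
}

# Fetch the certificate published by the ACME requestor and install it into
# the realm directory, reloading nginx only when the file actually changed.
main() {
    url=$1; realm_dir=$2
    tmpfile=$(mktemp)
    trap 'rm -f "$tmpfile"' EXIT
    curl -fsS --max-time 30 -o "$tmpfile" "$url"
    rc=0
    install_cert "$tmpfile" "$realm_dir/default.crt" "$realm_dir/default.key" || rc=$?
    case $rc in
        0) nginx -s reload ;;
        2) ;;
        *) exit "$rc" ;;
    esac
}

# Usage from cron (hypothetical URL and realm):
#   fetch-acme-cert.sh https://acme.example.org/default.crt /etc/pki/realms/example.org
[ "$#" -eq 0 ] || main "$@"
```

Because the public-key comparison is done against the realm's own private key, the script only ever installs a certificate that this node can actually serve, and a node whose key differs (for example one that was provisioned before the shared key was put in secret/pki/) fails loudly instead of silently serving a mismatched pair. The same install_cert function could be driven by a Mosquitto subscriber instead of cron without changing the checks.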