
Autocert support for issuing Let's Encrypt certificates using DNS verification

Status: NEW
Product / Component: Infrastructure & Operations / WebOps: SSL and Domain Names
Reporter: atoll
Assigned to: sidler
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/4702]
Reported: 5 months ago (last updated 5 months ago)

Description (Reporter, 5 months ago)

Hi, I request Autocert support for issuing Let's Encrypt certificates using DNS verification, with enhancements to support usability in a frequent-renewal environment.

Autocert can make use of existing LE implementation code. There are two primary challenges of LE vs. Digicert: LE needs to be renewed and redeployed often, automatically; and, LE requires a TXT record to be set during the renewal process if http://hostname:80/.well-known/acme doesn't work (as it doesn't for internal DNS).

Assuming we convert all AWS and Heroku to their respective built-in free certificates, what we have left is primarily hosted in two places: on Zeus (external and internal certificates), and on fqdn:/etc/ssl/certs/fqdn.crt (internal certificates). Automatic deployment to Zeus is implemented for the former, but the latter needs more consideration and a plan.

So, I'd like Autocert to specifically support issuing valid LE certs using the DNS TXT record method. This would require an API call to Inventory/Infoblox to update a TXT record for LE verification. A cron would then eventually poll LE and get back the signed certificate rather than "TXT record not updated yet".

Doing all of this permits us to create certificates for any hostname under any domain name we control, for external and internal use, in an automated and low-maintenance fashion, fully replacing Digicert (and a chunk of spend) with free (Mozilla-sponsored) Let's Encrypt.
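The DNS-01 flow the request describes (publish a TXT record through the DNS API, then poll the CA until it stops answering "pending") is small enough to sketch end to end. The following is an added example, not Autocert's or Mozilla's code: it computes the `_acme-challenge` TXT value the way RFC 8555 specifies (base64url of SHA-256 over `token.thumbprint`, with the RFC 7638 account-key thumbprint), and drives the poll loop against two in-memory stubs, `FakeDnsProvider` and `FakeAcmeServer`, which are hypothetical stand-ins for the Inventory/Infoblox API and for Let's Encrypt. The account key `ACCOUNT_JWK` is a constructed placeholder, not a real key.

```python
"""Added example of the ACME DNS-01 challenge pieces (not Autocert's code).

Assumptions: FakeDnsProvider and FakeAcmeServer are hypothetical in-memory
stubs for the Inventory/Infoblox TXT-record API and for Let's Encrypt;
ACCOUNT_JWK is a constructed placeholder key, not a real account key.
"""
import base64
import hashlib
import json
import time

# Constructed sample public EC JWK; the coordinate strings are placeholders.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with members in lexicographic order and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1/8.4: keyAuthorization = token "." thumbprint;
    the TXT record carries base64url(SHA-256(keyAuthorization))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def dns01_record_name(hostname: str) -> str:
    """The TXT record is published under _acme-challenge.<hostname>."""
    return f"_acme-challenge.{hostname}"


class FakeDnsProvider:
    """Hypothetical stand-in for the Inventory/Infoblox TXT-record API."""

    def __init__(self):
        self.records = {}

    def set_txt(self, name: str, value: str) -> None:
        self.records[name] = value

    def delete_txt(self, name: str) -> None:
        self.records.pop(name, None)


class FakeAcmeServer:
    """Hypothetical stand-in for the CA's challenge validation. It answers
    'pending' for the first `propagation_polls` polls (DNS not yet visible),
    then compares the published TXT value with the one it expects."""

    def __init__(self, dns, token, account_jwk, hostname, propagation_polls=2):
        self.dns = dns
        self.expected = dns01_txt_value(token, account_jwk)
        self.name = dns01_record_name(hostname)
        self.propagation_polls = propagation_polls
        self.polls = 0

    def challenge_status(self) -> str:
        self.polls += 1
        if self.polls <= self.propagation_polls:
            return "pending"  # the "TXT record not updated yet" case
        return "valid" if self.dns.records.get(self.name) == self.expected else "invalid"


def complete_dns01(hostname, token, account_jwk, dns, acme, max_polls=10, delay=0.0):
    """Publish the record, poll until the CA reports a final state or the
    poll budget is exhausted, and always remove the record afterwards."""
    name = dns01_record_name(hostname)
    dns.set_txt(name, dns01_txt_value(token, account_jwk))
    try:
        for attempt in range(1, max_polls + 1):
            status = acme.challenge_status()
            if status != "pending":
                return {"status": status, "polls": attempt}
            time.sleep(delay)
        return {"status": "timeout", "polls": max_polls}
    finally:
        dns.delete_txt(name)  # never leave stale challenge records behind


if __name__ == "__main__":
    dns = FakeDnsProvider()
    acme = FakeAcmeServer(dns, "tok", ACCOUNT_JWK, "host.example.internal")
    print(complete_dns01("host.example.internal", "tok", ACCOUNT_JWK, dns, acme))
```

Two points a cron-driven implementation should keep: the loop must have a bounded poll budget and a cleanup step that runs on every exit path, otherwise a renewal that never validates leaves `_acme-challenge` records accumulating in Infoblox; and the TXT value is derived from the account key, so whichever host holds that key is the one that can satisfy challenges for every name the DNS API can write.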

Updated (5 months ago)
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/4702]

Updated (Assignee, 5 months ago)
Assignee: server-ops-webops → sidler
Component: WebOps: Other → WebOps: SSL and Domain Names

Comment 1 (Reporter, 5 months ago)

Note that this will be a very popular feature for other departments within Mozilla. We may be asked to grant non-Webops access to Autocert when this becomes available, so that customers can auto-update their server's certificates using Autocert instead of running certbot+inventory+dns+etc locally.

Updated (Reporter, 5 months ago)
See Also: → bug 1358682