IAM appliance - iam-letsencrypt-support

This package integrates IETF Certbot with IAM appliance.

The RPM is built "the standard way" using the bcv-rpmbuild container.

Services

This package does not contain any containerized service.

Filesystem layout

This package does not ship its own directory (sub)trees. It only uses those created by other packages.

Configuration files

  • /etc/sysconfig/iam-letsencrypt - here you can turn the certificate deploy hooks on (or off)

Controlling the service

  • Issuance/change/revocation of certificates is managed with standard certbot commands. This is the way:

    • Issuance: certbot certonly --webroot --webroot-path /data/volumes/web-proxy/letsencrypt/ -d le1.bcvsolutions.eu -d le2.bcvsolutions.eu

    • Domain list (SANs) change (parameter --cert-name is mandatory!): certbot certonly --webroot --webroot-path /data/volumes/web-proxy/letsencrypt/ --cert-name le1.bcvsolutions.eu -d le1.bcvsolutions.eu -d le3.bcvsolutions.eu

  • Notes:

    • If the certificate deploy fails, the easiest way is to invoke the deploy procedure manually (using the RENEWED_LINEAGE value from the certbot output):

      [root@localhost ~]# export RENEWED_LINEAGE=/etc/letsencrypt/live/le1.bcvsolutions.eu
      [root@localhost ~]# . /etc/sysconfig/iam-letsencrypt
      [root@localhost ~]# /etc/letsencrypt/renewal-hooks/deploy/001_web-proxy-deploy.sh

    • Another way is to set --force-renewal in the /etc/sysconfig/certbot file and then run systemctl start iam-letsencrypt-renew.service. This is not viable if there are many certificates to handle (the LE API rate limits can be hit), though.

Dependencies

  • iam-app-web-proxy of version 0.7 or higher.

Kinks and quirks

  • The IAM appliance expects to have only one LE certificate. This certificate can have multiple SANs.