Certificates Redux

An earlier post talked about switching my server tarragon (where this blog sits) to a wildcard certificate from letsencrypt. There were two reasons why I was using a wildcard certificate. One had to do with test versions of websites that run on this server, and the need that some of those sites have for wildcards, of the form: bob.websitename.com, sally.websitename.com, etc. The other reason was that I have a lot of hosts (oregano, cinnamon, paprika, lemongrass) in addition to tarragon that “need” to have a certificate, for https, for imap, and for smtp, and when I was having to pay for them, it was cheaper to get one wildcard for wmbuck.net.

When I switched to letsencrypt, many things became easier, but in one respect things were more difficult. Letsencrypt and certbot make certificate renewal on tarragon automatic, and easy, but the renewals occur every few months, instead of every couple of years with the purchased ones. Suddenly I have a problem distributing the new certificate, when it renews, to all the other boxes. Doing it manually every two or three years is ok, but if it is going to happen every few months then it has to be automated. And automating it is made more difficult because the private key changes every time, and transferring secrets around automatically without recording a password in cleartext in scripts isn’t easy.

But taking a step back, why do I need certificates on these other boxes? What am I using them for?  All these boxes have a postfix instance, but, aside from oregano, they don’t actually receive mail. And is there any real reason why even oregano has to receive mail? I set it up ages ago, but I don’t really use it. I never really choose to send mail to dee@oregano.wmbuck.net. Plus oregano is almost always running a vpn these days, and inbound tcp connections to oregano are, accordingly, a pain in the neck.

Most of the boxes – pretty much all of them – operate a web server, but serving only .local addresses for testing code I’m writing. The only inbound https connection is to the media server on cinnamon.

So I got a separate certificate for oregano.wmbuck.net and media.wmbuck.net using certbot on the individual boxes, and let them get updated automatically by certbot. I will no longer attempt to move the *.wmbuck.net certificate around.

This raises a problem, though, in automating the certbot renewals. I got both of these new certs using manual authentication through DNS. I can’t use apache, webroot or even standalone authentication on either oregano or cinnamon, so certbot has no way to renew them unattended as things stand.

However, once the transition to Route 53 DNS is accomplished, I can renew unattended with the dns-route53 plugin, e.g.:

certbot certonly --dns-route53 \
-d media.wmbuck.net
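Two practical details go with that command. The dns-route53 plugin reads AWS credentials from the standard locations (the ~/.aws/config and credentials files of the user running certbot, or the AWS_* environment variables), so they never need to appear in a script; and since those credentials now live on each box, the IAM user they belong to should be limited to route53:ListHostedZones, route53:GetChange and route53:ChangeResourceRecordSets on the one hosted zone, which is all the plugin needs. The other thing certbot does not do on its own is tell the services that the certificate changed. The script below is an added example of mine, not from the original post and not certbot's own code: a --deploy-hook that reloads only the services that use the renewed certificate. Certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS in the hook's environment; the mapping of host names to services (apache2 for media.wmbuck.net, postfix and dovecot for oregano.wmbuck.net) and the install path are assumptions based on the post.

```shell
#!/bin/sh
# Added example (not from the original post, not certbot's own code).
# Install as /usr/local/sbin/reload-after-renew.sh (assumed path) and run
# certbot with:
#   certbot certonly --dns-route53 -d media.wmbuck.net \
#       --deploy-hook /usr/local/sbin/reload-after-renew.sh
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/media.wmbuck.net)
# and RENEWED_DOMAINS (space-separated) only when a certificate was actually
# renewed, so the hook does nothing on the frequent "not yet due" runs.

# Map a renewed domain to the services that hold its certificate open.
# The host-to-service mapping is an assumption based on the post.
services_for_domain() {
    case "$1" in
        media.wmbuck.net)   echo "apache2" ;;
        oregano.wmbuck.net) echo "postfix dovecot" ;;
        *)                  echo "" ;;        # unknown name: reload nothing
    esac
}

# Collect a de-duplicated, space-separated list of services for all
# renewed domains (a multi-domain lineage may list several names).
services_to_reload() {
    out=""
    for d in $1; do
        for s in $(services_for_domain "$d"); do
            case " $out " in
                *" $s "*) ;;                  # already listed
                *) out="${out:+$out }$s" ;;
            esac
        done
    done
    echo "$out"
}

# Entry point used by certbot. With DRY_RUN=1 it only reports what it
# would do, which makes it safe to try by hand.
deploy_hook() {
    if [ -z "$RENEWED_DOMAINS" ]; then
        echo "RENEWED_DOMAINS not set; not running under certbot?" >&2
        return 1
    fi
    for s in $(services_to_reload "$RENEWED_DOMAINS"); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would reload $s"
        else
            systemctl reload "$s" || { echo "reload of $s failed" >&2; return 1; }
        fi
    done
}

# Only act when certbot invoked us; sourcing the file defines the functions.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_hook
fi
```

A reload (not a restart) is enough for apache, postfix and dovecot to pick up the new files under /etc/letsencrypt/live, and because the hook is tied to the renewal rather than to a cron schedule, the private key never has to be copied anywhere: each box renews its own certificate and its own services re-read it in place.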