Infrastructure / INFRA-1151

Create DNS-based validation for ldap.jenkins.io


    Details

    • Type: Task
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: ldap
    • Labels: None

      Description

      The manually purchased ldap.jenkins.io SSL cert is expiring soon; it would be nice to just use DNS validation and Let's Encrypt for that.

            Activity

            olblak Olivier Vernin added a comment -

            The procedure to obtain a certificate with DNS is quite cumbersome and needs to be repeated manually every 2-3 months.

            Basically we need to run

            ```
            docker run -i -t certbot/certbot certonly --manual -m infra@lists.jenkins-ci.org --agree-tos -d ldap.jenkins.io --preferred-challenges dns
            ```

            While the command is running, we need to create a DNS TXT record, then we can finish the procedure.

            Each time we run this command, it generates a new TXT record value that needs to be configured.

            If ldap had a public IP and no webserver running on it, we could use standalone mode to request a new certificate.

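As an added example, not code from the issue or from the Jenkins infrastructure project, the following shows why the TXT value changes on every run: certbot prints base64url(SHA-256(token "." thumbprint(account key))) per RFC 8555 §8.4, and the ACME server issues a fresh token for each authorization. The account JWK and token below are constructed placeholders (not a real key or a real Let's Encrypt account); the `record_is_published` and `stale_records` helpers are assumptions showing the check an operator would run against the zone before answering certbot's "press Enter to continue" prompt.

```python
import base64
import hashlib
import json

# Constructed placeholder account key (NOT a real or valid RSA key); only its
# JWK members matter for the thumbprint arithmetic demonstrated here.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-not-a-real-key",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout (RFC 8555 §6)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    serialised with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The value certbot asks you to publish: base64url(SHA-256(keyAuthorization)),
    where keyAuthorization = token '.' thumbprint(account key) (RFC 8555 §8.1, §8.4).
    The token is fresh for every authorization, which is why each certbot run
    prints a different value."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(domain: str) -> str:
    """Fully qualified owner name the ACME server queries for the DNS-01 challenge."""
    return f"_acme-challenge.{domain}."


def record_is_published(expected: str, published_txt: list[str]) -> bool:
    """True if the expected value is among the TXT records currently served.
    The ACME server accepts any one matching TXT record at the name, so a stale
    value from an earlier run does not break validation, but the new one must be there."""
    return expected in published_txt


def stale_records(expected: str, published_txt: list[str]) -> list[str]:
    """TXT values at the challenge name that are not the current one; candidates
    for cleanup so the zone does not accumulate dead challenge records."""
    return [v for v in published_txt if v != expected]


if __name__ == "__main__":
    token = "constructed-token-from-a-certbot-prompt"  # constructed, not a real ACME token
    value = dns01_txt_value(token, SAMPLE_ACCOUNT_JWK)
    print(challenge_record_name("ldap.jenkins.io"), "TXT", value)
    # In practice this list comes from querying the zone's authoritative servers;
    # here it is a constructed snapshot with one leftover from a previous run.
    served = ["leftover-from-last-run", value]
    print("published:", record_is_published(value, served))
    print("stale:", stale_records(value, served))
```

In real use the `served` list is what the zone's authoritative nameservers return for `_acme-challenge.ldap.jenkins.io` (a resolver cache can lag behind the change, which is the usual reason a manual DNS-01 run fails); only continue the certbot prompt once the freshly printed value is visible there.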
            rtyler R. Tyler Croy added a comment -

            Huh, I didn't realize we needed to run the manual TXT record change more than once.


            ldap.jenkins.io does have a public IP, perhaps we could run an Apache server just to perform the HTTP Letsencrypt challenge, and then make some changes behind the scenes to update slapd with the appropriate certificate?

            olblak Olivier Vernin added a comment -

            We may use the 'standalone' plugin, which starts a webserver on port 80 or 443 (depending on the configuration).

            In that case we need to add a firewall rule for port 80/443.

            And it's not possible to whitelist IPs from Let's Encrypt, which means that port 80 must be open to the wild.

            rtyler R. Tyler Croy added a comment -

            I still would like to do this, but the rush is off. I had to buy a new certificate.

            orrc Christopher Orr added a comment - edited

            FWIW, I recently read about an AWS Lambda function that would run a tool like certbot once a day, and would use the Route53 API to put the required TXT record in place if Let's Encrypt verification was required. Perhaps there's an Azure equivalent.

            (though this would require migrating to Azure DNS, which I vaguely seem to recall was discussed recently…)


              People

              Assignee:
              olblak Olivier Vernin
              Reporter:
              rtyler R. Tyler Croy
              Votes: 0
              Watchers: 3
