Add a DNS server on servizi.linux.it to test an automation workflow for Sandstorm's certificate renewal
Unfortunately, Sandstorm (https://servizi.linux.it) requires a wildcard certificate covering all of its sub-domains. Let's Encrypt only issues wildcard certificates through the DNS-01 challenge, so every renewal needs an extra verification step: before the certificate can be renewed, a fresh validation token has to be published as a TXT record (_acme-challenge) in our DNS zone.
Current Workaround and Full Context
TL;DR: at the moment @valerio.bozzolan spends 5 minutes every 2 months manually updating this token.
Proposed Solution
- evaluate "modern" Free Software DNS servers with nice APIs that are compatible with servizi.linux.it: answer, only BIND9 is compatible. lol
- write a stupid script that takes a token and puts it into BIND9 (done - see https://gitpull.it/T96 )
- install BIND9 on the server servizi.linux.it (https://gitlab.com/ItalianLinuxSociety/ils-infrastructure/-/blob/main/INVENTORY.md#servers-inventory) - people who can do this: gnu, mte90, oirasor
- understand how to create a renewal hook with Let's Encrypt
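The last two items together, as an added example that is neither the T96 script nor anything from this task: a certbot DNS-01 auth/cleanup hook that pushes the validation token into BIND9 over RFC 2136 dynamic update (nsupdate with a TSIG key). The zone name, the server address, the key file path and the hypothetical key name acme-update are assumptions; the hook only runs nsupdate when certbot invokes it, and can otherwise be sourced to test the batch it would send.

```shell
#!/bin/sh
# Added example (not the T96 script): certbot DNS-01 hook for a BIND9 zone, driven over
# RFC 2136 dynamic update with nsupdate and a TSIG key.
# Assumptions: zone servizi.linux.it, BIND9 on 127.0.0.1, the key file path below, and an
# update-policy in named.conf granting that key TXT updates on _acme-challenge.servizi.linux.it.
set -eu

ZONE="${ACME_ZONE:-servizi.linux.it}"
DNS_SERVER="${ACME_DNS_SERVER:-127.0.0.1}"
TSIG_KEYFILE="${ACME_TSIG_KEYFILE:-/etc/letsencrypt/acme-update.key}"   # assumed path
TTL=60            # short TTL so a stale token does not linger in resolver caches
SETTLE_SECONDS=30 # let the server (and any secondaries) catch up before Let's Encrypt queries

# An ACME validation token is base64url (A-Z a-z 0-9 - _). Anything else is refused, so the
# value interpolated into the nsupdate batch cannot smuggle in extra update commands.
validate_token() {
  case "$1" in
    ""|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Print the nsupdate batch for one challenge.
#   $1 = add | delete   $2 = domain being validated   $3 = validation token (ignored for delete)
# certbot hands a wildcard "*.servizi.linux.it" over as CERTBOT_DOMAIN=servizi.linux.it, so the
# record name is always _acme-challenge.<domain>.
build_update() {
  action="$1"; domain="$2"; token="${3:-}"
  case "$action" in
    add)
      validate_token "$token" || { echo "refusing malformed validation token" >&2; return 1; }
      ;;
    delete) ;;
    *) echo "unknown action: $action" >&2; return 1 ;;
  esac
  printf 'server %s\n' "$DNS_SERVER"
  printf 'zone %s\n' "$ZONE"
  if [ "$action" = add ]; then
    # "add", not "delete then add": when the order covers both servizi.linux.it and
    # *.servizi.linux.it, certbot calls the hook twice and both TXT values must coexist.
    printf 'update add _acme-challenge.%s. %s IN TXT "%s"\n' "$domain" "$TTL" "$token"
  else
    printf 'update delete _acme-challenge.%s. IN TXT\n' "$domain"
  fi
  printf 'send\n'
}

# Entry point used by certbot; the same file serves as auth and cleanup hook:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/etc/letsencrypt/acme-bind9.sh add" \
#     --manual-cleanup-hook "/etc/letsencrypt/acme-bind9.sh delete" \
#     -d servizi.linux.it -d '*.servizi.linux.it'
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
main() {
  action="${1:-add}"
  # Build the whole batch first: a rejected token must never reach nsupdate half-written.
  batch=$(build_update "$action" "$CERTBOT_DOMAIN" "${CERTBOT_VALIDATION:-}")
  printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEYFILE"
  if [ "$action" = add ]; then
    sleep "$SETTLE_SECONDS"
  fi
}

# Only act when invoked by certbot (CERTBOT_DOMAIN set); sourcing the file just defines the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  main "$@"
fi
```

On the BIND9 side the key must be allowed to touch only that one name and type, e.g. `update-policy { grant acme-update. name _acme-challenge.servizi.linux.it. TXT; };` in the zone statement, so a leaked key cannot rewrite the rest of the zone. Regarding the "renewal hook" item: certbot writes the manual hooks into the certificate's renewal configuration under /etc/letsencrypt/renewal/, so the `certbot renew` job that Debian installs as a timer runs them again at every renewal without further setup. Certbot also ships an rfc2136 DNS plugin (python3-certbot-dns-rfc2136 on Debian) that does the same dynamic update from a credentials file, which is worth evaluating before maintaining a custom hook.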
Hours invested
LOL at some point there is a point of no return.
- Valerio: 5 minutes every 90 days
- 2020: ~1 hour
- 2021: ~40 minutes
- 2022: ~20 minutes
- 2024: ~20 minutes
Edited by Valerio Bozzolan