Setup and automatic renewal of wildcard SSL certificates for Kubernetes with Certbot and NSD


Wildcard SSL certificates cover all subdomains under a certain domain, e.g. *.k8s.example.net covers recognyze.k8s.example.net, inscripits.k8s.example.net, etc., which is very useful if Kubernetes is used to deploy such services.

Prerequisites

The following guide assumes that you

  • delegate DNS for the prefix domain (in the example above k8s.example.net) to a separate zone file
  • which is managed by NSD (depending on your setup you might use the same NSD server, a separate instance, or even a server on another host).

Steps

  1. add a name server (NS) entry to your domain configuration that delegates DNS for the prefix domain to a given NSD server.
    k8s  3600    IN      NS      k8s-server.example.net.
    
  2. set up the NSD configuration and zone file for the prefix domain. The _acme-challenge entry will be overwritten by Certbot during the DNS-01 challenge verification process.
    • /etc/nsd/nsd.conf:
      zone:
              name: k8s.example.net
              zonefile: /etc/nsd/zones/k8s.example.net.zone
      
    • /etc/nsd/zones/k8s.example.net.zone (the zonefile referenced in nsd.conf above):

      ; SOA: primary name server, hostmaster mailbox, serial, refresh, retry, expire, minimum TTL
      @                3660 IN    SOA k8s-server.example.net. hostmaster.example.net. 2014111364 28800 7200 604800 3660
      ; an NS record must name a host, not an IP address; it has to match the delegation from step 1
      @               86400 IN    NS  k8s-server.example.net.
      @                3600 IN    A   1.2.3.4
      *                3600 IN    A   1.2.3.4
      ; placeholder that the Certbot hook overwrites with the DNS-01 challenge token
      _acme-challenge    60 IN    TXT "--temporary-dummy--"
      
  3. install the certbot-nsd-hook script to /opt:
    cd /opt
    git clone https://github.com/AlbertWeichselbraun/certbot-nsd-hook.git
    
  4. create the SSL wildcard certificate with
    certbot certonly \
           -d '*.k8s.example.net' \
           --preferred-challenges dns \
           --manual \
           --manual-auth-hook="/opt/certbot-nsd-hook/nsd-update-dns.py" \
           --post-hook="systemctl reload apache2"
    
  5. adapt your apache2 configuration to use the wildcard certificate
    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/k8s.example.net/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/k8s.example.net/fullchain.pem
    
  6. add Certbot to /etc/crontab to ensure that the certificate gets automatically renewed
    17 5  * * *   root    certbot renew --cert-name k8s.example.net
    

    Note: the option --cert-name allows you to specify which certificate to renew. This is relevant if your server uses wildcard and conventional certificates at the same time, since the certbot renew command does not yet allow mixing renewal strategies.
