ACME service

1. About

Let's Encrypt is a certificate authority that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge.

2. Systems

2.1 Frontend

FQDN           IPv6            IPv4
acme.bfh.info  2a07:6b40::230  147.87.0.230

2.2 Backend

Warning

Never use the backend nodes directly:

  • backend may change without notice at any time (IP addresses, DNS records, configuration, etc.)
  • backend has no legacy support or grace periods; changes are implemented instantly
  • backend can be rebooted without notice at any time
  • backend access will soon be restricted

FQDN                 IPv6            IPv4
node1.acme.bfh.info  2a07:6b40::231  147.87.0.231
node2.acme.bfh.info  2a07:6b40::232  147.87.0.232

3. Features

  • TODO

4. Operations

  • TODO

5. Backlog

Legacy

  • clean up all acme-challenge DNS records

Setup

  • add wget/curl backend to dehydrated for multi-node-same-certificate-fingerprint use-cases

  • add push backend to renew certificates via redfish

  • finish and document dehydrated.bfh.info to fetch certificates with the multi-node-same-fingerprint requirement

  • mainline all required changes and adaptations to dehydrated/dehydrated-tools

  • flush zone regularly via knot-tools

  • restrict backend subnet access to frontend and management only

  • fix HA failover

  • provide end-user documentation

  • break up knot.conf generation and use includes, so that zone snippets can be autogenerated from TSIG keys

  • regenerate containers with Debian 12

  • upgrade to current dehydrated/dehydrated-tools

Features

  • enable DNSSEC

  • anycasting acme.bfh.info

  • test environment

  • benchmarking

Known issues

  • no known issues