ACME service

1. About

Let's Encrypt is a certificate authority that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge.

2. Systems

2.1 Frontend

  FQDN                IPv6                IPv4
                      2a07:6b40::230

2.2 Backend


Never use the backend nodes directly:

  • the backend may change without notice at any time (e.g. IP addresses, DNS records, configuration)
  • the backend has no legacy support or grace periods; changes take effect immediately
  • the backend can be rebooted without notice at any time
  • backend access will soon be restricted

  FQDN                IPv6                IPv4
                      2a07:6b40::231
                      2a07:6b40::232

3. Features

  • TODO

4. Operations

  • TODO

5. Backlog

  • clean up all _acme-challenge DNS records

  • add a wget/curl backend to dehydrated for multi-node same-certificate-fingerprint use cases

  • add a push backend to renew certificates via Redfish

  • finish and document fetching certificates for the multi-node same-fingerprint requirement

  • mainline all required changes and adaptations to dehydrated/dehydrated-tools

  • flush the zone regularly via knot-tools

  • restrict backend subnet access to frontend and management only

  • fix HA failover

  • provide end-user documentation

  • break up knot.conf generation and use includes, so that zone snippets can be auto-generated from TSIG keys

  • regenerate containers with Debian 12

  • upgrade to current dehydrated/dehydrated-tools

  • enable DNSSEC

  • anycasting

  • test environment

  • benchmarking
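Several backlog items concern the dehydrated hook that creates and removes _acme-challenge TXT records on the Knot server (the cleanup item, and the TSIG-driven zone snippets). The following is an added example, not the service's own hook: a minimal dehydrated hook for DNS-01 that emits a knsupdate batch signed with a TSIG key for the deploy_challenge and clean_challenge stages. The DNS server name, the TSIG key file path and the TTL are assumptions; the update batch is built by a function and printed rather than executed so it can be inspected without a DNS server.

```shell
#!/bin/sh
# Added example (not this service's hook): dehydrated DNS-01 hook that adds and
# removes _acme-challenge TXT records on a Knot server via knsupdate + TSIG.
# DNS_SERVER, TSIG_KEYFILE and TTL are assumed placeholders.
set -eu

DNS_SERVER="${DNS_SERVER:-acme-dns.example.net}"           # assumed
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/dehydrated/acme.tsig}"  # assumed
TTL="${TTL:-60}"                                           # assumed

# Print the knsupdate batch for one challenge record.
#   $1 = action (add|del), $2 = domain, $3 = token value
# dehydrated hands the domain and the TXT value to the hook; the record name
# is always _acme-challenge.<domain>. (absolute, hence the trailing dot).
challenge_update() {
    action="$1"; domain="$2"; token="$3"
    name="_acme-challenge.${domain}."
    printf 'server %s\n' "$DNS_SERVER"
    case "$action" in
        add) printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$token" ;;
        # delete only this exact TXT rdata, so other outstanding challenges
        # for the same name (e.g. parallel SAN validation) survive
        del) printf 'update delete %s IN TXT "%s"\n' "$name" "$token" ;;
        *)   echo "unknown action: $action" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Hook dispatch. dehydrated calls:
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE [...]
#   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE [...]
# With HOOK_CHAIN=yes several (domain, file, token) triplets arrive at once,
# so loop over them and sign the whole batch with the TSIG key.
case "${1:-}" in
    deploy_challenge|clean_challenge)
        if [ "$1" = deploy_challenge ]; then act=add; else act=del; fi
        shift
        while [ $# -ge 3 ]; do
            challenge_update "$act" "$1" "$3"
            shift 3
        done | knsupdate -k "$TSIG_KEYFILE"
        ;;
    *)
        # other stages (deploy_cert, unchanged_cert, ...) are not handled here
        ;;
esac
```

The delete uses the exact rdata rather than `update delete <name> TXT`, which would wipe every challenge under that name and break validations still in flight. Because each run sends a signed batch to one server, a leftover record after a failed run is exactly what the backlog's cleanup item has to reconcile against the zone.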

Known issues

  • no known issues