Generate letsencrypt wildcard certificates via local NSD server
This is a collection of simple POSIX shell scripts that configure a local NSD name server and set up Certbot to answer its dns-01 challenges through that local name server. Install NSD first (Alpine Linux):
apk add nsd
This setup needs two name servers: the local one configured by these scripts and the remote name server that hosts the zone file of your domain. Register the local name server in your global zone file by adding the following records (xxx.xxx.xxx.xxx is the public address of the host running NSD; it must accept DNS on port 53 from the Internet):
ns-acme IN A xxx.xxx.xxx.xxx
acme NS ns-acme.domain.tld.
_acme-challenge IN CNAME acme-domain-tld.host.domain.tld.
The trailing dots matter in a zone file: without them the names are expanded relative to the zone origin and the delegation points at the wrong name. The CNAME target must be a name the local NSD is authoritative for, otherwise Let's Encrypt never reaches the TXT record. Verify the delegation from outside before running setup.sh, e.g. with dig +short NS acme.domain.tld and dig +short CNAME _acme-challenge.domain.tld.
The authentication hook generates the zone file and the NSD configuration file for you.
You can issue certificates and keys for additional domains via this local name server. Add the same NS delegation and _acme-challenge CNAME to each of their zone files, as shown in the records above.
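The following is an added example, not the project's own hook script, of what such a certbot --manual-auth-hook / --manual-cleanup-hook can look like. The zone name, the name-server host, the zone directory and the records-file layout are assumptions chosen for illustration. It keeps one TXT record per pending challenge, which matters for wildcard orders: certbot calls the auth hook twice for the same domain (domain.tld and *.domain.tld) with two different tokens, and both must be resolvable at the same time, so a hook that simply overwrites the zone file fails the second challenge.

```shell
#!/bin/sh
# Added example: certbot auth/cleanup hook that regenerates the delegated acme
# zone for the local NSD. Zone name, NS name, zone directory and the records
# file are assumptions for illustration, not the project's own hook.
set -eu

ZONE="${ACME_ZONE:-acme.domain.tld}"           # zone delegated to the local NSD
NS_NAME="${ACME_NS:-ns-acme.domain.tld}"       # hostname of the local NSD
ZONE_DIR="${ACME_ZONE_DIR:-/var/nsd/zones}"    # assumed zonesdir from nsd.conf

# "domain.tld" -> "domain-tld": the owner label inside $ZONE that the
# _acme-challenge CNAME points at (dots become dashes, as in the README).
acme_label() {
    printf '%s\n' "$1" | tr '.' '-'
}

# Append one "label token" line to the records file. Records accumulate so that
# both challenges of a wildcard order are served at once.
add_txt() {
    recs=$1; label=$2; token=$3
    # ACME tokens are base64url; refuse anything that could corrupt the zone.
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "refusing unexpected token: $token" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$label" "$token" >> "$recs"
}

# Drop every record carrying $token (cleanup hook). grep -v exits 1 when no
# lines remain, which is not an error here.
remove_txt() {
    recs=$1; token=$2
    grep -v -F -- " $token" "$recs" > "$recs.tmp" || :
    mv "$recs.tmp" "$recs"
}

# Render the whole zone: SOA, NS and one TXT per line of the records file.
# $1 = zone file path, $2 = records file, $3 = serial
write_acme_zone() {
    zf=$1; recs=$2; serial=$3
    {
        printf '$ORIGIN %s.\n$TTL 60\n' "$ZONE"
        printf '@\tIN\tSOA\t%s. hostmaster.%s. ( %s 3600 900 604800 60 )\n' \
            "$NS_NAME" "$ZONE" "$serial"
        printf '@\tIN\tNS\t%s.\n' "$NS_NAME"
        while read -r label token; do
            printf '%s\tIN\tTXT\t"%s"\n' "$label" "$token"
        done < "$recs"
    } > "$zf.tmp"
    mv "$zf.tmp" "$zf"      # atomic replace so NSD never reads a half-written zone
}

reload_nsd() {
    if command -v nsd-control >/dev/null 2>&1; then
        nsd-control reload "$ZONE"
    fi
}

# Hook entry point, only active when invoked as "hook.sh auth" or "hook.sh cleanup".
# certbot exports CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES.
if [ "${1:-}" = auth ] || [ "${1:-}" = cleanup ]; then
    recs="$ZONE_DIR/$ZONE.records"
    [ -f "$recs" ] || : > "$recs"
    if [ "$1" = auth ]; then
        add_txt "$recs" "$(acme_label "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
    else
        remove_txt "$recs" "$CERTBOT_VALIDATION"
    fi
    write_acme_zone "$ZONE_DIR/$ZONE.zone" "$recs" "$(date +%s)"
    reload_nsd
    # Give NSD a moment once the last record of the order is in place.
    [ "${CERTBOT_REMAINING_CHALLENGES:-0}" != 0 ] || sleep 5
fi
```

Point certbot at it with --manual-auth-hook '/path/hook.sh auth' --manual-cleanup-hook '/path/hook.sh cleanup' (certbot runs the hook string through the shell, so the argument is passed through). The guarded block at the bottom only runs when invoked that way, so the functions can also be sourced from other scripts. Using the Unix time as serial guarantees a strictly increasing value across reloads.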
To deploy certificates automatically, create one text file per target host:
hosts/$domain/$hostname
with the following content (the file is sourced as shell by the deploy script, which is why the lines use local):
local server=user@host
local path=path-to-store-certs
local cmd="post command to execute on remote"
Make sure the user on the remote server can execute the command, and keep that user unprivileged: grant only the one command it needs. To reload NGINX with OpenRC, add this to /etc/sudoers.d/acme:
acme ALL=(root) NOPASSWD: /sbin/rc-service nginx reload
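As an added example, not the project's deploy script, here is a deploy function that consumes the hosts/$domain/$hostname files described above. The certbot live directory, the SCP/SSH variables and the name checks are assumptions. It resets server, path and cmd before sourcing each file so a cmd from one host cannot leak into the next, and it rejects names that could escape the hosts directory, since sourcing a file executes it as shell.

```shell
#!/bin/sh
# Added example of the deployment step: read hosts/$domain/$hostname, copy the
# certificate and key with scp and run the post command over ssh. Paths and
# variable names are assumptions, not the project's own deploy script.
set -eu

HOSTS_DIR="${HOSTS_DIR:-hosts}"                   # hosts/$domain/$hostname files
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"     # certbot's live directory (assumed)
SCP="${SCP:-scp}"                                 # overridable, e.g. SCP="scp -i key"
SSH="${SSH:-ssh}"

# The config file is sourced, i.e. executed as shell, so neither path component
# may leave the hosts directory or carry shell metacharacters.
safe_name() {
    case $1 in
        ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Deploy one host. The file consists of `local server=...` lines, so it must be
# sourced from inside a function for `local` to be legal.
deploy_one() {
    domain=$1; host=$2
    safe_name "$domain" && safe_name "$host" || {
        echo "invalid domain/host name: $domain/$host" >&2; return 1; }
    cfg="$HOSTS_DIR/$domain/$host"
    local server= path= cmd=       # reset so nothing leaks from a previous host
    . "$cfg"
    [ -n "$server" ] && [ -n "$path" ] || {
        echo "$cfg: server and path are required" >&2; return 1; }
    chain="$LIVE_DIR/$domain/fullchain.pem"
    key="$LIVE_DIR/$domain/privkey.pem"
    [ -r "$chain" ] && [ -r "$key" ] || {
        echo "no certificate for $domain in $LIVE_DIR" >&2; return 1; }
    $SCP -q "$chain" "$key" "$server:$path/"
    # The post command runs as the remote user; anything that needs root must
    # be allowed in sudoers on the remote, as the README shows for nginx.
    [ -z "$cmd" ] || $SSH "$server" "$cmd"
}

# Deploy to every host configured for $domain; keep going after a failure and
# return the number of hosts that failed.
deploy_all() {
    dom=$1; failed=0
    for f in "$HOSTS_DIR/$dom"/*; do
        [ -f "$f" ] || continue
        deploy_one "$dom" "${f##*/}" || failed=$((failed + 1))
    done
    return "$failed"
}
```

A certbot --deploy-hook can call deploy_all "$RENEWED_DOMAINS" after a successful renewal; the private key is copied with the permissions scp gives it, so the post command or the remote umask should ensure the key is not world-readable.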
Run setup.sh to set up Certbot for your wildcard domain. This also deploys your certificates and keys to the remote servers configured in the deployment files.
Add a weekly cron job that checks whether certificates need renewal (on Alpine, busybox crond runs executable files in /etc/periodic/weekly). Test the renewal path once with certbot renew --dry-run before relying on the cron job.
ln -s /path/to/cron.sh /etc/periodic/weekly/certbot-renew