Let's encrypt certificate for offline servers with OVH DNS

Let's encrypt provide free and easy SSL certificates. Nevertheless it need to verify that you own the machine. In order to do that we usually use HTTP verification with the .well-known directory.

But sometime our servers are not reachable from the internet. Therefore the HTTP validation is not possible. Hopefully there is another way the acme challenge can be validated: DNS validation.

In this post we will see how we can generate Let's encrypt SSL certificate for offline machine with DNS validation for domains hosts by OVH.

Certificate generation

Requirements

  • A domain name with its DNS hosted by OVH
  • curl (sudo apt-get install curl)
  • Python 2 or 3 and pip (sudo apt-get install python-pip)
  • python-ovh (pip install ovh)
  • dehydrated (git clone https://github.com/lukas2511/dehydrated)
  • OVH hook (git clone https://github.com/antoiner77/letsencrypt.sh-ovh)

API Key generation

We need API keys in order to use the hook script for the DNS validation. For that, register the application on [OVH API] (https://eu.api.ovh.com/createApp/).

We get two elements from the website: APP_KEY APP_SECRET

We need to put them in our ovh.conf file in the OVH hook script:

[default]
; general configuration: default endpoint
endpoint=ovh-eu

[ovh-eu]
; configuration specific to 'ovh-eu' endpoint
application_key=APP_KEY
application_secret=APP_SECRET
; uncomment following line when writing a script application
; with a single consumer key.
;consumer_key=MA_CLEFS

Now we need to generate the use token in order to validation our keys (you may need to had execution permissions to the script):

./ovhdns.py --init

We get an other link where we need to authenticate one more time. When it is done just press the ENTER key.

The script indicate the user token to insert in the ovh.conf file. Be sure to uncomment the line by deleting the ; at the beginning of the line.

The configuration file will be needed in the dehydrated folder, let's just create a symlink:

ln -s /home/user/letsencrypt.sh-ovh/ovh.conf /home/user/dehydrated/ovh.conf

The hook script configuration is finished, now let's configure the dehydrated script.

dehydrated configuration

In the domains.txt file, indicate the certificates that you want to generate. Each line will be a certificate but one certificate can be valid for several domains. For instance, the following configuration will generate two certificates each for two domains.

example.org www.example.org
gitlab.example.com wikimedia.example.com

Certificates generation

Just launch the dehydrated script (you may need to had execution permission):

./dehydrated -c -t dns-01 -k '/home/user/letsencrypt.sh-ovh/ovhdns.py'
  • -c (re)generate certificates, will renew them if they expire in less than one month
  • -t dns-01 use the DNS challenge for acme validation
  • -k use specific script for hook

The certificates are stored in /home/user/dehydrated/certs/.

Automatically renew certificates

In order to automatically renew certificate:

Create a symlink in order to use the certificate and the necessary key. This is the only moment where we will need root permissions. For instance, for the gitlab certificate we need gitlab.crt and gitlab.key:

# ln -s /home/user/dehydrated/certs/git.exemple.fr/fullchain.pem /etc/gitlab/ssl/gitlab.crt
# ln -s /home/user/dehydrated/certs/git.exemple.fr/privkey.pem /etc/gitlab/ssl/gitlab.key

Add the following line to the crontab (crontab -e):

0 15 * * * cd /home/user/dehydrated/; ./dehydrated  -c -t dns-01 -k '/home/user/letsencrypt.sh-ovh/ovhdns.py'

Source

https://ungeek.fr/letsencrypt-api-ovh/