This guide helps you set up certbot with the plugin for OpenStack DNS (Designate) to validate Let's Encrypt certificates over DNS.
The guide below applies to Debian/Ubuntu:
- Install certbot, and install the dns-openstack authenticator plugin with pip
sudo apt install certbot python3-designateclient python3-pip
sudo pip3 install certbot-dns-openstack
- Download the API definition file through Horizon. To do this you will need an API user, which can be created in the general cloud portal under “Access & Security -> API-users”.
- Log in to the OpenStack native UI “Horizon” (https://control.binero.cloud)
- Go to “Project” -> “API Access”
- Click “Download OpenStack RC-file” and then “Download OpenStack clouds.yaml file”
- Save the file to
/etc/openstack/clouds.yaml
- Run the following commands (add your password to OpenStack within the quotation-marks immediately following “PASSWORD” at the beginning of the last line):
sudo -s
chown root:root /etc/openstack/clouds.yaml
chmod 600 /etc/openstack/clouds.yaml
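# Insert a password line after the username line, reusing its indentation so the YAML stays valid
PASSWORD=""; sed -i -E "s/^([[:space:]]*)username: .*/&\n\1password: \"$PASSWORD\"/" /etc/openstack/clouds.yaml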
- You can now issue certificates as usual with certbot by adding
-a dns-openstack
to your certbot certonly or certbot run commands, for example:
sudo certbot -a dns-openstack certonly -d example.domain
If you have existing certificates that you want to change the authenticator for, edit
/etc/letsencrypt/renewal/example.domain.conf
and make sure the authenticator option is set to dns-openstack in the [renewalparams] section.
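
For the step that writes the password into /etc/openstack/clouds.yaml, the following is an added example (not part of the original guide) that reads the password from a prompt so it never appears in shell history or in a process argument list, escapes it for YAML, and reuses the indentation of the username line. The function name add_password and the script name add-password.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide. add_password is a hypothetical helper.
# Usage: add_password FILE PASSWORD
# Returns 0 on success, 1 if FILE has no "username:" line,
# 2 if it already has a "password:" line, 3 on a write error.
add_password() {
    file=$1
    grep -q '^[[:space:]]*username:' "$file" || return 1
    grep -q '^[[:space:]]*password:' "$file" && return 2
    # Escape \ and " so the value is a valid YAML double-quoted string.
    PW_ESC=$(printf '%s' "$2" | sed 's/[\\"]/\\&/g')
    # Hand the value to awk through the environment, not argv (visible in ps).
    export PW_ESC
    tmp=$(mktemp "$file.XXXXXX") || return 3   # mktemp creates it with mode 0600
    # Copy the file, adding "password:" after the first "username:" line with
    # the same indentation (9 = length of "username:"), so the key stays
    # inside the auth: mapping.
    if awk '
        !done && match($0, /^[ \t]*username:/) {
            print
            print substr($0, 1, RLENGTH - 9) "password: \"" ENVIRON["PW_ESC"] "\""
            done = 1
            next
        }
        { print }
    ' "$file" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$file"; then
        status=0
    else
        rm -f "$tmp"
        status=3
    fi
    unset PW_ESC
    return "$status"
}

# Interactive use (hypothetical script name): sh add-password.sh /etc/openstack/clouds.yaml
if [ "$#" -gt 0 ]; then
    printf 'OpenStack API password: ' >&2
    stty -echo
    IFS= read -r pw
    stty echo
    printf '\n' >&2
    add_password "$1" "$pw"
fi
```

Run it as root after the chown and chmod commands; the rewritten file is left with mode 600, and a second run is refused with status 2 instead of adding a duplicate password line.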