77ce7aa5e79980d2ae6f9be7d321156870edc53a
The MinIO server for backups has special requirements for HTTPS. I want to use subdomains for bucket names, so the certificate must have a wildcard name, which requires using the DNS-01 challenge. Fortunately, it is actually pretty easy to use `nsupdate` with GSS-TSIG authentication to automate DNS record creation, and by default, all domain-member machines can create any records. Thus, using the `manual` auth plugin for `certbot` and a script to run `nsupdate`, obtaining the wildcard certificate is fairly straightforward. The biggest issue I encountered while developing this feature was caching of NXDOMAIN responses. There doesn't seem to be a way to change the TTL of the SOA record of the Active Directory DNS domain, which defaults to 3600, meaning NXDOMAIN responses are always cached for an hour. When adding a record using `nsupdate -g`, the tool always performs a SOA lookup of the new name to find the target zone for it. Since the name does not exist yet, the domain controller responds with NXDOMAIN, which gets cached by the main DNS server. Thus, even after adding the record, the ACME server will not be able to resolve the name for up to an hour. We can avoid this by explicitly setting the target zone. That would not work in a multi-domain forest, but fortunately, we do not have to worry about that. This role borrows some logic from the *postgresql-cert* role. Eventually, I probably want to combine some of the steps from both of these roles, possibly replacing the old *certbot* role.
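The hook described in the commit message, written out as an added example that is not part of the original commit or of the repository's roles: a `certbot --manual` auth/cleanup hook that feeds `nsupdate -g` an update script with an explicit `zone` statement, so `nsupdate` never performs the SOA lookup of the not-yet-existing `_acme-challenge` name and the resolver never caches an NXDOMAIN for it. `ZONE`, `DNS_SERVER`, their `example.com` defaults and the `auth`/`cleanup` argument convention are assumptions of this example; `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the variables certbot sets for manual hooks.

```shell
#!/bin/sh
# Added example (not from the original commit or repository): a certbot
# --manual hook that publishes the ACME DNS-01 TXT record through
# `nsupdate -g` (GSS-TSIG) and names the zone explicitly so nsupdate skips
# the SOA lookup that would otherwise leave a cached NXDOMAIN for the
# not-yet-existing _acme-challenge name.
# ZONE, DNS_SERVER and their defaults are assumptions for this example.
set -eu

ZONE="${ZONE:-example.com}"                 # assumed AD DNS zone (constructed)
DNS_SERVER="${DNS_SERVER:-dc1.example.com}" # assumed domain controller (constructed)
TTL=60                                      # short TTL for the challenge record

# certbot hands the domain to the hook without the "*." label for wildcard
# names; strip it anyway in case the hook is invoked by hand.
acme_name() {
    printf '%s\n' "$1" | sed 's/^\*\.//'
}

# Emit the nsupdate script for adding or deleting the challenge record.
# The "zone" statement is the fix from the commit message: with it present,
# nsupdate sends the update straight to that zone instead of querying the
# SOA of the new name (which would return NXDOMAIN and be cached).
build_update() {
    domain="$1"; token="$2"; action="${3:-add}"
    rr="_acme-challenge.$(acme_name "$domain")."
    printf 'server %s\n' "$DNS_SERVER"
    printf 'zone %s.\n' "$ZONE"
    if [ "$action" = delete ]; then
        printf 'update delete %s IN TXT "%s"\n' "$rr" "$token"
    else
        printf 'update add %s %s IN TXT "%s"\n' "$rr" "$TTL" "$token"
    fi
    printf 'send\n'
}

# Poll the domain controller directly until the TXT record is served, so the
# hook does not return before the ACME server could possibly see the record.
wait_for_record() {
    rr="_acme-challenge.$(acme_name "$1")."
    token="$2"
    i=0
    while [ "$i" -lt 30 ]; do
        if dig @"$DNS_SERVER" +short TXT "$rr" 2>/dev/null | grep -qF "\"$token\""; then
            return 0
        fi
        i=$((i + 1)); sleep 2
    done
    echo "challenge record $rr not visible on $DNS_SERVER" >&2
    return 1
}

main() {
    mode="${1:-auth}"   # "auth" for --manual-auth-hook, "cleanup" for --manual-cleanup-hook
    : "${CERTBOT_DOMAIN:?set by certbot}" "${CERTBOT_VALIDATION:?set by certbot}"
    case "$mode" in
        auth)
            build_update "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" add | nsupdate -g
            wait_for_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
            ;;
        cleanup)
            build_update "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" delete | nsupdate -g
            ;;
        *)
            echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
    esac
}

# Only act when certbot invoked us; sourcing the file for its functions
# (or running it without CERTBOT_* set) does nothing.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    main "$@"
fi
```

The hook needs a Kerberos ticket for `nsupdate -g` (for instance the host principal from the machine keytab via `kinit -k`) and is wired in as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/path/to/hook auth' --manual-cleanup-hook '/path/to/hook cleanup' -d example.com -d '*.example.com'`. The `wait_for_record` poll queries the domain controller, not the caching resolver, so it confirms the record is published without itself priming a negative cache entry.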
Description
Ansible configuration policy for the private network/home lab of Dustin C. Hatch
http://dustin.hatch.name/