Setup and automatic renewal of wildcard SSL certificates for Kubernetes with Certbot and NSD

1 minute read

Wildcard SSL certificates cover all subdomains under a certain domain - e.g. *.k8s.example.net will cover recognyze.k8s.example.net, inscripits.k8s.example.net, etc. which is very useful, if Kubernetes is used to deploy such services.

Prerequisites

The following guide assumes that you

  • delegate DNS for the prefix domain (in the example above k8s.example.net) to a separate zone file
  • which is managed by NSD (depending on your setup you might use the same NSD server, a separate instance, or even a server on another host).

Steps

  1. add a name server (NS) entry to your domain configuration that delegates DNS for the prefix domain to a given NSD server.
    k8s  3600    IN      NS      k8s-server.example.net.
    
  2. setup the NSD configuration and zone file for the prefix domain. The _acme-challenge entry will be overwritten by Cerbot during the DNS-01 challenge verification process.
    • /etc/nsd/nsd.conf:
      zone:
              name: k8s.example.net
              zonefile: /etc/nsd/zones/k8s.example.net.zone
      
    • /etc/nsd/zones/k8s.example.net:

      @                3660 IN    SOA nameserver.example.net. hostmaster.example.net. 2014111364 28800 7200 604800 3660
      @               84600 IN    NS  1.2.3.4
      @                3600 IN    A   1.2.3.4
      *                3600 IN    A   1.2.3.4
      _acme-challenge    60 IN    TXT "--temporary-dummy--"
      
  3. install the certbot-nsd-hook script to /opt:
    cd /opt
    git clone https://github.com/AlbertWeichselbraun/certbot-nsd-hook.git
    
  4. create the SSL wildcard certificate with
    cerbot certonly \
           -d '*.k8s.example.net'  \
           --manual  \
           --manual-auth-hook="/opt/certbot-nsd-hook/nsd-update-dns.py" \
           --post-hook="systemctl reload apache2"
    
  5. adapt your apache2 configuration to use the wildcard certificate
    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/k8s.example.net/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/k8s.example.net/fullchain.pem
    
  6. add Certbot to /etc/crontab to ensure that the certificate gets automatically renewed
    17 5  * * *   root    certbot renew --cert-name k8s.semanticlab.net
    

    Note: the option --cert-name allows you to specify the certificate to renew. This is relevant if your server uses wildcard and conventional certificates at the same time, since the certbot renew command does not allow mixing of renewal strategies yet.

Resources