====== Origin ======
This is cribbed heavily from [[https://developer.epages.com/blog/tech-stories/managing-lets-encrypt-certificates-in-vault/]] and tweaked to use rfc2136 instead of dnsimple and to run under nomad.
====== Initial Setup ======
export VAULT_ADDR=https://vault.service.consul.sihnon.net:8200
export CERTBOT_TOKEN=$(vault token create -policy certbot-nomad -field token)
docker run -ti -e VAULT_ADDR=$VAULT_ADDR -e VAULT_TOKEN=$CERTBOT_TOKEN --entrypoint sh docker-registry.sihnon.net:5000/certbot-nomad:latest
certbot register --non-interactive --agree-tos -m webmaster@example.com
export ACCOUNT_PARENT_PATH=/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
export ACCOUNT_ID=$(ls $ACCOUNT_PARENT_PATH)
vault kv put secret/lets-encrypt/account/extra_details "account_id=$ACCOUNT_ID"
for i in meta private_key regr; do
vault kv put "secret/lets-encrypt/account/$i" "@$ACCOUNT_PARENT_PATH/$ACCOUNT_ID/$i.json"
done
====== Register new cert ======
export VAULT_ADDR=https://vault.service.consul.sihnon.net:8200
export CERTBOT_TOKEN=$(vault token create -policy certbot-nomad -field token)
docker run -ti -e VAULT_ADDR=$VAULT_ADDR -e VAULT_TOKEN=$CERTBOT_TOKEN --entrypoint sh docker-registry.sihnon.net:5000/certbot-nomad:latest
source /usr/local/bin/initialise.sh
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/creds.ini --dns-rfc2136-propagation-seconds 210 --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/00-update-vault.sh -d www.benroberts.net
===== Failures =====
Waiting for verification...
Challenge failed for domain www.benroberts.net
dns-01 challenge for www.benroberts.net
Cleaning up challenges
Some challenges have failed.
One or more of the DNS servers are not up to date. Compare the SOA serial returned by each server with:
# fish
for f in triumph tracey santo georgia ns6.gandi.net;
printf "%-20s" $f ;
dig +short SOA sihnon.net @$f ;
end
If one of them is behind, reload it. If ns6.gandi.net is behind, give it 60s to catch up, and if still lagging, reload one of the others arbitrarily to force a sync.
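The serial comparison above as a script, added here as an example and not part of the original page: it runs the same SOA query against each server and reports which ones are behind or not answering. The zone and server names are assumed from the page, and the comparison step works on constructed "server serial" lines so it can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the original page): check that every authoritative
# nameserver for the zone serves the same SOA serial, so a failed dns-01
# challenge can be traced to a lagging secondary before re-running certbot.
# Assumptions: ZONE and SERVERS mirror the page; `dig` is only needed for the
# live run. The comparison works on "server serial" lines so it runs offline.

ZONE="sihnon.net"
SERVERS="triumph tracey santo georgia ns6.gandi.net"

# Query one server for the zone's SOA and print "server serial"; the serial is
# the third field of the SOA RDATA printed by `dig +short`. Prints "server -"
# when the server does not answer.
soa_serial() {
    server=$1
    serial=$(dig +short +time=3 +tries=1 SOA "$ZONE" "@$server" 2>/dev/null |
        awk 'NR == 1 { print $3 }')
    printf '%s %s\n' "$server" "${serial:--}"
}

# Read "server serial" lines on stdin. Print every server that is behind the
# highest serial seen, or that gave no answer, one per line with the reason.
# Exit 0 when all servers are in sync, 1 otherwise.
lagging_servers() {
    awk '
        $2 == "-" { missing[$1] = 1; next }
        { serial[$1] = $2; if ($2 + 0 > max + 0) max = $2 }
        END {
            n = 0
            for (s in missing) { print s " (no answer)"; n++ }
            for (s in serial) if (serial[s] + 0 < max + 0) {
                print s " (" serial[s] " < " max ")"; n++
            }
            exit (n ? 1 : 0)
        }
    '
}

# Live check against the real servers; run as `sh soa-check.sh live`.
# Guarded so the functions can be sourced and tested without network access.
if [ "${1:-}" = "live" ]; then
    for s in $SERVERS; do soa_serial "$s"; done | lagging_servers
fi
```

A non-zero exit names the server to reload (or, for ns6.gandi.net, to wait on) before retrying certbot.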