This is cribbed heavily from https://developer.epages.com/blog/tech-stories/managing-lets-encrypt-certificates-in-vault/ and tweaked to use rfc2136 instead of dnsimple and to run under nomad.
# One-off: register the Let's Encrypt account and store it in Vault.
export VAULT_ADDR=https://vault.service.consul.sihnon.net:8200
export CERTBOT_TOKEN=$(vault token create -policy certbot-nomad -field token)
docker run -ti -e VAULT_ADDR=$VAULT_ADDR -e VAULT_TOKEN=$CERTBOT_TOKEN --entrypoint sh docker-registry.sihnon.net:5000/certbot-nomad:latest

# Inside the container:
certbot register --non-interactive --agree-tos -m webmaster@example.com
export ACCOUNT_PARENT_PATH=/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
export ACCOUNT_ID=$(ls $ACCOUNT_PARENT_PATH)
vault kv put secret/lets-encrypt/account/extra_details "account_id=$ACCOUNT_ID"
for i in meta private_key regr; do
    vault kv put "secret/lets-encrypt/account/$i" "@$ACCOUNT_PARENT_PATH/$ACCOUNT_ID/$i.json"
done
# Issue a certificate via the dns-01 challenge (rfc2136 plugin) and push it to Vault from the deploy hook.
export VAULT_ADDR=https://vault.service.consul.sihnon.net:8200
export CERTBOT_TOKEN=$(vault token create -policy certbot-nomad -field token)
docker run -ti -e VAULT_ADDR=$VAULT_ADDR -e VAULT_TOKEN=$CERTBOT_TOKEN --entrypoint sh docker-registry.sihnon.net:5000/certbot-nomad:latest

# Inside the container:
source /usr/local/bin/initialise.sh
certbot certonly --dns-rfc2136 \
    --dns-rfc2136-credentials /etc/letsencrypt/creds.ini \
    --dns-rfc2136-propagation-seconds 210 \
    --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/00-update-vault.sh \
    -d www.benroberts.net
Waiting for verification...
Challenge failed for domain www.benroberts.net
dns-01 challenge for www.benroberts.net
Cleaning up challenges
Some challenges have failed.

If the challenge fails like this, one or more of the DNS servers is not up to date, so the validation TXT record was not visible everywhere. Compare the SOA serial each server returns with:
# fish
for f in triumph tracey santo georgia ns6.gandi.net
    printf "%-20s" $f
    dig +short SOA sihnon.net @$f
end
If one of them is behind, reload it. If ns6.gandi.net is behind, give it 60s to catch up, and if still lagging, reload one of the others arbitrarily to force a sync.
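The same SOA comparison as a pre-flight check that can run before certbot, added here as an example and not part of the original post; it assumes `dig` is on PATH and reuses the nameserver names from the fish loop above, while the serial values in the test are constructed.

```python
"""Report nameservers that are not yet serving the newest zone serial.

Parses `dig +short SOA` output per server and compares serials with
RFC 1982 sequence arithmetic, so a 32-bit serial wrap is not reported
as a lag. A server that returns nothing (timeout, refused) is flagged
rather than silently skipped.
"""
import subprocess
import sys
from typing import Dict, Optional

# Nameserver names taken from the post's fish loop.
NAMESERVERS = ["triumph", "tracey", "santo", "georgia", "ns6.gandi.net"]


def parse_soa_serial(short_soa: str) -> Optional[int]:
    """Serial is the 3rd field of 'mname rname serial refresh retry expire minimum'."""
    fields = short_soa.split()
    if len(fields) < 7:
        return None
    return int(fields[2])


def serial_gt(a: int, b: int) -> bool:
    """True if a is newer than b in 32-bit serial space (RFC 1982)."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 2 ** 31


def lagging_servers(soa_by_server: Dict[str, str]) -> Dict[str, str]:
    """Map each server that is behind (or unanswered) to a short reason."""
    serials = {s: parse_soa_serial(out) for s, out in soa_by_server.items()}
    newest = None
    for serial in serials.values():
        if serial is not None and (newest is None or serial_gt(serial, newest)):
            newest = serial
    problems = {}
    for server, serial in serials.items():
        if serial is None:
            problems[server] = "no SOA answer"
        elif serial != newest:
            problems[server] = f"serial {serial} behind {newest}"
    return problems


def query_soa(zone: str, server: str, timeout: int = 5) -> str:
    """Run the same dig the post uses; empty string on failure or timeout."""
    cmd = ["dig", "+short", f"+time={timeout}", "SOA", zone, f"@{server}"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True).stdout.strip()
    except OSError:
        return ""


if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "sihnon.net"
    lag = lagging_servers({s: query_soa(zone, s) for s in NAMESERVERS})
    for server, why in lag.items():
        print(f"{server:<20}{why}")
    sys.exit(1 if lag else 0)
```

A non-zero exit means at least one server still needs the reload described above; the output line per server says whether it is behind or simply not answering.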