LEGO
- Canonical Telco
Channel | Revision | Published | Runs on |
---|---|---|---|
4/beta | 15 | 08 Oct 2024 | |
4/edge | 35 | Yesterday | |
4/edge | 34 | Yesterday |
juju deploy lego --channel 4/beta
Deploy universal operators easily with Juju, the Universal Operator Lifecycle Manager.
Platform:
22.04
Solving the DNS-01 Challenge
To get a certificate using the httpreq plugin and the DNS-01 challenge from a Certificate Authority that implements the ACME server, we need the following:
- The Lego Client
- TLS Certificates Requirer requiring a certificate for a domain name.
- DNS Agent with an HTTP API
- DNS Server (Bind as an example)
- Certificate Authority implementing the ACME protocol (ACME Server)
The diagram below shows how the certificate is acquired by a requirer for their domain name:
- The certificate requirer creates a CSR and sets the common name to the domain name that is requiring the certificate, and a request is initiated using the Lego client and the CSR.
- The Lego client sends the request to the ACME Server.
- The ACME Server will reply with a payload with the content that must be used by the user to create a TXT DNS record to prove their ownership of the domain.
- The Lego client makes a request towards the DNS agent to create a TXT DNS record.
- The DNS agent will create the TXT record.
- The DNS agent confirms the creation of the record through the status code.
- The ACME Client tells the ACME Server that the record is in place for the DSN-01 challenge.
- The ACME Server will validate the creation of the record.
- If the validation of the TXT record was successful, the server will issue the certificate towards the client.
- The client delivers the certificate to the requirer.