The following ACME challenge types are supported:
The dn42 endpoint serves certificates signed by an intermediate certificate issued by the dn42 certificate authority.
Note that certificates are issued with a validity period of 30 days, which is shorter than most clearnet ACME services.
The recommended interval to check for expiry is 5 days.
The staging endpoint can be used for testing and issues junk certificates. The service uses an internal certificate authority that is specific to the staging service and should not be trusted.
The staging service issues short lived certificates with a validity period of a few days.
TODO A simpler process will be provided at a future stage, in the meantime the vault API can be queried manually to list issued certificates.
Vault provides an API for listing issued certificates, however the process for doing this is somewhat complicated if you have not used vault before. The instructions below detail how to interrogate the service using the vault CLI, however it is also possible to run through the same process via the HTTP API.
# The API endpoint to list issued certificates is an authenticated # endpoint that requires a vault token to access it. # # The burble.dn42 service includes an anonymous login that can be # used to obtain a suitable token. # set the VAULT_ADDR environment variable to the ACME service $ export VAULT_ADDR="https://acme.burble.dn42" # you can also set VAULT_SKIP_VERIFY=1 if you do not have the # dn42 certificate authority installed. # Issue an anonymous token and store it in the VAULT_TOKEN env variable $ export VAULT_TOKEN=$(vault write -field token auth/approle/login role_id=anonymous) # now the vault API can be accessed # list issued certificates $ vault list dn42/certs Keys ---- 06:72:54:74:02:eb:68:da:62:76:14:92:b4:84:19:36:b1:d1:d0:5c 0c:bb:39:a0:0a:aa:9c:d9:06:e8:9e:87:ff:54:73:c4:a6:42:9c:f0 13:91:4f:f7:3a:0b:ca:38:cd:c6:6e:7d:4d:fb:c5:7c:ed:b0:79:1b 39:5c:46:16:27:d8:f7:30:cc:64:1a:3c:6c:ff:c4:ac:f9:3c:3c:9c 4b:24:32:48:d0:64:55:3b:dd:b3:00:c6:33:2d:0f:3e:eb:d7:50:02 4c:8f:ce:e6:18:7a:05:c1:a3:11:45:c9:3c:34:0f:50:e0:75:6d:fd 5a:03:a9:5b:07:60:d0:fb:25:28:4b:e9:93:a8:22:cd:78:d1:29:b2 5d:26:b4:47:59:0c:0a:e9:88:b6:97:1d:2a:2b:e5:cb:d2:90:34:9e 65:c8:33:07:fc:9a:aa:fd:85:6b:fd:b4:de:29:71:e3:8e:6c:f2:11 68:e1:a6:4a:e1:58:ee:71:c7:a6:12:48:e2:7a:c5:84:c1:7c:21:5e 75:cf:16:f9:06:71:ea:86:1c:51:95:89:c9:1d:ea:a1:eb:f5:6f:83 76:91:6e:6a:23:14:00:7c:5f:c7:de:91:c4:40:73:d9:51:b4:f8:4d # view an invidual certificate $ vault read -field certificate "dn42/cert/76:91:6e:6a:23:14:00:7c:5f:c7:de:91:c4:40:73:d9:51:b4:f8:4d" -----BEGIN CERTIFICATE----- MIIDTTCCAjWgAwIBAgIUdpFuaiMUAHxfx96RxEBz2VG0+E0wDQYJKoZIhvcNAQEL BQAwVTELMAkGA1UEBhMCWEQxDTALBgNVBAoTBGRuNDIxFDASBgNVBAsTC2J1cmJs ...snip... yait1CFFq4g9/bvsNfIsvN6EJ/BGXqqww6BzKt/ioSLj -----END CERTIFICATE----- # human readable output using the step CLI (https://smallstep.com/) $ vault read -field certificate "dn42/cert/06:72:54:74:02:eb:68:da:62:76:14:92:b4:84:19:36:b1:d1:d0:5c" | step certificate inspect Certificate: Data: Version: 3 (0x2) Serial Number: 36803586486229131299250018793512622456839458908 (0x672547402eb68da62761492b4841936b1d1d05c) Signature Algorithm: SHA256-RSA Issuer: C=XD,O=dn42,OU=burble.dn42,CN=burble.dn42 staging ACME Validity Not Before: Oct 2 18:21:36 2023 UTC Not After : Nov 3 18:22:06 2023 UTC Subject: CN=drone.git.dn42 Subject Public Key Info: Public Key Algorithm: RSA Public-Key: (4096 bit) Modulus: ...snip... Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: Server Authentication X509v3 Subject Key Identifier: 01:4A:7E:02:F3:B7:78:03:66:F9:21:97:4B:31:34:7C:31:DE:BB:86 X509v3 Authority Key Identifier: keyid:94:D1:C3:60:C7:88:81:A6:8C:37:AE:40:42:22:48:6B:5F:36:8F:CC Authority Information Access: OCSP - URI:https://acme.burble.dn42/v1/dn42/ocsp CA Issuers - URI:https://acme.burble.dn42/v1/dn42/ca X509v3 Subject Alternative Name: DNS:drone.git.dn42 X509v3 CRL Distribution Points: Full Name: URI:https://acme.burble.dn42/v1/dn42/crl Signature Algorithm: SHA256-RSA ...snip...
The cluster currently runs on the following nodes:
At any time the cluster has one leader which processes all requests and replicates state to the cluster members. The leader node automatically switches to one of the backup servers should a failure occur.
The traefik load balancer runs health checks against the vault servers and automatically redirects users to the vault cluster leader.
See the vault HA reference architecture for more details.