From e5179135aded92a9cd8b7e1ef9a549770ce2d053 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Aug 18 2022 13:02:30 +0000 Subject: added note for aws/route53 hosted zone and tls/letsencrypt cert Signed-off-by: Fabian Arrotin --- diff --git a/docs/security/tls.md b/docs/security/tls.md index 895cad4..ade4ed5 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md @@ -198,6 +198,9 @@ acme.sh --issue --dns dns_nsupdate -d stg.centos.org -d '*.stg.centos.org' --cha ``` All certs/keys obtained through acme are under /root/.acme.sh/{hostname}/ so you'll then have to import those into this pkistore dir +!!! note + worth knowing that for AWS/Route53 hosted zones (as we now have some for CI infra and openshift), one can use `--dns dns_aws` [option](https://github.com/acmesh-official/acme.sh/wiki/dnsapi#10-use-amazon-route53-domain-api to request new TLS certs. And it will be automatic for renewal so nothing to worry aboutt + ##### For http challenge Normally we prefer DNS challenge, but there are corner cases like delegated records for which that would be problematic. That's the case for {buildlogs,cloud,vault}.centos.org nodes (delegated records to pdns/geoip)
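Review bot: the markdown link in the added `!!! note` block is not closed: `[option](https://github.com/acmesh-official/acme.sh/wiki/dnsapi#10-use-amazon-route53-domain-api` lacks the trailing `)`, so the link and the rest of the sentence will render as broken text. Suggest `[option](https://github.com/acmesh-official/acme.sh/wiki/dnsapi#10-use-amazon-route53-domain-api)`. While touching that line, fix the typo `aboutt` -> `about`, and consider stating where the automatic renewal is configured (cron/systemd timer on the host running acme.sh), since the note currently asserts renewal is automatic without saying what makes it so.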