SSLCertificates Infoblox: Difference between revisions
Revision as of 16:02, 28 April 2026
The firewall rules introduced in early 2026 prevent SSL certificates from being generated by certbot or letsencrypt, because the ports needed to verify the host are behind the firewall. The DNS/DHCP wrapper infoblox can provide these certificates instead: it authenticates the sites for letsencrypt through a dedicated user whose only permission is read/write on DNS text (TXT) records, which is enough for the challenge to be completed and the certificates to be issued and read.
While [https://gitlab.triumf.ca/ist/util/certbot-infoblox full instructions can be found here], below we reproduce the simplest version of these commands in the context of the DAQ group:
On the machine for which you want to generate the certificate:
git clone https://gitlab.triumf.ca/ist/util/certbot-infoblox.git
sudo ./certbot-infoblox/certbot_infoblox_installer
Edit the following file as root to fill in the dns_infoblox_username and dns_infoblox_password.
- The username and password are specific to your zone (ucn, cmms, grsi, etc). They are NOT your TRIDENT credentials.
- Contact IT for these values OR look at a machine that has already been set up.
vim /etc/letsencrypt/infoblox.ini
Assuming apache is running for a MIDAS instance:
In the below:
- Replace "myzone" with the appropriate zone. Ex: "ucn" or "cmms" such that letsencrypt@myzone.triumf.ca becomes letsencrypt@ucn.triumf.ca.
- Replace "test1" with the machine name. Ex: "daq01".
/opt/certbot/venv/bin/certbot certonly --noninteractive --agree-tos --authenticator dns-infoblox --email letsencrypt@myzone.triumf.ca --domain test1.myzone.triumf.ca --renew-hook 'systemctl restart apache2'
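The following wrapper is an added example, not part of this wiki page or of the certbot-infoblox project: it refuses to run while infoblox.ini is readable by other users (the file holds the zone's Infoblox password), then builds the certbot command above from a zone and host name and checks the issued certificate's remaining lifetime. It assumes certbot at /opt/certbot/venv/bin as on the page and certbot's standard /etc/letsencrypt/live/<fqdn>/fullchain.pem layout.

```shell
#!/bin/sh
# Added example (not from the wiki page or the certbot-infoblox project): wraps the
# certonly step with a permission check on the credential file and a post-issue check.
# Assumed: certbot at /opt/certbot/venv/bin (as on the page) and certbot's standard
# /etc/letsencrypt/live/<fqdn>/fullchain.pem layout.
set -u

CERTBOT=/opt/certbot/venv/bin/certbot
INI=/etc/letsencrypt/infoblox.ini

# Print the FQDN letsencrypt will issue for, e.g. fqdn ucn daq01 -> daq01.ucn.triumf.ca
fqdn() { printf '%s.%s.triumf.ca\n' "$2" "$1"; }

# Print the per-zone contact address, e.g. contact ucn -> letsencrypt@ucn.triumf.ca
contact() { printf 'letsencrypt@%s.triumf.ca\n' "$1"; }

# Return 0 only if FILE exists, is mode 600 (or 400), and names both credentials.
check_ini() {
    f=$1
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD
    case $mode in
        600|400) ;;
        *) echo "$f is mode $mode; it holds the Infoblox password, chmod 600 it" >&2; return 1 ;;
    esac
    grep -q '^dns_infoblox_username' "$f" && grep -q '^dns_infoblox_password' "$f" ||
        { echo "$f lacks dns_infoblox_username/dns_infoblox_password" >&2; return 1; }
}

# Return 0 if the live certificate for FQDN is still valid DAYS (default 14) from now.
cert_ok() {
    openssl x509 -noout -checkend $(( ${2:-14} * 86400 )) \
        -in "/etc/letsencrypt/live/$1/fullchain.pem"
}

# issue ZONE HOST: the page's certonly command with the checks around it.
issue() {
    check_ini "$INI" || return 1
    sudo "$CERTBOT" certonly --noninteractive --agree-tos --authenticator dns-infoblox \
        --email "$(contact "$1")" --domain "$(fqdn "$1" "$2")" \
        --renew-hook 'systemctl restart apache2' || return 1
    cert_ok "$(fqdn "$1" "$2")"
}

[ -n "${1:-}" ] && issue "$@"
```

Run it as `./issue.sh ucn daq01`; a non-zero exit before certbot starts means the ini file needs `chmod 600` or is missing a credential line.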