I finally found an ACME client I can use with acme-dns, with a GUI for the team.
Currently testing with the community release; we plan to buy a licence if I can achieve SSH connections through the bastion.
Here is my workflow for ~200 hosts:
- Add a host in Certify The Web, Let's Encrypt with DNS challenge using acme-dns.
- Task 1: push the PFX (full cert + key) to the remote host in /etc/ssl/certs/
- Task 2: run a custom shell script which extracts the cert and key from the PFX, moves the cert/key to the correct location and archives the oldest.
- Task 3: restart the service remotely using systemctl.
Everything is working fine: cert generation, renewal, deployment and restart, directly for this host. But for security purposes we use a Wallix bastion to open SSH connections to our servers.
With this proxy I can use a simple user with few SSH permissions (only scp for upload, for example).
On my computer, when I want to connect to a server, I use this connection chain:
- remote host: IP.SSH.PROXY
- username: [email protected]:myusername
Then I authenticate myself on the proxy with my username; the proxy verifies my credentials and permissions and opens a root connection on the remote host.
Is there a way to deal with this setup? Has anyone already achieved it?
By the way, if it can't work, I think I'll drop CTW and use another Linux client with acme-dns support; bye bye nice GUI.
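The Task 2 + Task 3 part of the workflow above (split the uploaded PFX into cert and key, archive the old pair, restart the service), as an added example. This is not the poster's script and not anything shipped by Certify The Web; the destination directory, the file names (`NAME.crt`, `NAME.fullchain.crt`, `NAME.key`), the `archive/<timestamp>/` layout, the PFX password being passed as an argument and the `systemctl restart` command are all assumptions. It does not address the bastion/proxy question, which is the open point of the post.

```shell
#!/bin/sh
# Added example (not the poster's script, not Certify The Web code): the
# Task 2 + Task 3 step of the workflow above. Takes the PFX uploaded by
# Task 1, splits it into leaf cert / full chain / private key, verifies the
# key matches the cert, archives the previous files and restarts the service.
# Directory layout, file names, the PFX password handling and the restart
# command are assumptions; the post does not specify them.
set -eu

# Restart command; overridable so the deploy can be tested without systemd (assumption).
: "${RESTART_CMD:=systemctl restart}"

# extract_pfx PFX PASSWORD OUTDIR NAME
# Writes NAME.crt (leaf), NAME.fullchain.crt (all certs in the PFX) and
# NAME.key (unencrypted, 0600) into OUTDIR. Returns non-zero on any failure,
# including a key that does not belong to the certificate.
extract_pfx() {
    x_pfx="$1"; x_pass="$2"; x_out="$3"; x_name="$4"
    # openssl x509 / pkey re-encode the PEM and drop the "Bag Attributes" lines.
    openssl pkcs12 -in "$x_pfx" -passin "pass:$x_pass" -nokeys -clcerts \
        | openssl x509 -out "$x_out/$x_name.crt" || return 1
    openssl pkcs12 -in "$x_pfx" -passin "pass:$x_pass" -nokeys \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$x_out/$x_name.fullchain.crt" || return 1
    [ -s "$x_out/$x_name.fullchain.crt" ] || return 1
    openssl pkcs12 -in "$x_pfx" -passin "pass:$x_pass" -nocerts -nodes \
        | openssl pkey -out "$x_out/$x_name.key" || return 1
    chmod 600 "$x_out/$x_name.key"
    # Compare the public key embedded in the cert with the one derived from the key.
    [ "$(openssl x509 -in "$x_out/$x_name.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$x_out/$x_name.key" -pubout)" ]
}

# deploy_pfx PFX DEST_DIR NAME PASSWORD [SERVICE]
deploy_pfx() {
    pfx="$1"; dest="$2"; name="$3"; pass="$4"; service="${5:-}"
    tmp="$(mktemp -d)"   # 0700, so the unencrypted key is never world-readable

    # Extract into the temp dir first; live files are only touched on success.
    if ! extract_pfx "$pfx" "$pass" "$tmp" "$name"; then
        echo "deploy_pfx: failed to extract a matching cert/key from $pfx" >&2
        rm -rf "$tmp"
        return 1
    fi

    # Archive the previous cert/key pair (if any) under DEST_DIR/archive/<timestamp>/.
    archive="$dest/archive/$(date +%Y%m%d%H%M%S)"
    for f in "$name.crt" "$name.fullchain.crt" "$name.key"; do
        if [ -e "$dest/$f" ]; then
            mkdir -p "$archive"
            mv "$dest/$f" "$archive/$f"
        fi
    done

    # Move the new files into place; certs are public, the key stays 0600 (mv keeps the mode).
    mv "$tmp/$name.crt" "$tmp/$name.fullchain.crt" "$tmp/$name.key" "$dest/"
    chmod 644 "$dest/$name.crt" "$dest/$name.fullchain.crt"
    rm -rf "$tmp"

    # Task 3: restart only after a successful deployment.
    if [ -n "$service" ]; then
        $RESTART_CMD "$service"
    fi
}

# Run from the command line as, for example:
#   sh deploy_pfx.sh /etc/ssl/certs/host.pfx /etc/ssl/private host 'pfx-password' nginx
if [ "$#" -ge 4 ]; then
    deploy_pfx "$@"
fi
```

Two caveats a practitioner will hit: the private key is written unencrypted (`-nodes`), so the temp dir and the final 0600 mode are what keep it off other local users; and a PFX written by a Windows/.NET exporter with the old RC2-40/3DES encryption is rejected by OpenSSL 3.x unless the `openssl pkcs12` calls get `-legacy` (with the legacy provider installed), which is worth checking on a 3.x host before rolling this out to 200 of them.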