Question about proper configuration for Let's Encrypt certificates

[dxbwala]

Hello RouteDNS team/community,

I'm trying to configure RouteDNS to use Let's Encrypt certificates for various listeners. According to Let's Encrypt's documentation, the certificate files are typically stored at:

· Certificate: /etc/letsencrypt/live/example.com/fullchain.pem
· Private Key: /etc/letsencrypt/live/example.com/privkey.pem

In my RouteDNS configuration, I'm planning to use:

server-crt = "/etc/letsencrypt/live/test.domain.com/fullchain.pem"
server-key = "/etc/letsencrypt/live/test.domain.com/privkey.pem"

My questions:

1. Is this the correct way to reference Let's Encrypt certificates in RouteDNS?
2. Are there any permission issues I should be aware of (especially since Let's Encrypt files are typically owned by root)?
3. Should I use fullchain.pem (which includes intermediate certificates) or just cert.pem?

Thank you for your guidance on this matter!

[folbricht]

I don't have a way to test this currently but pointing to the path your LetsEncrypt client stores them at seems correct to me. And the way you used key vs crt loos fine as well, I think just using cert.pem rather than fullchain.pem would be better. Though you do need to find a way to let the user account that RouteDNS runs as access those files (unless you run it as root). How to do that really depends on your environment.

One thing to be aware of is that RouteDNS doesn't re-read the certs after startup. So whenever a new Letsencrypt cert is stored during a refresh, you'd need to restart RouteDNS. I think that by defaut happens every couple of months or so. Without restart, the cert would eventually expire.

Adding native support for the ACME protocol to RouteDNS (so it can get its own certs) would technically be possible, but I haven't looked into it)