Automated Let's Encrypt certificates for Apigee Cloud

I have figured out how to automate the creation and upload of Let's Encrypt certs to Apigee Cloud as per this post: https://community.apigee.com/questions/70172/apigee-letsencrypt-and-http.html

There is a plugin that starts a temporary DNS server to answer the Let's Encrypt DNS-01 challenge queries.

DNS Standalone plugin: https://github.com/siilike/certbot-dns-standalone

For this you will need to configure your DNS domain with an NS record pointing to the host you are running the script from. That host must be reachable from the internet, or you must port forward UDP 53 to your internal host.

In this example I have two APIs

- api.site.com

- api2.site.com

And their aliases in Apigee are "api" and "api2".

The DNS is configured with a minimum of 3 records, and you just add acme-challenge records for each host you want to issue certs for:

_acme-challenge.api.site.com - CNAME - myofficenameserver.site.com

myofficenameserver.site.com - NS - myoffice.site.com

myoffice.site.com - A - 123.456.789.1

Now to issue certs for api2 you add

_acme-challenge.api2.site.com - CNAME - myofficenameserver.site.com

It is important that the _acme-challenge CNAME points at a name that carries an NS record (myofficenameserver.site.com), because you can't CNAME to the main myoffice hostname A record and still get the challenge lookup delegated. myofficenameserver.site.com is then delegated with an NS record to the hostname of the host running the script, i.e. myoffice.site.com, whose A record gives its address.
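As an added pre-flight check that is not part of the original post: the script below walks the _acme-challenge CNAME -> NS -> A chain described above over a constructed record set (ZONE_RECORDS, with 192.0.2.1 standing in for the real office address), so a CNAME that points straight at the A record is caught before certbot is run. In practice ZONE_RECORDS would be filled from dig +short or your DNS provider's zone export.

```shell
#!/bin/bash
# Constructed sample of the records from the post, one "name type target" per line.
# The broken.site.com entry deliberately CNAMEs to the A record instead of the NS name.
ZONE_RECORDS='_acme-challenge.api.site.com CNAME myofficenameserver.site.com
_acme-challenge.api2.site.com CNAME myofficenameserver.site.com
_acme-challenge.broken.site.com CNAME myoffice.site.com
myofficenameserver.site.com NS myoffice.site.com
myoffice.site.com A 192.0.2.1'

# lookup NAME TYPE: print the target of every matching record (empty if none)
lookup() {
    printf '%s\n' "$ZONE_RECORDS" | awk -v n="$1" -v t="$2" '$1==n && $2==t {print $3}'
}

# check_delegation HOST: follow _acme-challenge.HOST CNAME -> NS -> A
# returns 0 when the chain matches the layout certbot-dns-standalone needs, 1 otherwise
check_delegation() {
    host=$1
    cname=$(lookup "_acme-challenge.$host" CNAME)
    if [ -z "$cname" ]; then
        echo "FAIL $host: no _acme-challenge CNAME record" >&2
        return 1
    fi
    ns=$(lookup "$cname" NS)
    if [ -z "$ns" ]; then
        echo "FAIL $host: $cname has no NS record (CNAME must target the delegated name, not the A record)" >&2
        return 1
    fi
    addr=$(lookup "$ns" A)
    if [ -z "$addr" ]; then
        echo "FAIL $host: nameserver $ns has no A record" >&2
        return 1
    fi
    echo "OK $host -> $cname -> NS $ns -> $addr"
    return 0
}

# Run the check for every host you intend to issue a cert for
for h in api.site.com api2.site.com broken.site.com; do
    check_delegation "$h" || true
done
```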

Now that DNS is configured correctly you need two scripts to create the certs.

./cert.sh
#!/bin/bash
#Issue Let's Encrypt cert and upload it to Apigee
#Arguments
# 1 dns name
# 2 certificate alias in apigee
# 3 apigee username:password (passed to curl -u)
# 4 endpoint including environment
set -e
dnsname=$1
certalias=$2
apigeeuser=$3
endpoint=$4
#Keystore is named after today's date, matching the main script
keystore="le-$(date +'%Y%m%d')"

#Answer the DNS-01 challenge with the temporary standalone DNS server
certbot certonly --non-interactive --config-dir . --preferred-challenges dns --authenticator certbot-dns-standalone:dns-standalone -d "$dnsname"
#Bundle private key, chain and root CA into a PKCS12 file for upload
openssl pkcs12 -export -out "$dnsname.p12" -in "live/$dnsname/fullchain.pem" -inkey "live/$dnsname/privkey.pem" -certfile trustid-x3-root.pem.txt -passout pass:password
#Upload the PKCS12 file as an alias in today's keystore
curl -X POST -u "$apigeeuser" -H "Content-Type: multipart/form-data" -F file="@$dnsname.p12" -F password=password "$endpoint/keystores/$keystore/aliases?alias=$certalias&format=pkcs12"

And then the main script to call cert.sh

#!/bin/bash
#Replace Certs using LetsEncrypt DNS Challenge

apigeeuser="**USERNAME**:**PASSWORD**"
apigeetenant=**TENANT**
apigeeurl="https://api.enterprise.apigee.com/v1/o/$apigeetenant/e"
letsencryptemail=**EMAILADDRESS**
#Keystore is named after today's date; cert.sh derives the same name
keystore="le-$(date +'%Y%m%d')"

#Register Letsencrypt account (only needed the first time; later runs report the existing account)
certbot register --non-interactive --agree-tos -m "$letsencryptemail" --config-dir .

#Download X3 Root CA used by cert.sh to complete the chain
wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt

#Test
#Create keystore and set apigee environment
apigeeenv=test
curl -X POST -u "$apigeeuser" -H "Content-Type: text/xml" "$apigeeurl/$apigeeenv/keystores" -d "<KeyStore name='$keystore'/>"

#The first value is the dns domain and the second is the alias name in Apigee.
#You also need a delay before calling certbot again, so add a sleep each time.

./cert.sh api.site.com api "$apigeeuser" "$apigeeurl/$apigeeenv"
sleep 10
./cert.sh api2.site.com api2 "$apigeeuser" "$apigeeurl/$apigeeenv"

#Update reference "le-ref" to point to the new keystore
curl -X PUT -u "$apigeeuser" --header "Content-Type: application/json" -d "{\"name\":\"le-ref\",\"refers\":\"$keystore\",\"resourceType\":\"KeyStore\"}" "$apigeeurl/$apigeeenv/references/le-ref"

Then repeat the cert.sh lines for as many certs as you need, passing the DNS name as the first value and the alias the certificate has in Apigee as the second value.

Hope this helps others with the issue of using Let's Encrypt certs on Apigee. It would be great if Apigee supported generating them internally.

Last update: 05-04-2020 01:55 PM