Skip to content

Let's Encrypt Wildcard Certificates with Designate

OpenStack Designate can be used as a DNS-01 challenge provider for Let's Encrypt's ACME protocol. This allows you to automatically request and renew wildcard certificates (*.example.com) without manual intervention — the ACME client creates a TXT record in your Designate zone to prove domain ownership.

This guide covers two methods:

  • LEGO — a lightweight Go binary, no dependencies.
  • certbot — the popular Python-based ACME client.

Prerequisites

Method 1: LEGO

LEGO is a standalone Go binary with built-in support for OpenStack Designate as a DNS provider. It requires no runtime dependencies.

Install LEGO

# Download the latest release
wget https://github.com/go-acme/lego/releases/download/v5.2.2/lego_v5.2.2_linux_amd64.tar.gz
tar xzf lego_v5.2.2_linux_amd64.tar.gz

Request a wildcard certificate

DOMAIN=example.com

export OS_CLOUD=my-cloud
export DESIGNATE_ZONE_NAME="${DOMAIN}."
export OS_REGION_NAME=ch-ge1

./lego run \
  --email admin@${DOMAIN} \
  --accept-tos \
  --dns designate \
  --domains "*.${DOMAIN}" \
  --domains ${DOMAIN}

List certificates

ls -l .lego/certificates

Convert to PKCS12

openssl pkcs12 -passout "pass:" -export \
  -in _.${DOMAIN}.crt \
  -inkey _.${DOMAIN}.key \
  -out _.${DOMAIN}.p12

Debugging

Useful flags and environment variables for troubleshooting:

# Enable verbose HTTP logging
export GODEBUG=http2debug=2
export LEGO_LOG_LEVEL=debug

# Use the Let's Encrypt staging server (does not issue valid certs, but avoids rate limits)
./lego run --server https://acme-staging-v02.api.letsencrypt.org/directory ...

Method 2: certbot

certbot is the official Let's Encrypt client. The certbot-dns-openstack plugin adds Designate as a DNS provider.

Install certbot and dependencies

sudo apt install -y certbot
pip install python-designateclient certbot-dns-openstack zope

List available zones

Verify that certbot can reach your Designate zone:

export OS_CLOUD=my-cloud
openstack zone list

Request a wildcard certificate

DOMAIN=example.com
mkdir ~/letsencrypt

certbot -a dns-openstack certonly \
    --agree-tos \
    --register-unsafely-without-email \
    --work-dir ~/letsencrypt/work \
    --config-dir ~/letsencrypt/etc \
    --logs-dir ~/letsencrypt/log \
    --dns-openstack-propagation-seconds 60 \
    -d "*.${DOMAIN}" \
    -d "${DOMAIN}"

List certificates

ls -l ~/letsencrypt/etc/archive/*/*

Multiple domains

To request a certificate for multiple domains in one run, pass additional -d flags:

-d "*.example.com" -d "example.com" -d "*.api.example.com"

Using the certificate

In an Octavia Load Balancer

Convert the certificate to PKCS12 (see above), then store it as a Barbican secret and use it in a TERMINATED_HTTPS listener. See the Load Balancer guide for the full workflow.

In Kubernetes

Mount the certificate files as a Kubernetes Secret and reference them in your Ingress or Ingress controller. For automated certificate management inside Kubernetes, consider cert-manager with the ACME issuer and DNS-01 challenge.

Renewal

Both LEGO and certbot support automatic renewal:

# LEGO
./lego renew --dns designate --domains "*.example.com" --domains "example.com"

# certbot
certbot renew

Note

Wildcard certificates require DNS-01 validation and cannot be validated via HTTP-01.