Okta: Automate certificate update on custom domains with Let's Encrypt and GoDaddy

Custom domains in Okta require TLS certificates to enable a secure HTTPS connection. Automating certificate renewal and configuration is important for running an always-on infrastructure.

When Okta released the Domains API, I wanted to automate my setup with Let's Encrypt and certbot as soon as possible. Since my former domain provider (Strato) did not offer an API for managing DNS records, I decided to move to GoDaddy.

This blog post describes how to set up a cron job that automates certificate renewal in Okta with GoDaddy, Let's Encrypt, and certbot.

Prerequisites

For this to work, you need the following:

  • A system that can execute cron jobs
  • Certbot installed on that system
  • A GoDaddy Domain
  • An Okta tenant with a configured custom domain

I used the system user root for the cron job, so I expect to have all the necessary rights on my Linux machine.

Get your Okta and GoDaddy API keys

Get an Okta API key from your Okta Admin Dashboard:

URL: https://<tenantSubdomain>-admin.okta.com/

Security -> API -> Tokens -> Create Token -> Enter a name and save the API key

Get a GoDaddy API key by going to: https://developer.godaddy.com/keys

Create New API Key -> Enter a name and choose 'Production' -> Save Key and Secret

Setup

On your destination system, clone my repo:

git clone https://github.com/tohcnam/certbot-godaddy-okta.git /opt/certbot-godaddy-okta

Open the settings file for editing:

cd /opt/certbot-godaddy-okta
nano certbot-settings.sh

Configure your custom domain: 

############################################################
# Domain settings
DOMAIN="example.com"
SUBDOMAIN="example"
EMAIL="example@example.com"
############################################################

Configure the GoDaddy settings: 

############################################################
# GoDaddy API settings
GODADDY_API_KEY=""
GODADDY_API_SECRET=""
GODADDY_URL="https://api.godaddy.com/"
############################################################

Configure the Okta settings: 

############################################################
# Okta API settings
OKTA_API_KEY=""
OKTA_ORG_URL="https://YourOktaUrl.okta.com"
############################################################

Save the file and exit.

Change the rights on the settings file so that only root can read it (it stores your credentials):

chown root:root certbot-settings.sh
chmod 700 certbot-settings.sh
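Before the cron job depends on the settings file, it is worth checking that every credential is filled in and that the ownership and mode from the two commands above are in place. The following check is an added example of mine, not code from the certbot-godaddy-okta repository: it parses the simple NAME="value" lines the settings file uses, lists required settings that are still empty, and flags a file that is not owned by the expected user or is readable by group or other. The sample settings text is constructed to mirror the three sections above with the API credentials still blank.

```python
import os
import re
import stat
import tempfile

# Keys the scripts read from certbot-settings.sh; every one must be non-empty.
REQUIRED = (
    "DOMAIN", "SUBDOMAIN", "EMAIL",
    "GODADDY_API_KEY", "GODADDY_API_SECRET", "GODADDY_URL",
    "OKTA_API_KEY", "OKTA_ORG_URL",
)

# Matches the NAME="value", NAME='value' or NAME=value lines used in the file.
_ASSIGN = re.compile(
    r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|\'([^\']*)\'|([^\s#]*))\s*(?:#.*)?$'
)


def parse_settings(text):
    """Return a dict of the assignments in a settings file; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            # Exactly one of the three value groups took part in the match.
            settings[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return settings


def missing_settings(settings):
    """Names of required settings that are absent or left empty."""
    return [key for key in REQUIRED if not settings.get(key)]


def permission_problems(path, owner_uid=0):
    """Ownership/mode problems: the file must belong to owner_uid (root by default)
    and carry no group/other permission bits, matching the chown/chmod step above."""
    st = os.stat(path)
    problems = []
    if st.st_uid != owner_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    return problems


def check_settings_file(path, owner_uid=0):
    """All problems found; an empty list means the file is safe to use from cron."""
    with open(path) as fh:
        settings = parse_settings(fh.read())
    problems = permission_problems(path, owner_uid)
    problems += ["%s is empty" % key for key in missing_settings(settings)]
    return problems


# Constructed sample mirroring the settings sections above, credentials still blank.
SAMPLE_SETTINGS = """\
############################################################
# Domain settings
DOMAIN="example.com"
SUBDOMAIN="example"
EMAIL="example@example.com"
############################################################
# GoDaddy API settings
GODADDY_API_KEY=""
GODADDY_API_SECRET=""
GODADDY_URL="https://api.godaddy.com/"
############################################################
# Okta API settings
OKTA_API_KEY=""
OKTA_ORG_URL="https://YourOktaUrl.okta.com"
############################################################
"""


def demo(mode=0o700):
    """Write the sample to a temp file with the given mode and check it as the current user."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_SETTINGS)
        os.chmod(path, mode)
        return check_settings_file(path, owner_uid=os.getuid())
    finally:
        os.remove(path)


if __name__ == "__main__":
    for problem in demo(0o644) or ["no problems found"]:
        print(problem)
```

Run it as root against /opt/certbot-godaddy-okta/certbot-settings.sh with check_settings_file(path) once the file is filled in; the mode check accepts the chmod 700 from above as well as the tighter 600, since a sourced file does not need to be executable.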

Execution

You can test the flow right away by executing certbot-run.sh. The script does the following:

  1. Start the certificate renewal flow with Let's Encrypt and the DNS challenge
  2. Set the TXT DNS record in GoDaddy
  3. Wait for 30 s (just to be sure the record has propagated)
  4. Retrieve the new cert from Let's Encrypt and store it locally
  5. Deploy the new cert in your Okta tenant
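Steps 2, 3 and 5 are the two API calls that certbot's hook mechanism exists for. The following is an added example of my own, not the certbot-run.sh script from the repository: the GoDaddy TXT update as a certbot --manual-auth-hook (which also does the 30 s wait) and the Okta certificate upload as a --deploy-hook. It assumes the GoDaddy v1 DNS records endpoint (PUT /v1/domains/{zone}/records/TXT/{name}) and the Okta Domains API certificate endpoint (PUT /api/v1/domains/{domainId}/certificate), reads the settings from environment variables with the same names as in certbot-settings.sh, and needs one value the settings file does not have, OKTA_DOMAIN_ID, the id Okta assigned to your custom domain (listed by GET /api/v1/domains). The record-name helper and the two request builders are pure functions so they can be checked without network access.

```python
import json
import os
import sys
import time
import urllib.request


def acme_record_name(fqdn, zone):
    """Record name GoDaddy expects, relative to the zone: the challenge for
    'login.example.com' in zone 'example.com' is '_acme-challenge.login'."""
    if fqdn == zone:
        return "_acme-challenge"
    if not fqdn.endswith("." + zone):
        raise ValueError("%s is not inside zone %s" % (fqdn, zone))
    return "_acme-challenge." + fqdn[: -(len(zone) + 1)]


def godaddy_txt_request(api_key, api_secret, zone, name, value,
                        base_url="https://api.godaddy.com/", ttl=600):
    """PUT that replaces the TXT records for one name (GoDaddy v1 records API, assumed)."""
    url = "%s/v1/domains/%s/records/TXT/%s" % (base_url.rstrip("/"), zone, name)
    body = json.dumps([{"data": value, "ttl": ttl}]).encode()
    return urllib.request.Request(url, data=body, method="PUT", headers={
        "Authorization": "sso-key %s:%s" % (api_key, api_secret),
        "Content-Type": "application/json",
        "Accept": "application/json",
    })


def okta_certificate_request(api_token, org_url, domain_id, cert_pem, key_pem, chain_pem):
    """PUT that uploads a PEM certificate to a custom domain (Okta Domains API, assumed)."""
    url = "%s/api/v1/domains/%s/certificate" % (org_url.rstrip("/"), domain_id)
    body = json.dumps({
        "type": "PEM",
        "certificate": cert_pem,
        "privateKey": key_pem,
        "certificateChain": chain_pem,
    }).encode()
    return urllib.request.Request(url, data=body, method="PUT", headers={
        "Authorization": "SSWS " + api_token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    })


def describe(req):
    """(method, url, Authorization header, decoded JSON body) of a prepared request."""
    return req.get_method(), req.full_url, req.get_header("Authorization"), json.loads(req.data)


def send(req):
    """Perform the request; urlopen raises HTTPError on a non-2xx status."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


def auth_hook(env, wait=30):
    """certbot --manual-auth-hook: certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION."""
    name = acme_record_name(env["CERTBOT_DOMAIN"], env["DOMAIN"])
    send(godaddy_txt_request(env["GODADDY_API_KEY"], env["GODADDY_API_SECRET"],
                             env["DOMAIN"], name, env["CERTBOT_VALIDATION"],
                             env.get("GODADDY_URL", "https://api.godaddy.com/")))
    time.sleep(wait)  # give the record time to propagate before certbot validates it


def deploy_hook(env):
    """certbot --deploy-hook: RENEWED_LINEAGE is the live directory of the renewed cert."""
    lineage = env["RENEWED_LINEAGE"]
    pems = {}
    for part in ("cert", "privkey", "chain"):
        with open(os.path.join(lineage, part + ".pem")) as fh:
            pems[part] = fh.read()
    status, _ = send(okta_certificate_request(
        env["OKTA_API_KEY"], env["OKTA_ORG_URL"], env["OKTA_DOMAIN_ID"],  # OKTA_DOMAIN_ID: assumed extra setting
        pems["cert"], pems["privkey"], pems["chain"]))
    return status


if __name__ == "__main__":
    {"auth": auth_hook, "deploy": deploy_hook}[sys.argv[1]](os.environ)
```

Saved as hooks.py and with the settings exported into the environment (for example `set -a; . certbot-settings.sh; set +a`), the renewal would be run as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook "python3 hooks.py auth" --deploy-hook "python3 hooks.py deploy" -d "$SUBDOMAIN.$DOMAIN"`. The private key only ever travels inside the TLS connection to your Okta org, and the Okta token is sent with the SSWS scheme the Admin API uses.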

Once everything has been tested successfully, set up cron:

crontab -e

Add the following line at the end: 

0 0 */15 * * /path/to/certbot-run.sh > /dev/null 2>&1

Save and exit.
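A crontab line fires on whatever days its day-of-month field expands to, and step expressions are easy to misread, so it pays to expand the field before installing the schedule. The following expander is an added example of mine, not part of the repository: it supports the field syntax cron accepts (`*`, single values, `a-b` ranges, comma lists and `/step` on `*` or a range) and returns the matching days. A `*/n` step counts from the start of the field's range, so `*/15` in the day-of-month position expands to 1, 16 and 31, while an explicit list such as `1,15` fires on exactly those days.

```python
def cron_field_values(field, lo, hi):
    """Expand one crontab field into the sorted list of integers it matches in [lo, hi].
    Supports '*', single values, ranges 'a-b', comma lists and '/step' on '*' or a range."""
    matched = set()
    for part in field.split(","):
        spec, _, step = part.partition("/")
        step = int(step) if step else 1
        if step < 1:
            raise ValueError("bad step in %r" % part)
        if spec == "*":
            start, end = lo, hi
        elif "-" in spec:
            a, b = spec.split("-", 1)
            start, end = int(a), int(b)
        elif step == 1:
            start = end = int(spec)
        else:
            raise ValueError("a step needs '*' or a range: %r" % part)
        if not (lo <= start <= end <= hi):
            raise ValueError("%r is outside %d-%d" % (part, lo, hi))
        # A step counts from the start of its range, so '*/15' on 1-31 is 1, 16, 31.
        matched.update(range(start, end + 1, step))
    return sorted(matched)


def days_of_month(field):
    """Calendar days (1-31) a day-of-month field matches."""
    return cron_field_values(field, 1, 31)


def cron_days(line):
    """Days of the month a five-field crontab line fires on; the other fields are ignored."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError("expected at least five crontab fields")
    return days_of_month(fields[2])


if __name__ == "__main__":
    for line in ("0 0 */15 * * /path/to/certbot-run.sh", "0 0 1,15 * * /path/to/certbot-run.sh"):
        print(line.split()[2], "->", cron_days(line))
```

Days 29 to 31 do not exist in every month, so a day that a short month lacks is simply skipped that month; a renewal that must happen twice in every month is most predictable with an explicit list of days that all months have.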

Note: With this, a new certificate will be generated on the 15th and 30th of each month. I decided on this two-week schedule to be sure that the Okta API key won't get disabled (Okta disables an API key if it is not used at least once in 30 days).