fix: refactor certificate manager for rate-limit safety and consolidated SANs

2026-02-05 20:43:44 +01:00 · 2026-02-05 20:43:44 +01:00 · 6d2dde9a60
commit 6d2dde9a60
parent f793ddd02f
1 changed files with 14 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -47,18 +47,27 @@ Clean up every trace of a service in one command:
 infra decommission --domain project.loopaware.com --mac <MAC> --vmid 12345 --node la-vmh-12 --port-name project_udp
 ```

-### Certificate Management
+### 4. Certificates (Let's Encrypt)
+The infrastructure uses a consolidated SAN (Subject Alternative Name) strategy to optimize Let's Encrypt rate limits.
+
+- **`loopaware.com.pem`**: Wildcard cert for all public services.
+- **`la-infra-san.pem`**: Consolidated SAN cert for all internal `*.fe.loopaware.com` hosts.
+
+The system automatically discovers new internal hosts and adds them to the SAN certificate nightly at 3:00 AM.
+
 ```bash
-# List all active certificates
+# List all active certificates in shared storage
 infra cert list

-# Check main certificate expiry
+# Check expiry date of the main wildcard cert
 infra cert status

-# Trigger dynamic SAN discovery and renewal
-infra cert renew --force
+# Manually trigger discovery and renewal (Rate-limit safe)
+infra cert renew
 ```

+### 5. Cloudflare DDNS
+
 ## Safety & Validation
 - **Template Resolution:** The `debian-13` alias automatically finds the latest template on the target Proxmox node.
 - **Input Validation:** All IPs, MACs, and Ports are validated before execution.