Homepage 5 Oznaka: Oracle
Automating Multi-Domain Let's Encrypt Certificates on Oracle OCI (Without DNS Challenges!)

Automating Multi-Domain Let's Encrypt Certificates on Oracle OCI (Without DNS Challenges!)

by | 6 ožujka, 2026 | Techblog

Johannes Michler PROMATIS Horus Oracle


Executive Vice President – Head of Platforms & Development

A while back, I published a blog post over at my Broadpin blog on how to integrate Let's Encrypt free SSL certificates with the Oracle Cloud Infrastructure (OCI) Load Balancer.

That approach works great, but in real-world project scenarios, we often hit a specific roadblock: What happens when you need multi-domain (SAN) certificates, but you don't have the access or ability to use a DNS Challenge?

If you can't touch the DNS records, you have to pivot. Here is a slightly modified, highly automated approach using the HTTP-01 challenge, OCI Object Storage, and dynamic Security Lists. The script allows to do a validation of multiple domain names for one certificate. The old scripts didn't work here.

The Core Differences: Old vs. New Approach

  • Validation Method: Instead of relying on DNS records (DNS-01), we are using the HTTP-01 challenge.
  • Token Hosting: We route Let's Encrypt's validation requests directly through the OCI Load Balancer to a public OCI Object Storage Bucket (acting as our webroot), rather than a compute instance web server. Routing everything under /.well-known allows to have multiple challenges available. Furthermore, this approach is faster since it doesn't require load balancer changes
  • Dynamic Security: To keep things tight, we use an empty OCI Security List. The Certbot script uses the OCI CLI to dynamically open Port 80 only during the validation process, and immediately closes it afterward. This allows having restricted access otherwise or especially don't having to open port 80 at all normally.
  • Zero-Touch Deployment: The deployment hook pushes the renewed certificate directly into OCI Certificates Management using the OCI CLI, keeping the Load Balancer updated automatically.

The Architecture at a Glance

If you want to replicate this, here is the high-level setup:

1. OCI Infrastructure Prep

  • Create a public Object Storage bucket named acme in your root compartment (set a lifecycle rule to delete objects after 2 days).


Public Bucket


Policy to clean up old challenges

  • On your Load Balancer, create a routing rule (ACME) that forwards anything starting with /.well-known/acme-challenge/ to your new bucket.


Rule to forward to object storage

  • If you're typically not leveraging HTTP, set up a listener on Port 80 using this rule, pointing to a "None" backend set.
  • Create an empty Security List (letsencrypt_temp_allowed_only) and assign it to your public Load Balancer subnet.

2. The Certbot Automation Machine

On a management instance, set up a Python virtual environment with Certbot installed. You will need to write three custom bash scripts to act as Certbot hooks:

  • oci-authenticator.sh: Grabs the $CERTBOT_TOKEN, uses the OCI CLI to temporarily open Port 80 on your Security List, and uploads the token to your acme bucket.
  • oci-closefirewall.sh: The cleanup hook. It instantly wipes the ingress rules on the Security List, locking Port 80 back down.
  • oci-deploy.sh: Takes the newly generated $RENEWED_LINEAGE files and uses oci certs-mgmt certificate update-certificate-by-importing-config-details to push the new cert directly into OCI. This script should be able to handle multiple domains in RENEWED_DOMAINS. I did this as follows:
FIRST_DOMAIN="${RENEWED_DOMAINS%% *}"
OCI_CERT_OCID=$(oci certs-mgmt certificate list --all --compartment-id $COMPARTMENT_ID --query "data.items[?subject.\"common-name\"=='${FIRST_DOMAIN}'&& \"lifecycle-state\"=='ACTIVE'].id|join(',',@)"| tr -d '\""')
CERT_PATH=$(cat $RENEWED_LINEAGE/cert.pem)
CERT_CHAIN=$(cat $RENEWED_LINEAGE/chain.pem)
CERT_KEY=$(cat $RENEWED_LINEAGE/privkey.pem)
oci certs-mgmt certificate update-certificate-by-importing-config-details --certificate-id=$OCI_CERT_OCID --cert-chain-pem="$CERT_CHAIN" --certificate-pem="$CERT_PATH" --private-key-pem="$CERT_KEY"

Wrap it all in an autorenew.sh script, stick it in your crontab, and you have a fully automated, multi-domain SSL renewal system that completely bypasses the need for DNS administration!

May 18–20, 2026 | APEX connect 2026, Soltau

May 18–20, 2026 | APEX connect 2026, Soltau

by | 2 ožujka, 2026 | Events

Broadpin @ APEX connect 2026

Join us at APEX connect 2026, the premier conference for PL/SQL and JavaScript.

Visit our experts at the booth and explore hands-on APEX use cases, modern DevOps strategies, and innovative digitalization projects. Enjoy insightful sessions, personal networking, and fresh ideas around Oracle APEX.

Kontaktirajte nas
APEX connect 2026

From May 18–20, 2026, our team will be attending APEX connect 2026 in Soltau. The conference is the leading event for Oracle APEX professionals in the German-speaking region, bringing together developers, architects, and IT decision-makers.

Take the opportunity to talk to our experts about modern APEX architectures, DevOps processes, cloud solutions, and proven best practices.

Our expert session at APEX connect 2026:

  • Digitalizing Waste Management: Self-Service, Chatbots & AI at Interzero
    Speakers: Nicole Cochems, ERP Application Development @ Interzero & Johannes Michler, CTO @ Broadpin
    Date & Room: Wednesday, May 20, 2026 | 12:00 – 12:45 PM | Room: Schatzinsel

Attend our session and meet us afterwards at our booth! For more information about APEX Connect 2026 click here.

Running in parallel with APEX Connect is the DOAG 2026 Database with Cloud Infrastructure, where we will also have expert sessions.

Learn more about the DOAG 2026 Database with Cloud Infrastructure event here.

June 18–19, 2026 | DOAG 2026 Database with Cloud Infrastructure

by | 26 veljače, 2026 | Events

Broadpin @ DOAG 2026 Database with Cloud Infrastructure

Meet Broadpin at the DOAG 2026 Database with Cloud Infrastructure Conference and explore state-of-the-art solutions around Oracle Database 26 / 26ai, Cloud Infrastructure, security, monitoring, and AI. Look forward to hands-on technical sessions, innovative technologies, and in-depth conversations with our experts.

Kontaktirajte nas
2026 Database with Cloud Infrastructure

From May 18–19, 2026, our team will be attending the DOAG 2026 Database with Cloud Infrastructure Conference in Soltau: the premier event for database professionals, cloud architects, and IT decision-makers.

The conference focuses on the latest developments in Oracle Database 26 / 26ai, OCI, security, performance optimization, monitoring, and AI-driven data architectures, providing deep technical insights and real-world best practices.

Join our expert sessions:

  • Session 1: OCI Security: Prevention, Backup, and Recovery for Complex Cloud Applications
    Speakers: Johannes Michler, CTO @ Broadpin & Nicole Cochems, ERP Application Development @ Interzero
    Date & Room: Monday, May 18, 2026 | 11:00 – 11:45 AM | Room: Bonair

  • Session 2: From Data to Intelligence: AI-Ready Data Models with Oracle Database 26ai
    Speakers: Stephan La Rocca, Director of Business Development @ Broadpin & Markus Kißling, Product Manager for Database In-Memory @ Oracle Deutschland
    Date & Room: Monday, May 18, 2026 | 2:00 – 2:45 PM | Room: Aruba32

  • Session 3: OCI Monitoring in the Waste Management Industry – A Real-World Case Study
    Speakers: Johannes Michler, CTO @ Broadpin & Nicole Cochems, ERP Application Development @ Interzero
    Date & Room: Tuesday, May 19, 2026 | 4:00 – 4:45 PM | Room: Bonair

Take this opportunity to gain deep technical insights into modern database architectures and Oracle Cloud Infrastructure.

Interested in a one-on-one conversation? Stop by our booth at APEX Connect 2026 - we’d love to connect.

For more information about the DOAG 2026 Database & Cloud Infrastructure Conference, visit the official event website here.

Bulletproof EBS on OCI (Episode 4/4)

Bulletproof EBS on OCI (Episode 4/4)

by | 2 veljače, 2026 | Techblog

Johannes Michler PROMATIS Horus Oracle


Executive Vice President – Head of Platforms & Development

Extending the Fortress: Hybrid Immutability & Automated DR

In the finale of our series on securing E-Business Suite, we are stepping out of the pure OCI bubble. Many of our customers operate in a Hybrid reality - keeping their primary EBS instance on-premise while looking to the cloud for Disaster Recovery (DR) and (ransomware) protection.

In Episode 4, we explore how to extend the "Broadpin Fortress" to your on-premise data center and how to evolve from manual recovery to fully automated Full Stack DR.

Part 1: Immutable Backups for On-Premise EBS

Just because your database sits in your own data center doesn't mean you can't leverage OCI's immutable vault. There are two primary architectural paths to send backups to OCI, both capable of utilizing Retention Locked policies.

Option A: The "Premium" Path (Autonomous Recovery Service)

You can connect your on-premise database directly to the OCI Autonomous Recovery Service (ARS).

  • The Pros: This brings the "Cloud Native" advantages to on-premise: Real-time data protection (Zero Data Loss) and Incremental Forever backup strategies.
  • The Requirements: This route requires a robust Site-to-Site VPN or FastConnect (no public internet). It is strictly limited to Linux x86 infrastructure and requires a recent 19c patch set.

Option B: The "Universal" Path (Database Backup Cloud Service)

For environments where ARS isn't a fit (e.g., non-Linux OS or no VPN), we utilize the Database Cloud Backup Module.

  • The Pros: Flexible and runs over the secure public internet (HTTPS). Even allows for encrypted and compressed backups without buying the corresponding database options.
  • The Cons: You lose the "Real-time" redo transport (potential data loss between backup intervals) and must manage standard Full/Incremental backup cycles.

The Critical "Gotcha": The Wallet

Whether you use Option A or B, there is one single point of failure that renders an immutable backup useless: The Encryption Wallet (TDE). If you lose your on-premise data center to ransomware and haven't backed up the local TDE wallet to a separate, secure location (or Vault), your immutable backups in OCI are cryptographically locked forever. Always backup the wallet separately.

Part 2: The Restore Strategy (Hybrid & Cloud)

When disaster strikes on-premise, you have two recovery destinations.

1. Restoring On-Premise This is the traditional path.

  1. Re-install the OS and Database Software (including the Oracle Home).
  2. Connect to OCI (via ARS or Backup Module).
  3. Perform the RMAN RESTORE and RECOVER.

2. Restoring to OCI (The "Cloud Lifeboat") A popular strategy is to use these backups to restore into OCI, effectively migrating during a disaster. You can target a Base Database Service instance.

  • Note: This is currently a manual setup. You must instantiate the Base DB Service first, then overwrite it with the backup from the on-premise source.

Part 3: Automating the Chaos (Full Stack DR)

In Episodes 2 and 3, we detailed the manual steps to restore EBS. While effective, manual recovery during a crisis is high-stress. How do we automate this?

1. OCI Full Stack Disaster Recovery (FSDR)

For the ultimate peace of mind, we implement OCI Full Stack Disaster Recovery.

  • Data Guard Scenario: In a standard MAA architecture, FSDR orchestrates the failover, handling the database role switch, DNS updates, and application tier restarts automatically (Refer to the MAA for EBS on OCI Whitepaper).
  • Backup/Restore Scenario: Even if you are running on Compute (as discussed in Ep 3), you can script FSDR to trigger the restoration of Block Volumes and RMAN recovery scripts, transforming a 20-page runbook into a single "Execute" button.

2. Data Guard and EBS Cloud Manager

For those looking into an even more robust and quick DR scenarios (when it comes to both RPO and RTO), EBS Cloud Manager has a powerful option. As described in https://docs.oracle.com/cd/E26401_01/doc.122/f35809/T679330T2010880.htm you can setup a DR environment (even in a separate region) with the click of a few buttons and then leverage Cloud Manager capabilities to do the switchover/cutover in case of a disaster.

      Series Conclusion

      At Broadpin, we believe that "Hope is not a strategy." Whether you are running purely on OCI Base Database Service, customized Compute, or a Hybrid architecture, the tools exist to build a ransomware-proof, immutable defense.

      Is your ERP data truly secure? If you're unsure, let's talk with our Broadpin Teams around the globe.

      Automating Multi-Domain Let's Encrypt Certificates on Oracle OCI (Without DNS Challenges!)

      Bulletproof EBS on OCI (Episode 3/4)

      by | 28 siječnja, 2026 | Techblog

      Johannes Michler PROMATIS Horus Oracle


      Executive Vice President – Head of Platforms & Development

      The Compute Challenge: Achieving Immutability Without Base DB Service

      In the first and second Episode, we covered the gold standard for E-Business Suite on OCI: leveraging the powerful automation of the Base Database Service and Autonomous Recovery Service (ARS).
      But what if your architecture mandates running the EBS database on a standard Compute instance (IaaS)? This scenario, common for highly customized environments or specific licensing models, strips away the native DR automation, forcing a more hands-on approach to achieving our goal of immutable, ransomware-proof backups.
      At Broadpin, we tackle these bespoke architectures head-on. Here is how we extended our "Fortress Strategy" for an EBS database running on Compute.

      The Architecture & Trade-Offs

      When running the database on Compute, we lose two major features of ARS:

      1. Zero Data Loss: We must rely on standard RMAN archivelog backups, not continuous synchronization.
      2. Incremental Forever: Backup and restore operations will be more time-consuming due to the reliance on traditional incremental/full RMAN backups.

      Database Backup Strategy: OCI Cloud Backup Module

      Since ARS is unavailable, we use the Database Cloud Backup Module (libopc.so) to push RMAN backups directly to OCI Object Storage.
      1. RMAN Configuration (Full Backup):
      To establish the weekly immutable full backup, we configured RMAN to use the SBT (System Backup to Tape) library and specified the OCI configuration file (opcISDBackup.ora).

      SET ENCRYPTION ON IDENTIFIED BY XXXXX ONLY;
CONFIGURE DEFAULT DEVICE TYPE TO 'SBT_TAPE';
CONFIGURE DEVICE TYPE 'SBT_TAPE' PARALLELISM 6 BACKUP TYPE TO COMPRESSED BACKUPSET;
CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' PARMS='SBT_LIBRARY=/u01/install/APPS/19.0.0/lib/libopc.so, SBT_PARMS=(OPC_PFILE=/home/oracle/opcBackup.ora)';

run {
backup incremental level 0 cumulative database;
sql 'alter system switch logfile';
backup format '%d_%T_%U.bkp0Arch' archivelog all not backed up delete input;
}

      2. Achieving Database Immutability:
      To ensure these RMAN backups are undeletable, we must apply the same Retention Rule (e.g., a 35-day lock) to the target Object Storage bucket (PROD_APPS).
      Important: RMAN's Cloud Backup Module requires a separate, temporary bucket for staging data during the backup process. This is a crucial detail for configuration, as outlined in Oracle's documentation.

        Phase 1: Application Tier Backup

        The App Tier strategy remains similar to Episode 1, but we must now also capture the Oracle Home for the Database, as it reside on standard filesystems.
        We updated our weekly script to capture the DB Oracle Home (/u01/install/APPS/19.0.0) along with the application directories and OCI configuration files, piping the output directly to the locked Object Storage bucket.

        #!/bin/bash
HOST=$(hostname -s)
SID="MAST"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
ARCHIVE_NAME="bkp_full${SID}_${HOST}_${TIMESTAMP}.tgz"
tar -cz /u01/install/APPS/19.0.0 /u01/install/APPS/scripts /home/oracle/opcISDBackup.ora | oci os object put --bucket-name PROD_APPS --auth instance_principal --file - --name ${ARCHIVE_NAME}

        Phase 2: The Manual Restore Procedure

        The biggest change is in the recovery workflow. Since we're not leveraging the OCI console's "Restore Database," the process relies on manually recovering the filesystems and then using RMAN.

        1. Restore the Oracle Homes (The Filesystem)

        The first step is identical to Episode 2's App Tier restore: spin up the new Compute instance and use the oci os object get command to restore the tgz file containing the EBS filesystems, including the DB Oracle Home.

        2. RMAN Restore and Recovery

        With the Oracle Home and executables back in place, we can start the database in NOMOUNT mode, connect RMAN, and utilize the Cloud Backup Module to retrieve the database files from the locked Object Storage bucket.

        3. Final Configuration (Simplified)

        A major benefit of including the Oracle Homes in our initial filesystem backup is that the DB's appsutil directory is already restored.
        Once the database is recovered, the final step is to run AutoConfig on the DB Tier, which registers the instance's new location and allows connection from the restored Application Tier.
        A modern EBS environment isn't just Forms and Reports. We also reconfigured:

        • ORDS: Re-installed/configured to point to the new DB service for APEX support.
        • Enterprise Command Center (ECC): Created a new DBC file and updated some IP Addresses in the config files.

        Alternative Strategy: Boot Volume Backups

        While this post focuses on achieving immutable backups for ultimate ransomware protection, for non-critical environments or simpler DR needs, a simpler (but non-immutable) strategy exists: Boot Volume Backups.
        Standard boot volume backups of the DB and App compute instances are quick and easy to manage via OCI Policy-Based backup features. However, remember they lack the retention lock we sought for our immutable fortress.
        For a look at a simpler, non-immutable backup strategy for Compute-based EBS, you can reference this previous post: Backing Up E-Business Suite Instances on OCI

            Conclusion

            Whether you choose the automated approach of Base Database Service or the manual control of a Compute instance, achieving a high level of ransomware protection in OCI is achievable through strategic use of Object Storage Retention Rules. While the Compute route involves more hands-on configuration and incurs longer recovery times, it provides the same immutable guarantee.
            The Broadpin team specializes in navigating these architectural complexities to deliver robust, secure, and resilient EBS solutions in the cloud.