wit-letsencrypt/letsencrypt/README.md

# Lets Encrypt

[Let's Encrypt](https://letsencrypt.org/) is an [ISRG](https://en.wikipedia.org/wiki/Internet_Security_Research_Group) project to provide free TLS certificates in an automated fashion.

Let's Encrypt distributes a script for automating the CSR creation, domain validation, and certification acquisition process for acquiring TLS certificates. This script, `certbot` can be run from systems intended to be secured and automate the installation into common HTTP servers; or work in more passive modes simply for certificate acquisition.

## Using Let's Encrypt at WIT

Currently all SSL/TLS traffic to WIT services is terminated on roberto.wit.com via HAProxy. The `certbot` script is present on roberto and can be used in the following manner to acquire additional certificates, or to upgrade the existing *.services.wit.com certificate to include more domains. WIT uses `certbot` in `certonly` and `standalone` mode; this means that we're only using `certbot` to acquire the certificate, not install it. It also means that verification will take place using certbot's standalone web server (proxied via HAProxy).

### Adding Domains to the *.services.wit.com Cert

Assumptions:
- HAProxy's config still uses the certificate located in `/etc/haproxy/certs/git.services.wit.com.pem`
- HAProxy is still configured to pass 80/tcp traffic matching `path_beg /.well-known/acme-challenge/` to the `letsencrypt-backend`
- Traffic for the new domain will be terminated by HAProxy on roberto.wit.com

To update the certificate modify the list of domain arguments (`-d foo.com`) below and use the following process:

1. Acquire the current list of domains the certificate is responsible for:
```
openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text \
    | grep DNS: \
    | sed -e 's/^\s*//' -e 's/DNS:/ -d /g' -e 's/, / \\\n/g'
```

(this command spits out a list delimeted by ` -d` as these will be passed as arguments to `certbot`

2. Visually inspect the list to ensure the list looks correct. (Consider comparing to the certificate for an existing *.services.wit.com)

3. Run certbot, naming the **git.services.wit.com** cert as the one to be updated, and providing the **entire list of domains the cert should be valid for**

```
certbot certonly \
	--standalone \
	--cert-name git.services.wit.com \
    <DOMAINS FROM STEP 1>
    <NEW DOMAINS TO BE ADDED>
	--agree-tos \
	--email afrank@wit.com \
	--http-01-port=54321 \
	--preferred-challenges http
```

    At this point you should see certbot making a number of challenges (doing domain ownership verification), and then a "**Congratulations!**" message telling you the certs have been updated.


4. Backup the current certificate:
```
cp /etc/haproxy/certs/git.services.wit.com{,.bak.$(date +%s)}
```

5. Combine the certificate chain and the private key. HAProxy requires a full certificate chain+key for its SSL configuration:

```
cat /etc/letsencrypt/live/git.services.wit.com/fullchain.pem \
    /etc/letsencrypt/live/git.services.wit.com/privkey.pem \
    > /etc/haproxy/certs/git.services.wit.com.pem`
```

6. Reload HAproxy
```
service haproxy reload
```

7. Test both that your new service is accepting SSL connections, as well as existing services **remain** accepting SSL connections.
Doc for using letsencrypt 2018-05-09 17:04:56 -05:00			`# Lets Encrypt`

			`[Let's Encrypt](https://letsencrypt.org/) is an [ISRG](https://en.wikipedia.org/wiki/Internet_Security_Research_Group) project to provide free TLS certificates in an automated fashion.`

			Let's Encrypt distributes a script for automating the CSR creation, domain validation, and certification acquisition process for acquiring TLS certificates. This script, `certbot` can be run from systems intended to be secured and automate the installation into common HTTP servers; or work in more passive modes simply for certificate acquisition.

			`## Using Let's Encrypt at WIT`

Formatting 2018-05-09 21:21:30 -05:00			Currently all SSL/TLS traffic to WIT services is terminated on roberto.wit.com via HAProxy. The `certbot` script is present on roberto and can be used in the following manner to acquire additional certificates, or to upgrade the existing *.services.wit.com certificate to include more domains. WIT uses `certbot` in `certonly` and `standalone` mode; this means that we're only using `certbot` to acquire the certificate, not install it. It also means that verification will take place using certbot's standalone web server (proxied via HAProxy).
Doc for using letsencrypt 2018-05-09 17:04:56 -05:00
			`### Adding Domains to the *.services.wit.com Cert`

			`Assumptions:`
			- HAProxy's config still uses the certificate located in `/etc/haproxy/certs/git.services.wit.com.pem`
Formatting 2018-05-09 21:21:30 -05:00			- HAProxy is still configured to pass 80/tcp traffic matching `path_beg /.well-known/acme-challenge/` to the `letsencrypt-backend`
Doc for using letsencrypt 2018-05-09 17:04:56 -05:00			`- Traffic for the new domain will be terminated by HAProxy on roberto.wit.com`
Formatting 2018-05-09 21:21:30 -05:00
			To update the certificate modify the list of domain arguments (`-d foo.com`) below and use the following process:
Doc for using letsencrypt 2018-05-09 17:04:56 -05:00
			`1. Acquire the current list of domains the certificate is responsible for:`
Formatting 2018-05-09 21:21:30 -05:00			```
			`openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text \`
			`\| grep DNS: \`
			`\| sed -e 's/^\s*//' -e 's/DNS:/ -d /g' -e 's/, / \\\n/g'`
			```

Doc for using letsencrypt 2018-05-09 17:04:56 -05:00			(this command spits out a list delimeted by ` -d` as these will be passed as arguments to `certbot`

			`2. Visually inspect the list to ensure the list looks correct. (Consider comparing to the certificate for an existing *.services.wit.com)`

			`3. Run certbot, naming the git.services.wit.com cert as the one to be updated, and providing the entire list of domains the cert should be valid for`

Formatting 2018-05-09 21:21:30 -05:00			```
			`certbot certonly \`
			`--standalone \`
			`--cert-name git.services.wit.com \`
			`<DOMAINS FROM STEP 1>`
			`<NEW DOMAINS TO BE ADDED>`
			`--agree-tos \`
			`--email afrank@wit.com \`
			`--http-01-port=54321 \`
			`--preferred-challenges http`
			```
Doc for using letsencrypt 2018-05-09 17:04:56 -05:00
Formatting 2018-05-09 21:21:30 -05:00			`At this point you should see certbot making a number of challenges (doing domain ownership verification), and then a "Congratulations!" message telling you the certs have been updated.`
Doc for using letsencrypt 2018-05-09 17:04:56 -05:00

Formatting 2018-05-09 21:21:30 -05:00			`4. Backup the current certificate:`
			```
			`cp /etc/haproxy/certs/git.services.wit.com{,.bak.$(date +%s)}`
			```
Doc for using letsencrypt 2018-05-09 17:04:56 -05:00
Formatting 2018-05-09 21:21:30 -05:00			`5. Combine the certificate chain and the private key. HAProxy requires a full certificate chain+key for its SSL configuration:`
Doc for using letsencrypt 2018-05-09 17:04:56 -05:00
Formatting 2018-05-09 21:21:30 -05:00			```
			`cat /etc/letsencrypt/live/git.services.wit.com/fullchain.pem \`
			`/etc/letsencrypt/live/git.services.wit.com/privkey.pem \`
			> /etc/haproxy/certs/git.services.wit.com.pem`
			```
Doc for using letsencrypt 2018-05-09 17:04:56 -05:00
Formatting 2018-05-09 21:21:30 -05:00			`6. Reload HAproxy`
			```
			`service haproxy reload`
			```
Doc for using letsencrypt 2018-05-09 17:04:56 -05:00
Formatting 2018-05-09 21:21:30 -05:00			`7. Test both that your new service is accepting SSL connections, as well as existing services remain accepting SSL connections.`