From 9f25fb6cb1cf4ac487f80e416120a315fc28eb5a Mon Sep 17 00:00:00 2001 From: Tim Sogard Date: Wed, 9 May 2018 18:04:56 -0400 Subject: [PATCH 1/5] Doc for using letsencrypt --- letsencrypt/README.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 letsencrypt/README.md diff --git a/letsencrypt/README.md b/letsencrypt/README.md new file mode 100644 index 0000000..23a6999 --- /dev/null +++ b/letsencrypt/README.md 
@@ -0,0 +1,40 @@ +# Lets Encrypt + +[Let's Encrypt](https://letsencrypt.org/) is an [ISRG](https://en.wikipedia.org/wiki/Internet_Security_Research_Group) project to provide free TLS certificates in an automated fashion. + +Let's Encrypt distributes a script for automating the CSR creation, domain validation, and certification acquisition process for acquiring TLS certificates. This script, `certbot` can be run from systems intended to be secured and automate the installation into common HTTP servers; or work in more passive modes simply for certificate acquisition. + +## Using Let's Encrypt at WIT + +Currently all SSL/TLS traffic to WIT services is terminated on roberto.wit.com via HAProxy. The `certbot` script is present on roberto and can be used in the following manner to acquire additional certificates, or to upgrade the existing *.services.wit.com certificate to include more domains. WIT uses `certbot` in `certonly` and `standalone` mode; this means that we're only using `certbot` to acquire the certificate, not install it and also means that verification will take place using certbot's standalone web server (proxied via HAProxy). + +### Adding Domains to the *.services.wit.com Cert + +Assumptions: +- HAProxy's config still uses the certificate located in `/etc/haproxy/certs/git.services.wit.com.pem` +- HAProxy is still configured to pass traffic coming into tcp/80 to the `letsencrypt-backend` when it matches `path_beg /.well-known/acme-challenge/` +- Traffic for the new domain will be terminated by HAProxy on roberto.wit.com +- Certificate expiry warnings should still be mailed to `adam@wit.com` (see the `--email` flag in the `certbot` command) + +1. Acquire the current list of domains the certificate is responsible for: + `openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text | grep DNS: | sed -e 's/DNS:/ -d /g' -e 's/, //g'` +(this command spits out a list delimeted by ` -d` as these will be passed as arguments to `certbot` + +2. 
Visually inspect the list to ensure the list looks correct. (Consider comparing to the certificate for an existing *.services.wit.com) + +3. Run certbot, naming the **git.services.wit.com** cert as the one to be updated, and providing the **entire list of domains the cert should be valid for** + + `certbot certonly --standalone --cert-name git.services.wit.com -d git.services.wit.com -d chat.services.wit.com -d dashboard.services.wit.com -d git.wit.com -d k8s-dashboard-afrank.services.wit.com -d mirrors.services.wit.com -d mirrors.wit.com -d owncloud.services.wit.com -d registry.services.wit.com -d wordpress.services.wit.com -d wekan.services.wit.com --agree-tos --email afrank@wit.com --http-01-port=54321 --preferred-challenges http` + +At this point you should see certbot making a number of challenges (doing domain ownership verification), and then a "**Congratulations!**" message telling you the certs have been updated. + + +4. Backup the current certificate: `cp /etc/haproxy/certs/git.services.wit.com{,.bak$(date +%s)}` + +5. Combine the certificate chain and the private key. HAProxy requires a full chain+key for its SSL configuration: + +`cat /etc/letsencrypt/live/git.services.wit.com/fullchain.pem /etc/letsencrypt/live/git.services.wit.com/privkey.pem > /etc/haproxy/certs/git.services.wit.com.pem` + +6. Reload HAproxy `service haproxy reload` + +7. Test. Test both that your new service is accepting SSL connections, as well as existing services **remain** accepting SSL connections. From dac363d087ed3e95e1ddad085fc3f19d38d57035 Mon Sep 17 00:00:00 2001 From: Tim Sogard Date: Wed, 9 May 2018 22:21:30 -0400 Subject: [PATCH 2/5] Formatting --- letsencrypt/README.md | 48 +++++++++++++++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 11 deletions(-) diff --git a/letsencrypt/README.md b/letsencrypt/README.md index 23a6999..a9333b5 100644 --- a/letsencrypt/README.md +++ b/letsencrypt/README.md 
@@ -6,35 +6,61 @@ Let's Encrypt distributes a script for automating the CSR creation, domain valid ## Using Let's Encrypt at WIT -Currently all SSL/TLS traffic to WIT services is terminated on roberto.wit.com via HAProxy. The `certbot` script is present on roberto and can be used in the following manner to acquire additional certificates, or to upgrade the existing *.services.wit.com certificate to include more domains. WIT uses `certbot` in `certonly` and `standalone` mode; this means that we're only using `certbot` to acquire the certificate, not install it and also means that verification will take place using certbot's standalone web server (proxied via HAProxy). +Currently all SSL/TLS traffic to WIT services is terminated on roberto.wit.com via HAProxy. The `certbot` script is present on roberto and can be used in the following manner to acquire additional certificates, or to upgrade the existing *.services.wit.com certificate to include more domains. WIT uses `certbot` in `certonly` and `standalone` mode; this means that we're only using `certbot` to acquire the certificate, not install it. It also means that verification will take place using certbot's standalone web server (proxied via HAProxy). ### Adding Domains to the *.services.wit.com Cert Assumptions: - HAProxy's config still uses the certificate located in `/etc/haproxy/certs/git.services.wit.com.pem` -- HAProxy is still configured to pass traffic coming into tcp/80 to the `letsencrypt-backend` when it matches `path_beg /.well-known/acme-challenge/` +- HAProxy is still configured to pass 80/tcp traffic matching `path_beg /.well-known/acme-challenge/` to the `letsencrypt-backend` - Traffic for the new domain will be terminated by HAProxy on roberto.wit.com -- Certificate expiry warnings should still be mailed to `adam@wit.com` (see the `--email` flag in the `certbot` command) + +To update the certificate modify the list of domain arguments (`-d foo.com`) below and use the following process: 1. 
Acquire the current list of domains the certificate is responsible for: - `openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text | grep DNS: | sed -e 's/DNS:/ -d /g' -e 's/, //g'` +``` +openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text \ + | grep DNS: \ + | sed -e 's/^\s*//' -e 's/DNS:/ -d /g' -e 's/, / \\\n/g' +``` + (this command spits out a list delimeted by ` -d` as these will be passed as arguments to `certbot` 2. Visually inspect the list to ensure the list looks correct. (Consider comparing to the certificate for an existing *.services.wit.com) 3. Run certbot, naming the **git.services.wit.com** cert as the one to be updated, and providing the **entire list of domains the cert should be valid for** - `certbot certonly --standalone --cert-name git.services.wit.com -d git.services.wit.com -d chat.services.wit.com -d dashboard.services.wit.com -d git.wit.com -d k8s-dashboard-afrank.services.wit.com -d mirrors.services.wit.com -d mirrors.wit.com -d owncloud.services.wit.com -d registry.services.wit.com -d wordpress.services.wit.com -d wekan.services.wit.com --agree-tos --email afrank@wit.com --http-01-port=54321 --preferred-challenges http` +``` +certbot certonly \ + --standalone \ + --cert-name git.services.wit.com \ + + + --agree-tos \ + --email afrank@wit.com \ + --http-01-port=54321 \ + --preferred-challenges http +``` -At this point you should see certbot making a number of challenges (doing domain ownership verification), and then a "**Congratulations!**" message telling you the certs have been updated. + At this point you should see certbot making a number of challenges (doing domain ownership verification), and then a "**Congratulations!**" message telling you the certs have been updated. -4. Backup the current certificate: `cp /etc/haproxy/certs/git.services.wit.com{,.bak$(date +%s)}` +4. Backup the current certificate: +``` +cp /etc/haproxy/certs/git.services.wit.com{,.bak.$(date +%s)} +``` -5. 
Combine the certificate chain and the private key. HAProxy requires a full chain+key for its SSL configuration: +5. Combine the certificate chain and the private key. HAProxy requires a full certificate chain+key for its SSL configuration: -`cat /etc/letsencrypt/live/git.services.wit.com/fullchain.pem /etc/letsencrypt/live/git.services.wit.com/privkey.pem > /etc/haproxy/certs/git.services.wit.com.pem` +``` +cat /etc/letsencrypt/live/git.services.wit.com/fullchain.pem \ + /etc/letsencrypt/live/git.services.wit.com/privkey.pem \ + > /etc/haproxy/certs/git.services.wit.com.pem` +``` -6. Reload HAproxy `service haproxy reload` +6. Reload HAproxy +``` +service haproxy reload +``` -7. Test. Test both that your new service is accepting SSL connections, as well as existing services **remain** accepting SSL connections. +7. Test both that your new service is accepting SSL connections, as well as existing services **remain** accepting SSL connections. From 8531f1aebd5b7ba2c75f1f2294a0cd03d9d05576 Mon Sep 17 00:00:00 2001 From: Tim Sogard Date: Wed, 9 May 2018 22:28:09 -0400 Subject: [PATCH 3/5] Formatting --- letsencrypt/README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/letsencrypt/README.md b/letsencrypt/README.md index a9333b5..40c55ad 100644 --- a/letsencrypt/README.md +++ b/letsencrypt/README.md 
@@ -17,18 +17,16 @@ Assumptions: To update the certificate modify the list of domain arguments (`-d foo.com`) below and use the following process: -1. Acquire the current list of domains the certificate is responsible for: +1. Acquire the list of domains the **current certificate** is responsible for formatted as arguments to `certbot`: ``` openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text \ | grep DNS: \ | sed -e 's/^\s*//' -e 's/DNS:/ -d /g' -e 's/, / \\\n/g' ``` -(this command spits out a list delimeted by ` -d` as these will be passed as arguments to `certbot` +2. Visually inspect the list to ensure the list looks correct. Ensure that the original certs common name is covered. -2. Visually inspect the list to ensure the list looks correct. (Consider comparing to the certificate for an existing *.services.wit.com) - -3. Run certbot, naming the **git.services.wit.com** cert as the one to be updated, and providing the **entire list of domains the cert should be valid for** +3. Run certbot, naming the **git.services.wit.com** cert as the one to be updated, and providing the **full list of domains the cert covers** ``` certbot certonly \ @@ -42,7 +40,7 @@ certbot certonly \ --preferred-challenges http ``` - At this point you should see certbot making a number of challenges (doing domain ownership verification), and then a "**Congratulations!**" message telling you the certs have been updated. +At this point you should see certbot making a number of challenges (domain ownership verifications), and then a "**Congratulations!**" message telling you the certs have been updated. 4. Backup the current certificate: From 88adb9e381b3c7de7633828bfa1574bdc352d4fc Mon Sep 17 00:00:00 2001 From: Tim Sogard Date: Wed, 9 May 2018 22:29:41 -0400 Subject: [PATCH 4/5] Fix numbering for Gogs vs Github flavored markdown --- letsencrypt/README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/letsencrypt/README.md b/letsencrypt/README.md index 40c55ad..5af69dd 100644 --- a/letsencrypt/README.md +++ b/letsencrypt/README.md @@ -17,16 +17,16 @@ Assumptions: To update the certificate modify the list of domain arguments (`-d foo.com`) below and use the following process: -1. Acquire the list of domains the **current certificate** is responsible for formatted as arguments to `certbot`: +1) Acquire the list of domains the **current certificate** is responsible for formatted as arguments to `certbot`: ``` openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text \ | grep DNS: \ | sed -e 's/^\s*//' -e 's/DNS:/ -d /g' -e 's/, / \\\n/g' ``` -2. Visually inspect the list to ensure the list looks correct. Ensure that the original certs common name is covered. +2) Visually inspect the list to ensure the list looks correct. Ensure that the original certs common name is covered. -3. Run certbot, naming the **git.services.wit.com** cert as the one to be updated, and providing the **full list of domains the cert covers** +3) Run certbot, naming the **git.services.wit.com** cert as the one to be updated, and providing the **full list of domains the cert covers** ``` certbot certonly \ @@ -43,12 +43,12 @@ certbot certonly \ At this point you should see certbot making a number of challenges (domain ownership verifications), and then a "**Congratulations!**" message telling you the certs have been updated. -4. Backup the current certificate: +4) Backup the current certificate: ``` cp /etc/haproxy/certs/git.services.wit.com{,.bak.$(date +%s)} ``` -5. Combine the certificate chain and the private key. HAProxy requires a full certificate chain+key for its SSL configuration: +5) Combine the certificate chain and the private key. HAProxy requires a full certificate chain+key for its SSL configuration: ``` cat /etc/letsencrypt/live/git.services.wit.com/fullchain.pem \ 
@@ -56,9 +56,9 @@ cat /etc/letsencrypt/live/git.services.wit.com/fullchain.pem \ > /etc/haproxy/certs/git.services.wit.com.pem` ``` -6. Reload HAproxy +6) Reload HAproxy ``` service haproxy reload ``` -7. Test both that your new service is accepting SSL connections, as well as existing services **remain** accepting SSL connections. +7) Test both that your new service is accepting SSL connections, as well as existing services **remain** accepting SSL connections. From 3dedd28b5d3143b0ed5ea551a459f466547c990a Mon Sep 17 00:00:00 2001 From: Tim Sogard Date: Wed, 9 May 2018 22:31:26 -0400 Subject: [PATCH 5/5] Too many words --- letsencrypt/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt/README.md b/letsencrypt/README.md index 5af69dd..c868499 100644 --- a/letsencrypt/README.md +++ b/letsencrypt/README.md @@ -24,7 +24,7 @@ openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text \ | sed -e 's/^\s*//' -e 's/DNS:/ -d /g' -e 's/, / \\\n/g' ``` -2) Visually inspect the list to ensure the list looks correct. Ensure that the original certs common name is covered. +2) Visually inspect the list for correctness. Ensure that the original certs common name is covered. 3) Run certbot, naming the **git.services.wit.com** cert as the one to be updated, and providing the **full list of domains the cert covers**
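Review bot: In PATCH 1/5 (the hunk creating letsencrypt/README.md), step 4 backs up the wrong path: `cp /etc/haproxy/certs/git.services.wit.com{,.bak$(date +%s)}` expands to a filename without the `.pem` suffix, while the assumptions list and step 5 both name `/etc/haproxy/certs/git.services.wit.com.pem` as the file HAProxy reads. The copy fails with "No such file" and step 5 then overwrites the live bundle with no backup; use `cp /etc/haproxy/certs/git.services.wit.com.pem{,.bak.$(date +%s)}`. In the same hunk the assumptions say expiry warnings are mailed to `adam@wit.com`, but the command passes `--email afrank@wit.com`; pick one. Step 5 also writes the private key into the bundle through a plain `>` redirect, so if the target does not already exist it is created under the caller's umask; suggest `umask 077` first, or write to a temp file with `install -m 0600` and `mv` it into place, so the key is never readable by other users and HAProxy never reloads a half-written bundle. Minor: "delimeted" should be "delimited", and the parenthetical after step 1 is never closed.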
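Review bot: In PATCH 2/5, the reflowed `certbot certonly` block drops every `-d` argument and leaves `--cert-name git.services.wit.com \` followed by two blank lines. The trailing backslash joins the first blank line, so a paste runs `certbot certonly --standalone --cert-name git.services.wit.com` with no domains, and then `--agree-tos --email afrank@wit.com --http-01-port=54321 --preferred-challenges http` as a second, separate command. The new intro says to "modify the list of domain arguments (`-d foo.com`) below", but there is nothing left below to modify; restore the `-d` lines (the step 1 sed now emits them with `\` continuations, so its output drops straight in). In the same hunk, the step 5 block ends with a stray backtick after `> /etc/haproxy/certs/git.services.wit.com.pem`, which becomes part of the filename if copied, and removing the `adam@wit.com` assumption leaves `--email afrank@wit.com` unexplained; say which mailbox receives expiry notices. The backup in step 4 still omits `.pem`.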
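Review bot: In PATCH 3/5, first hunk: the new step 2 check "Ensure that the original certs common name is covered" is the right one but should say how to satisfy it. certbot takes the first `-d` value as the certificate's common name, so with `--cert-name git.services.wit.com` the first `-d` must stay `git.services.wit.com` (as it is in the original command); the step 1 sed only happens to emit it first because it is first in the existing SAN list. Spell "certs" as "cert's". Step 1's new lead-in says the output is "formatted as arguments to `certbot`", but the sed leaves a leading space on each line and no `\` on the last one; harmless, but worth a sentence so the reader is not surprised.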
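Review bot: In PATCH 4/5, second hunk (`@@ -43,12 +43,12 @@`): the context line `cp /etc/haproxy/certs/git.services.wit.com{,.bak.$(date +%s)}` is touched again here for the numbering change but still backs up a path without `.pem`; since the hunk already rewrites step 4, fix the path in the same change rather than leaving the series with a backup step that cannot succeed.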
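Review bot: In PATCH 4/5, third hunk (`@@ -56,9 +56,9 @@`): the unchanged context line `> /etc/haproxy/certs/git.services.wit.com.pem\`` still carries the stray backtick from PATCH 2/5, and the series ends without removing it; this hunk is already editing steps 6 and 7, so fold the fix in here. Step 7 still says only "Test" without a command; suggest `openssl s_client -connect roberto.wit.com:443 -servername <domain> </dev/null | openssl x509 -noout -dates -ext subjectAltName` for each name, which shows both the certificate served for that SNI and whether every existing name survived the reissue.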
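Review bot: In PATCH 5/5, "original certs common name" still needs the apostrophe ("cert's"); since this hunk rewrites that sentence anyway, fix it here.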