Merge branch 'tim/doc-letsencrypt' of wit/ops into master
commit c0ab598c25
@ -0,0 +1,64 @@
# Lets Encrypt
[Let's Encrypt](https://letsencrypt.org/) is an [ISRG](https://en.wikipedia.org/wiki/Internet_Security_Research_Group) project to provide free TLS certificates in an automated fashion.
Let's Encrypt distributes a script for automating the CSR creation, domain validation, and certification acquisition process for acquiring TLS certificates. This script, `certbot` can be run from systems intended to be secured and automate the installation into common HTTP servers; or work in more passive modes simply for certificate acquisition.
## Using Let's Encrypt at WIT
Currently all SSL/TLS traffic to WIT services is terminated on roberto.wit.com via HAProxy. The `certbot` script is present on roberto and can be used in the following manner to acquire additional certificates, or to upgrade the existing *.services.wit.com certificate to include more domains. WIT uses `certbot` in `certonly` and `standalone` mode; this means that we're only using `certbot` to acquire the certificate, not install it. It also means that verification will take place using certbot's standalone web server (proxied via HAProxy).
### Adding Domains to the *.services.wit.com Cert
Assumptions:
- HAProxy's config still uses the certificate located in `/etc/haproxy/certs/git.services.wit.com.pem`
- HAProxy is still configured to pass 80/tcp traffic matching `path_beg /.well-known/acme-challenge/` to the `letsencrypt-backend`
- Traffic for the new domain will be terminated by HAProxy on roberto.wit.com
To update the certificate modify the list of domain arguments (`-d foo.com`) below and use the following process:
1) Acquire the list of domains the **current certificate** is responsible for formatted as arguments to `certbot`:
```
openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text \
| grep DNS: \
| sed -e 's/^\s*//' -e 's/DNS:/ -d /g' -e 's/, / \\\n/g'
```
2) Visually inspect the list for correctness. Ensure that the original certs common name is covered.
3) Run certbot, naming the **git.services.wit.com** cert as the one to be updated, and providing the **full list of domains the cert covers**
```
certbot certonly \
--standalone \
--cert-name git.services.wit.com \
<DOMAINS FROM STEP 1>
<NEW DOMAINS TO BE ADDED>
--agree-tos \
--email afrank@wit.com \
--http-01-port=54321 \
--preferred-challenges http
```
At this point you should see certbot making a number of challenges (domain ownership verifications), and then a "**Congratulations!**" message telling you the certs have been updated.
4) Backup the current certificate:
```
cp /etc/haproxy/certs/git.services.wit.com{,.bak.$(date +%s)}
```
5) Combine the certificate chain and the private key. HAProxy requires a full certificate chain+key for its SSL configuration:
```
cat /etc/letsencrypt/live/git.services.wit.com/fullchain.pem \
/etc/letsencrypt/live/git.services.wit.com/privkey.pem \
> /etc/haproxy/certs/git.services.wit.com.pem`
```
6) Reload HAproxy
```
service haproxy reload
```
7) Test both that your new service is accepting SSL connections, as well as existing services **remain** accepting SSL connections.
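Review bot: the two commands that touch the live HAProxy certificate (steps 4 and 5) will both fail as written, and because step 4 is the backup, the failure mode is "no backup, then the cert file is clobbered". In step 4, `cp /etc/haproxy/certs/git.services.wit.com{,.bak.$(date +%s)}` brace-expands to `/etc/haproxy/certs/git.services.wit.com`, which is not the file the assumptions name (`git.services.wit.com.pem`), so `cp` exits with "No such file or directory" and nothing is backed up; the brace should wrap the `.pem` name, e.g. `cp /etc/haproxy/certs/git.services.wit.com.pem{,.bak.$(date +%s)}`. In step 5 the redirection line `> /etc/haproxy/certs/git.services.wit.com.pem\`` ends in a stray unquoted backtick, which bash reads as the start of a command substitution and aborts with "unexpected EOF while looking for matching `", so the combined chain+key file is never written; drop the backtick. Step 5 also needs a permissions line: `cat ... > file` creates the file under the caller's umask and the file contains `privkey.pem`, so the doc should run the concatenation under `umask 077` (or `chmod 600` the result) before the reload in step 6. Finally, step 7 gives no concrete check; in the same style as step 1, something like `openssl s_client -connect roberto.wit.com:443 -servername <domain> </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:` run for one new name and one existing name would make the verification repeatable and would also catch the case where certbot succeeded but HAProxy reloaded the old file.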