# Let's Encrypt

[Let's Encrypt](https://letsencrypt.org/) is an [ISRG](https://en.wikipedia.org/wiki/Internet_Security_Research_Group) project to provide free TLS certificates in an automated fashion. Let's Encrypt distributes a script, `certbot`, that automates CSR creation, domain validation, and certificate acquisition. `certbot` can be run on the systems to be secured and install certificates directly into common HTTP servers, or it can work in more passive modes purely for certificate acquisition.

## Using Let's Encrypt at WIT

Currently all SSL/TLS traffic to WIT services is terminated on roberto.wit.com via HAProxy. The `certbot` script is present on roberto and can be used in the following manner to acquire additional certificates, or to upgrade the existing *.services.wit.com certificate to include more domains.

WIT uses `certbot` in `certonly` and `standalone` mode; this means that we're only using `certbot` to acquire the certificate, not install it. It also means that domain verification takes place against certbot's standalone web server (proxied via HAProxy).

### Adding Domains to the *.services.wit.com Cert

Assumptions:

- HAProxy's config still uses the certificate located in `/etc/haproxy/certs/git.services.wit.com.pem`
- HAProxy is still configured to pass 80/tcp traffic matching `path_beg /.well-known/acme-challenge/` to the `letsencrypt-backend`
- Traffic for the new domain will be terminated by HAProxy on roberto.wit.com

To update the certificate, modify the list of domain arguments (`-d foo.com`) below and use the following process:

1. Acquire the current list of domains the certificate is responsible for:

   ```
   openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text \
     | grep DNS: \
     | sed -e 's/^\s*//' -e 's/DNS:/ -d /g' -e 's/, / \\\n/g'
   ```

   (This command prints the domains as a list of ` -d` arguments, one per line and backslash-continued, so they can be passed straight to `certbot` in step 3.)

2. Visually inspect the list to ensure it looks correct. (Consider comparing it to the certificate for an existing *.services.wit.com service.)

3. Run certbot, naming the **git.services.wit.com** cert as the one to be updated, and providing the **entire list of domains the cert should be valid for** (the existing list from step 1 plus the new domain; the two `-d` lines below are placeholders for that list):

   ```
   certbot certonly \
     --standalone \
     --cert-name git.services.wit.com \
     -d git.services.wit.com \
     -d NEW-DOMAIN.services.wit.com \
     --agree-tos \
     --email afrank@wit.com \
     --http-01-port=54321 \
     --preferred-challenges http
   ```

   At this point you should see certbot making a number of challenges (doing domain ownership verification), and then a "**Congratulations!**" message telling you the certs have been updated.

4. Back up the current certificate (the file HAProxy loads is the `.pem`, so that is what gets copied):

   ```
   cp /etc/haproxy/certs/git.services.wit.com.pem{,.bak.$(date +%s)}
   ```

5. Combine the certificate chain and the private key. HAProxy requires the full certificate chain and the key in a single file for its SSL configuration:

   ```
   cat /etc/letsencrypt/live/git.services.wit.com/fullchain.pem \
       /etc/letsencrypt/live/git.services.wit.com/privkey.pem \
       > /etc/haproxy/certs/git.services.wit.com.pem
   ```

6. Reload HAProxy:

   ```
   service haproxy reload
   ```

7. Test both that your new service is accepting SSL connections, and that existing services **remain** accepting SSL connections.
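The following script is an added example for the procedure above; it is not part of this wiki page, of certbot or of HAProxy. It wraps steps 4, 5 and 7: it refuses to write the combined HAProxy file when `fullchain.pem` or `privkey.pem` is not the kind of PEM it should be (a truncated or swapped file only shows up as a failed reload otherwise), and it performs the step-7 check as a real TLS handshake per hostname, reporting SAN coverage and remaining validity. The paths are the ones named in the procedure; the script name `check_services.py`, the `SAMPLE_*` data (dummy PEM bodies and a `getpeercert()`-shaped dict) and the hostname `new.services.wit.com` are assumptions made for this example.

```python
"""Added helper for the WIT certificate procedure (not the wiki's, certbot's or
HAProxy's code): validate the chain+key file, then check the live endpoints."""
import re
import shutil
import socket
import ssl
import sys
import time
from pathlib import Path

LIVE_DIR = "/etc/letsencrypt/live/git.services.wit.com"      # from step 5
HAPROXY_PEM = "/etc/haproxy/certs/git.services.wit.com.pem"  # from the assumptions

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample data for offline use; the base64 bodies are dummies.
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nCCCC\n-----END PRIVATE KEY-----\n"
SAMPLE_CERT = {  # shape of ssl.SSLSocket.getpeercert(); values are constructed
    "subjectAltName": (("DNS", "git.services.wit.com"), ("DNS", "*.services.wit.com")),
    "notAfter": "Jan 15 12:00:00 2030 GMT",
}

def pem_labels(text):
    """BEGIN labels of the PEM blocks in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def build_haproxy_pem(fullchain, privkey):
    """Step 5 as a function: chain first, then key, after checking that each
    input is what it claims to be."""
    chain_labels = pem_labels(fullchain)
    if not chain_labels or set(chain_labels) != {"CERTIFICATE"}:
        raise ValueError("fullchain.pem must contain only CERTIFICATE blocks")
    key_labels = pem_labels(privkey)
    if len(key_labels) != 1 or key_labels[0] not in KEY_LABELS:
        raise ValueError("privkey.pem must contain exactly one private key block")
    return fullchain.rstrip("\n") + "\n" + privkey.rstrip("\n") + "\n"

def is_valid_pair(fullchain, privkey):
    """True if build_haproxy_pem would accept these inputs."""
    try:
        build_haproxy_pem(fullchain, privkey)
        return True
    except ValueError:
        return False

def install_haproxy_pem(live_dir=LIVE_DIR, out_path=HAPROXY_PEM):
    """Steps 4 and 5 together: back up the current file, then write the new one."""
    live, out = Path(live_dir), Path(out_path)
    combined = build_haproxy_pem((live / "fullchain.pem").read_text(),
                                 (live / "privkey.pem").read_text())
    if out.exists():
        shutil.copy2(out, f"{out}.bak.{int(time.time())}")  # same naming as step 4
    out.write_text(combined)
    out.chmod(0o600)  # the file now holds the private key
    return str(out)

def san_dns_names(cert):
    """DNS entries of the subjectAltName from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """Exact match, or a wildcard that replaces exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False

def cert_covers(cert, hostname):
    return any(name_matches(name, hostname) for name in san_dns_names(cert))

def days_left(cert, now=None):
    """Days until notAfter; negative means the certificate has already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def check_tls(hostname, port=443, timeout=5.0):
    """Step 7 as a function: a real handshake against the system trust store,
    then SAN coverage and remaining validity for this hostname."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert, protocol = tls.getpeercert(), tls.version()
    except OSError as exc:  # ssl.SSLError is an OSError: refused, bad chain, name mismatch
        return {"host": hostname, "ok": False, "error": str(exc)}
    return {"host": hostname, "ok": cert_covers(cert, hostname), "protocol": protocol,
            "days_left": round(days_left(cert), 1), "san": san_dns_names(cert)}

if __name__ == "__main__":
    # usage: python3 check_services.py git.services.wit.com new.services.wit.com
    for host in sys.argv[1:]:
        print(check_tls(host))
```

Run it once with the new hostname and once with every hostname that was already on the certificate; a `"ok": False` entry for an existing service after the reload means the new `.pem` dropped a name (step 1 list incomplete) or HAProxy could not load the file, and the `.bak` copy from step 4 is the rollback.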