Let's Encrypt
Let's Encrypt is an ISRG project that provides free TLS certificates in an automated fashion.
The recommended Let's Encrypt client, certbot, automates CSR creation, domain validation and certificate acquisition. certbot can be run on the systems that are to be secured and install the certificate into common HTTP servers, or it can work in more passive modes that only acquire the certificate.
Using Let's Encrypt at WIT
Currently all SSL/TLS traffic to WIT services is terminated on roberto.wit.com via HAProxy. The certbot script is present on roberto and can be used as follows to acquire additional certificates, or to extend the existing *.services.wit.com certificate to cover more domains. WIT runs certbot in certonly and standalone mode: certbot is only used to acquire the certificate, not to install it, and domain validation takes place against certbot's standalone web server, to which HAProxy proxies the ACME challenge requests.
Adding Domains to the *.services.wit.com Cert
Assumptions:
- HAProxy's config still uses the certificate located in /etc/haproxy/certs/git.services.wit.com.pem
- HAProxy is still configured to pass 80/tcp traffic matching path_beg /.well-known/acme-challenge/ to the letsencrypt-backend
- Traffic for the new domain will be terminated by HAProxy on roberto.wit.com
Note: run the following as root on roberto.
To update the certificate, modify the list of domain arguments (-d foo.com) below and use the following process:
- Acquire the list of domains the current certificate covers, formatted as certbot arguments:
openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text \
| grep DNS: \
| sed -e 's/^\s*//' -e 's/DNS:/ -d /g' -e 's/, / \\\n/g'
- Visually inspect the list for correctness. Ensure that the original cert's common name is covered.
- Run certbot, naming the git.services.wit.com cert as the one to be updated and providing the full list of domains the cert should cover (the two placeholder lines stand for one -d argument per domain, each line ending in a backslash):
certbot certonly \
--standalone \
--cert-name git.services.wit.com \
<DOMAINS FROM STEP 1> \
<NEW DOMAINS TO BE ADDED> \
--agree-tos \
--email afrank@wit.com \
--http-01-port=54321 \
--preferred-challenges http
At this point you should see certbot making a number of challenges (domain ownership verifications), and then a "Congratulations!" message telling you the certs have been updated.
- Backup the current certificate:
cp /etc/haproxy/certs/git.services.wit.com.pem{,.bak.$(date +%s)}
- Combine the certificate chain and the private key. HAProxy requires the full certificate chain and the key in a single PEM file. The result contains the private key, so it must stay owned by root and readable only by root (the same mode as privkey.pem), not the mode your umask happens to give a new file:
cat /etc/letsencrypt/live/git.services.wit.com/fullchain.pem \
/etc/letsencrypt/live/git.services.wit.com/privkey.pem \
> /etc/haproxy/certs/git.services.wit.com.pem
- Reload HAProxy:
service haproxy reload
- Test both that the new service accepts TLS connections and that the existing services still do.
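The whole procedure above wrapped in one POSIX shell script, as an added example (this is not WIT's own script and is not part of the original page). The cert name, paths, e-mail address, challenge port and certbot flags are the ones the page gives; the confirmation prompt, the deduplication of names, the chmod 600 on the combined PEM, the atomic move into place, and the final openssl s_client check (which assumes OpenSSL 1.1 or newer for -verify_hostname) are assumptions about how you would want to run it, not things the page states.

```shell
#!/bin/sh
# Added example, not WIT's script: the manual steps from the page as one
# POSIX sh script. Values copied from the page: CERT_NAME, HAPROXY_PEM,
# LIVE_DIR, EMAIL, HTTP01_PORT and the certbot flags. The prompt, the
# chmod/mv handling and the s_client check are this example's additions.
set -eu

CERT_NAME="git.services.wit.com"
HAPROXY_PEM="/etc/haproxy/certs/${CERT_NAME}.pem"
LIVE_DIR="/etc/letsencrypt/live/${CERT_NAME}"
EMAIL="afrank@wit.com"
HTTP01_PORT=54321

# Read `openssl x509 -noout -text` output on stdin and print one "-d name"
# line per DNS SAN (same transformation as the sed pipeline on the page;
# non-DNS SAN types such as IP addresses are dropped).
san_to_domain_args() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:/-d /p'
}

# Drop duplicate lines while preserving order, so a name that is both on the
# current cert and on the command line is requested only once.
merge_domains() {
    awk '!seen[$0]++'
}

# The names the live HAProxy cert currently covers, as certbot arguments.
current_domain_args() {
    openssl x509 -in "$HAPROXY_PEM" -noout -text | san_to_domain_args
}

# Back up the old PEM, then build the chain+key file HAProxy expects. It holds
# the private key, so it is written with mode 600 in a temp file and moved
# into place atomically instead of being created with the default umask.
install_haproxy_pem() {
    tmp="$(mktemp "${HAPROXY_PEM}.XXXXXX")"
    cp "$HAPROXY_PEM" "${HAPROXY_PEM}.bak.$(date +%s)"
    cat "${LIVE_DIR}/fullchain.pem" "${LIVE_DIR}/privkey.pem" > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$HAPROXY_PEM"
}

# Verify that HAProxy serves a chain that validates for the given name
# (assumes OpenSSL >= 1.1, which added -verify_hostname).
check_tls() {
    openssl s_client -connect "$1:443" -servername "$1" \
        -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

main() {
    # Step 1: current names plus the new ones, deduplicated.
    domain_args="$( { current_domain_args; printf '%s\n' "$@" | sed 's/^/-d /'; } | merge_domains )"

    # Step 2: the "visually inspect" step; nothing is touched until confirmed.
    printf '%s\n' "$domain_args"
    printf 'Request a certificate for the names above? [y/N] '
    read -r answer
    [ "$answer" = "y" ] || exit 1

    # Step 3: certbot in certonly + standalone mode with the page's flags.
    # $domain_args is deliberately unquoted so it splits into -d/name pairs;
    # set -f keeps the shell from glob-expanding any wildcard name.
    set -f
    # shellcheck disable=SC2086
    certbot certonly \
        --standalone \
        --cert-name "$CERT_NAME" \
        $domain_args \
        --agree-tos \
        --email "$EMAIL" \
        --http-01-port="$HTTP01_PORT" \
        --preferred-challenges http
    set +f

    # Steps 4 to 6: backup, combine chain+key, reload.
    install_haproxy_pem
    service haproxy reload

    # Step 7: check the new names and every name that was already on the cert.
    for d in $(printf '%s\n' "$domain_args" | sed 's/^-d //'); do
        if check_tls "$d"; then echo "OK   $d"; else echo "FAIL $d"; fi
    done
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 new.domain [more.new.domains ...]" >&2
fi
```

Run it as root on roberto with the new domain names as arguments, e.g. `./le-extend.sh wiki.services.wit.com`. The parsing and merging are kept in their own functions so they can be exercised against a pasted SAN line without touching certbot or HAProxy.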