jcarr
/
wit-letsencrypt
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
wit-letsencrypt/letsencrypt/README.md

67 lines
3.1 KiB
Markdown
Raw Permalink Blame History

# Lets Encrypt
[Let's Encrypt](https://letsencrypt.org/) is an [ISRG](https://en.wikipedia.org/wiki/Internet_Security_Research_Group) project to provide free TLS certificates in an automated fashion.
Let's Encrypt distributes a script for automating the CSR creation, domain validation, and certification acquisition process for acquiring TLS certificates. This script, `certbot` can be run from systems intended to be secured and automate the installation into common HTTP servers; or work in more passive modes simply for certificate acquisition.
## Using Let's Encrypt at WIT
Currently all SSL/TLS traffic to WIT services is terminated on roberto.wit.com via HAProxy. The `certbot` script is present on roberto and can be used in the following manner to acquire additional certificates, or to upgrade the existing *.services.wit.com certificate to include more domains. WIT uses `certbot` in `certonly` and `standalone` mode; this means that we're only using `certbot` to acquire the certificate, not install it. It also means that verification will take place using certbot's standalone web server (proxied via HAProxy).
### Adding Domains to the *.services.wit.com Cert
Assumptions:
- HAProxy's config still uses the certificate located in `/etc/haproxy/certs/git.services.wit.com.pem`
- HAProxy is still configured to pass 80/tcp traffic matching `path_beg /.well-known/acme-challenge/` to the `letsencrypt-backend`
- Traffic for the new domain will be terminated by HAProxy on roberto.wit.com
**Note:** Run the following as `root` on roberto.
To update the certificate modify the list of domain arguments (`-d foo.com`) below and use the following process:
1) Acquire the list of domains the **current certificate** is responsible for formatted as arguments to `certbot`:
```
openssl x509 -in /etc/haproxy/certs/git.services.wit.com.pem -noout -text \
| grep DNS: \
| sed -e 's/^\s*//' -e 's/DNS:/ -d /g' -e 's/, / \\\n/g'
```
2) Visually inspect the list for correctness. Ensure that the original certs common name is covered.
3) Run certbot, naming the **git.services.wit.com** cert as the one to be updated, and providing the **full list of domains the cert covers**
```
certbot certonly \
--standalone \
--cert-name git.services.wit.com \
<DOMAINS FROM STEP 1>
<NEW DOMAINS TO BE ADDED>
--agree-tos \
--email afrank@wit.com \
--http-01-port=54321 \
--preferred-challenges http
```
At this point you should see certbot making a number of challenges (domain ownership verifications), and then a "**Congratulations!**" message telling you the certs have been updated.
4) Backup the current certificate:
```
cp /etc/haproxy/certs/git.services.wit.com.pem{,.bak.$(date +%s)}
```
5) Combine the certificate chain and the private key. HAProxy requires a full certificate chain+key for its SSL configuration:
```
cat /etc/letsencrypt/live/git.services.wit.com/fullchain.pem \
/etc/letsencrypt/live/git.services.wit.com/privkey.pem \
> /etc/haproxy/certs/git.services.wit.com.pem
```
6) Reload HAproxy
```
service haproxy reload
```
7) Test both that your new service is accepting SSL connections, as well as existing services **remain** accepting SSL connections.
Reference in New Issue View Git Blame Copy Permalink