https://agora.nasqueron.org/api.php?action=feedcontributions&feedformat=atom&user=DorianWintyNasqueron Agora - User contributions [en]2026-06-04T21:20:02ZUser contributionsMediaWiki 1.46.0-alphahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1929Operations grimoire/TLS certificates2025-05-20T19:38:56Z<p>DorianWinty: /* improved command */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
acme.sh --install-cert -d exemple.nasqueron.org \<br />
--cert-file /var/certificates/exemple.nasqueron.org/cert.pem \<br />
--key-file /var/certificates/exemple.nasqueron.org/key.pem \<br />
--fullchain-file /var/certificates/exemple.nasqueron.org/fullchain.pem \<br />
--ca-file /var/certificates/exemple.nasqueron.org/chain.pem<br />
<br />
===== improved command =====<br />
<br />
sudo su acme<br />
<br />
export domain="exemple.nasqueron.org"<br />
<br />
mkdir /var/certificates/$domain<br />
<br />
acme.sh --install-cert -d $domain \<br />
--cert-file /var/certificates/$domain/cert.pem \<br />
--key-file /var/certificates/$domain/key.pem \<br />
--ca-file /var/certificates/$domain/chain.pem \<br />
--fullchain-file /var/certificates/$domain/fullchain.pem<br />
<br />
==== on nginx ====<br />
<br />
Le_ReloadCmd='sudo acmesh-nginxCheck'<br />
<br />
doit être mis dans le fichier de configuration pour le certificat ou ajouter la commande<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
=== Migration to acme.sh ===<br />
==== Paths to update ====<br />
<br />
Paths from /usr/local/etc/letsencrypt or /etc/letsencrypt (OS-dependant path) needs to be updated to /var/certificates (cross-platform path). The private key file is only `key.pem` instead of `privkey.pem`.<br />
<br />
An example is available on https://devcentral.nasqueron.org/D3624<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1928Operations grimoire/TLS certificates2025-05-20T19:38:09Z<p>DorianWinty: /* improved command */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
acme.sh --install-cert -d exemple.nasqueron.org \<br />
--cert-file /var/certificates/exemple.nasqueron.org/cert.pem \<br />
--key-file /var/certificates/exemple.nasqueron.org/key.pem \<br />
--fullchain-file /var/certificates/exemple.nasqueron.org/fullchain.pem \<br />
--ca-file /var/certificates/exemple.nasqueron.org/chain.pem<br />
<br />
===== improved command =====<br />
<br />
sudo su acme<br />
<br />
export domain="exemple.nasqueron.org"<br />
<br />
mkdir /var/certificates/$domain<br />
<br />
acme.sh --install-cert -d $domain \<br />
--cert-file /var/certificates/$domain/cert.pem \<br />
--key-file /var/certificates/$domain/key.pem \<br />
--fullchain-file /var/certificates/$domain/fullchain.pem \<br />
--ca-file /var/certificates/$domain/chain.pem<br />
<br />
==== on nginx ====<br />
<br />
Le_ReloadCmd='sudo acmesh-nginxCheck'<br />
<br />
doit être mis dans le fichier de configuration pour le certificat ou ajouter la commande<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
=== Migration to acme.sh ===<br />
==== Paths to update ====<br />
<br />
Paths from /usr/local/etc/letsencrypt or /etc/letsencrypt (OS-dependant path) needs to be updated to /var/certificates (cross-platform path). The private key file is only `key.pem` instead of `privkey.pem`.<br />
<br />
An example is available on https://devcentral.nasqueron.org/D3624<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1927Operations grimoire/TLS certificates2025-05-20T19:35:09Z<p>DorianWinty: /* Deploying of the certificates */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
acme.sh --install-cert -d exemple.nasqueron.org \<br />
--cert-file /var/certificates/exemple.nasqueron.org/cert.pem \<br />
--key-file /var/certificates/exemple.nasqueron.org/key.pem \<br />
--fullchain-file /var/certificates/exemple.nasqueron.org/fullchain.pem \<br />
--ca-file /var/certificates/exemple.nasqueron.org/chain.pem<br />
<br />
===== improved command =====<br />
<br />
sudo su acme<br />
<br />
export domain="exemple.nasqueron.org"<br />
<br />
mkdir /var/certificates/$domain<br />
<br />
acme.sh --install-cert -d $domain \<br />
--cert-file /var/certificates/$domain/cert.pem \<br />
--key-file /var/certificates/$domain/key.pem \<br />
--fullchain-file /var/certificates/$domain/fullchain.pem<br />
--ca-file /var/certificates/$domain/chain.pem<br />
<br />
==== on nginx ====<br />
<br />
Le_ReloadCmd='sudo acmesh-nginxCheck'<br />
<br />
doit être mis dans le fichier de configuration pour le certificat ou ajouter la commande<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
=== Migration to acme.sh ===<br />
==== Paths to update ====<br />
<br />
Paths from /usr/local/etc/letsencrypt or /etc/letsencrypt (OS-dependant path) needs to be updated to /var/certificates (cross-platform path). The private key file is only `key.pem` instead of `privkey.pem`.<br />
<br />
An example is available on https://devcentral.nasqueron.org/D3624<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1919Operations grimoire/TLS certificates2025-03-12T21:25:27Z<p>DorianWinty: /* on nginx */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
acme.sh --install-cert -d exemple.nasqueron.org \<br />
--cert-file /var/certificates/exemple.nasqueron.org/cert.pem \<br />
--key-file /var/certificates/exemple.nasqueron.org/key.pem \<br />
--fullchain-file /var/certificates/exemple.nasqueron.org/fullchain.pem<br />
<br />
<br />
===== improved command =====<br />
<br />
sudo su acme<br />
<br />
export domain="exemple.nasqueron.org"<br />
<br />
mkdir /var/certificates/$domain<br />
<br />
acme.sh --install-cert -d $domain \<br />
--cert-file /var/certificates/$domain/cert.pem \<br />
--key-file /var/certificates/$domain/key.pem \<br />
--fullchain-file /var/certificates/$domain/fullchain.pem<br />
<br />
==== on nginx ====<br />
<br />
Le_ReloadCmd='sudo acmesh-nginxCheck'<br />
<br />
doit être mis dans le fichier de configuration pour le certificat ou ajouter la commande<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
=== Migration to acme.sh ===<br />
==== Paths to update ====<br />
<br />
Paths from /usr/local/etc/letsencrypt or /etc/letsencrypt (OS-dependant path) needs to be updated to /var/certificates (cross-platform path). The private key file is only `key.pem` instead of `privkey.pem`.<br />
<br />
An example is available on https://devcentral.nasqueron.org/D3624<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1918Operations grimoire/TLS certificates2025-02-10T20:51:54Z<p>DorianWinty: /* Credential lost for a ACME DNS subdomain */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
acme.sh --install-cert -d exemple.nasqueron.org \<br />
--cert-file /var/certificates/exemple.nasqueron.org/cert.pem \<br />
--key-file /var/certificates/exemple.nasqueron.org/key.pem \<br />
--fullchain-file /var/certificates/exemple.nasqueron.org/fullchain.pem<br />
<br />
<br />
===== improved command =====<br />
<br />
sudo su acme<br />
<br />
export domain="exemple.nasqueron.org"<br />
<br />
mkdir /var/certificates/$domain<br />
<br />
acme.sh --install-cert -d $domain \<br />
--cert-file /var/certificates/$domain/cert.pem \<br />
--key-file /var/certificates/$domain/key.pem \<br />
--fullchain-file /var/certificates/$domain/fullchain.pem<br />
<br />
==== on nginx ====<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
=== Migration to acme.sh ===<br />
==== Paths to update ====<br />
<br />
Paths from /usr/local/etc/letsencrypt or /etc/letsencrypt (OS-dependant path) needs to be updated to /var/certificates (cross-platform path). The private key file is only `key.pem` instead of `privkey.pem`.<br />
<br />
An example is available on https://devcentral.nasqueron.org/D3624<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1878Operations grimoire/TLS certificates2024-11-05T20:34:57Z<p>DorianWinty: /* Deploying of the certificates */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
acme.sh --install-cert -d exemple.nasqueron.org \<br />
--cert-file /var/certificates/exemple.nasqueron.org/cert.pem \<br />
--key-file /var/certificates/exemple.nasqueron.org/key.pem \<br />
--fullchain-file /var/certificates/exemple.nasqueron.org/fullchain.pem<br />
<br />
<br />
===== improved command =====<br />
<br />
sudo su acme<br />
<br />
export domain="exemple.nasqueron.org"<br />
<br />
mkdir /var/certificates/$domain<br />
<br />
acme.sh --install-cert -d $domain \<br />
--cert-file /var/certificates/$domain/cert.pem \<br />
--key-file /var/certificates/$domain/key.pem \<br />
--fullchain-file /var/certificates/$domain/fullchain.pem<br />
<br />
==== on nginx ====<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1877Operations grimoire/TLS certificates2024-11-05T20:16:48Z<p>DorianWinty: /* Deploying of the certificates */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
acme.sh --install-cert -d exemple.nasqueron.org \<br />
--cert-file /var/certificates/exemple.nasqueron.org/cert.pem \<br />
--key-file /var/certificates/exemple.nasqueron.org/key.pem \<br />
--fullchain-file /var/certificates/exemple.nasqueron.org/fullchain.pem \<br />
<br />
==== on nginx ====<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1876Operations grimoire/TLS certificates2024-11-05T20:01:19Z<p>DorianWinty: /* Deploying of the certificates */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
acme.sh --install-cert -d exemple.nasqueron.org \<br />
--cert-file /var/certificates/exemple.nasqueron.org/cert.pem<br />
--key-file /var/certificates/exemple.nasqueron.org/key.pem \<br />
--fullchain-file /var/certificates/exemple.nasqueron.org/fullchain.pem \<br />
<br />
==== on nginx ====<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1875Operations grimoire/TLS certificates2024-11-05T20:01:05Z<p>DorianWinty: /* Deploying of the certificates */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
acme.sh --install-cert -d exemple.nasqueron.org \<br />
--cert-file /var/certificates/exemple.nasqueron.org/cert.pem<br />
--key-file /var/certificates/exemple.nasqueron.org/key.pem \<br />
--fullchain-file /var/certificates/exemple.nasqueron.org/fullchain.pemt.pem \<br />
<br />
==== on nginx ====<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1874Operations grimoire/TLS certificates2024-11-05T19:58:22Z<p>DorianWinty: /* Deploying of the certificates */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
acme.sh --install-cert -d exemple.nasqueron.org \<br />
--cert-file /var/certificates/exemple.nasqueron.org/cert.pem<br />
--key-file /var/certificates/exemple.nasqueron.org/key.pem \<br />
--fullchain-file /var/certificates/exemple.nasqueron.org/cert.pem \<br />
<br />
==== on nginx ====<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1873Operations grimoire/TLS certificates2024-11-05T19:47:04Z<p>DorianWinty: /* Regenerate certificate how are from certbot */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
<br />
<br />
==== on nginx ====<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1872Operations grimoire/TLS certificates2024-11-05T19:45:07Z<p>DorianWinty: /* Regenerate certificate how are from certbot */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
export ACMEDNS_BASE_URL="https://auth.acme-dns.io"<br />
export ACMEDNS_USERNAME="<username>"<br />
export ACMEDNS_PASSWORD="<password>"<br />
export ACMEDNS_SUBDOMAIN="<subdomain>"<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
<br />
<br />
==== on nginx ====<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1871Operations grimoire/TLS certificates2024-11-05T19:43:11Z<p>DorianWinty: /* Generate a certificate through DNS */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
export ACMEDNS_BASE_URL="https://acme.nasqueron.org"<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
<br />
<br />
==== on nginx ====<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new password in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ export SQLITE_HISTORY=/dev/null<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
You can generate any arbitrary password with any random tool.<br />
It seems UUIDv4 is used by the client code, if you want one, you can use <code>uuidgen -r</code>.<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1867Operations grimoire/TLS certificates2024-11-05T18:51:47Z<p>DorianWinty: /* Generate a certificate through DNS */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com --server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
<br />
<br />
==== on nginx ====<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new passw@ord in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1866Operations grimoire/TLS certificates2024-11-05T17:57:04Z<p>DorianWinty: /* acme.sh */</p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
acme.sh should be run with the called "acme" with a <br />
sudo su - acme<br />
<br />
==== Generate a certificate ====<br />
<br />
==== Generate a certificate for several sites ====<br />
<br />
==== Generate a certificate through DNS ====<br />
<br />
For DNS certificate, we need to start the certificate generation, edit the DNS records to add the certificate verification. And launch the end of the certificate generation<br />
<br />
acme.sh --issue --dns dns_acmedns -d example.com <br />
--server letsencrypt<br />
<br />
==== Regenerate certificate how are from certbot ====<br />
<br />
<br />
<br />
==== Renew all certificates ====<br />
<br />
For the certificates renewal, anything is needed the cron tab will try to renew them every day "x" day before the expiracy<br />
<br />
==== Deploying of the certificates ====<br />
<br />
<br />
<br />
==== on nginx ====<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new passw@ord in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1865Operations grimoire/TLS certificates2024-11-05T17:43:29Z<p>DorianWinty: </p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
=== acme.sh ===<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new passw@ord in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/TLS_certificates&diff=1864Operations grimoire/TLS certificates2024-11-05T17:42:57Z<p>DorianWinty: </p>
<hr />
<div>TLS certificates should be used for every service we provide, so we can encrypt the communications.<br />
<br />
== Let's Encrypt ==<br />
=== Certbot commands ===<br />
<br />
'''acme-v02 migration.''' If you've a complaint acme-v01.api. isn't available, add <code>--server https://acme-v02.api.letsencrypt.org/directory</code>.<br />
<br />
'''T1505 alignment.''' We don't use anymore Certbot as a Docker container on paas-docker role. As such, all paths are now unified. Symlinks have been added to old /srv paths to help transition.<br />
<br />
==== Generate a certificate ====<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "service nginx reload" -d foo.nasqueron.org</code><br />
<br />
<code>certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto --deploy-hook "systemctl reload nginx" -d foo.nasqueron.org</code><br />
<br />
==== Generate a certificate for several sites ====<br />
<code>-d foo.nasqueron.org -d bar.nasqueron.org</code><br />
<br />
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.<br />
<br />
==== Generate a certificate through DNS ====<br />
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:<br />
<br />
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org<br />
<br />
From December 2023, you can use this command on FreeBSD servers where {{T|1505}} Let's Encrypt standard installation have been deployed:<br />
<br />
certbot certonly --manual --manual-auth-hook /usr/local/etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d subdomain.nasqueron.org<br />
<br />
This uses a specialized DNS server deployed on our Docker PaaS to serve dynamic TLS records under .acme.nasqueron.org, {{Ops file|roles/paas-docker/containers/acme_dns.sls}}.<br />
<br />
Support files were previously '''only deployed to paas-docker role''' through {{Ops file|roles/paas-docker/letsencrypt/files}}.<br />
<br />
==== Renew all certificates ====<br />
<code>certbot renew</code><br />
<br />
==== Installation on nginx ====<br />
===== Allow Let's encrypt validation =====<br />
<br />
include includes/letsencrypt;<br />
<br />
This will use {{Ops file|roles/webserver-core/nginx/files/includes/letsencrypt}} nginx configuration.<br />
<br />
===== Serve TLS certificate =====<br />
<br />
include includes/tls;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
This will configure a compromise between security and compatibility, based on Intermediate Mozilla SSL config<ref>https://ssl-config.mozilla.org/</ref>. The current configuration is served by {{Ops file|roles/webserver-core/nginx/files/includes/tls}}.<br />
<br />
If you prefer to restrict the resource for TLS 1.3, and accepts to block legacy clients, you can also use with {{D|3251}}:<br />
<br />
include includes/tls-modern-only;<br />
ssl_certificate /srv/letsencrypt/etc/live/xmpp.nasqueron.org/fullchain.pem;<br />
ssl_certificate_key /srv/letsencrypt/etc/live/xmpp.nasqueron.org/privkey.pem;<br />
<br />
==== Edit renewal hook ====<br />
In /etc/letsencrypt/renewal or /usr/local/etc/letsencrypt/renewal you can edit this section to customize the command to run after renewal:<br />
<br />
[renewalparams]<br />
renew_hook = systemctl reload nginx<br />
<br />
That can be applied in batch when nothing is set: <code><nowiki>gsed -i "s/\[\[webroot_map]]/renew_hook = systemctl reload nginx\n\n[[webroot_map]]/g" *.conf</nowiki></code><br />
<br />
=== Install certbot on CentOS 10 stream ===<br />
<br />
Packages for Python 3.12 currently used as of 2024-08-04 on CentOS 10 stream can be fetched from Fedora 40 repository.<br />
<br />
Installation on Dwellers was done like this:<br />
<br />
mkdir /tmp/certbot && cd /tmp/certbot<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/c/certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-acme-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-certbot-2.9.0-1.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-configargparse-1.7-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-josepy-1.13.0-8.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-parsedatetime-2.6-12.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyOpenSSL-23.2.0-3.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pyrfc3339-1.1-18.fc40.noarch.rpm<br />
wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/p/python3-pytz-2024.1-1.fc40.noarch.rpm<br />
dnf install ./*.rpm<br />
<br />
== acme.sh ==<br />
<br />
== Nasqueron PKI ==<br />
=== Principles ===<br />
Internal PKI material are stored in Vault, see [[Operations grimoire/Vault]] for information about how to generate, renew, etc.<br />
<br />
In the operations repository, the {{Ops file|roles/core/certificates}} unit is responsible to deploy <code>nasqueron-vault-ca.crt</code>, used to authenticate for *.nasqueron.drake or IP services. For exemple, Vault clients require a certificate they can validate with a chain from that intermediate CA. Note as we don't currently use the root CA, a fullchain is probably not needed for those services.<br />
<br />
=== Rollover a new certificate ===<br />
If <code>nasqueron-vault-ca.crt</code> is updated or if we want instead to provision the root certificate, the following repository need to be updated and services to be redeployed:<br />
<br />
{| class="wikitable sortable"<br />
|+ Where to update certificate?<br />
|-<br />
! Repository !! Path !! Purpose !! Deployment instructions<br />
|-<br />
| operations || {{Ops file|roles/core/certificates/files/}} || Trust internal resources on every server || Salt: <code>salt '*' state.apply roles/core/certificates</code><br />
|-<br />
| docker-airflow || [https://devcentral.nasqueron.org/source/docker-airflow/browse/main/files files/] || Connect to Vault from Airflow Python code || Docker: build and deploy new image nasqueron/airflow on Dwellers<br />
|}<br />
<br />
Deployment instructions are up-to-date when newly added on that table. Afterwards, they should be checked against current procedures.<br />
<br />
== Special considerations ==<br />
=== New server ===<br />
Let's encrypt client is available on [[Ysul]] (natively) and [[Dwellers]] (as a wrapper script for a Docker container).<br />
<br />
Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.<br />
<br />
A salt state would be nice for such purpose. There is work-in-progress on that matter through {{D|3248}}.<br />
<br />
=== Internationalized domain names ===<br />
==== Punycode conversion ====<br />
Both for web server configuration and certificate authority, name must be converted to Punycode ([https://www.ietf.org/rfc/rfc3492.txt RFC 3492]): <br />
https://www.punycoder.com/<br />
<br />
==== Let's encrypt support ====<br />
<br />
Let's encrypt has supported IDN since 2016<ref>https://letsencrypt.org/2016/10/21/introducing-idn-support.html</ref>. We use it for dægrefn.nasqueron.org certificate.<br />
<br />
Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.<br />
<br />
==== StartSSL ====<br />
<br />
StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.<br />
<br />
== Troubleshoot ==<br />
=== Acme DNS ===<br />
==== Can't reach ACME DNS API / HTTP Error 403: Forbidden ====<br />
AcmeDNS API access is restricted to IPs addresses set in {{Ops file|roles/webserver-core/nginx/files/includes/geo_nasqueron}}.<br />
<br />
If you got a 403 by running acme.sh (only visible in --debug mode):<br />
* If the IP address is missing from geo_nasqueron, add it<br />
* If the IP address is already there, check on the server if /etc/nginx/includes/geo_nasqueron matches<br />
** Yes -> nginx must be reloaded (nginx -t reload)<br />
** No -> Deploy with <code>salt docker-002 state.sls_id /etc/nginx/includes/geo_nasqueron roles/webserver-core/nginx</code><br />
<br />
Another solution is a specific routing to reach the API: <br />
For Hervil, add a route to use router-001 gateway: route add 51.255.124.8/30 172.27.27.1<br />
<br />
==== Troubleshoot records in ACME DNS database ====<br />
To check the acme.nasqueron.org subdomain matching your _acme-challenge subdomain: <code>nslookup -type=TXT _acme-challenge.<subdomain>.nasqueron.org</code><br />
<br />
The DNS server to store acme.nasqueron.org records uses a sqlite3 database. To connect and check your parameters:<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/lib/acme-dns.db<br />
SELECT Username, Password FROM records WHERE Subdomain = "<DNS answer>"<br />
<br />
==== Credential lost for a ACME DNS subdomain ====<br />
<br />
Passwords are [https://github.com/joohoi/acme-dns/blob/9c6ca258e1d57e7441b60db4474a68c36356dae2/validation.go hashed with bcrypt], so it's not possible to recover them.<br />
<br />
In that case, there are two options:<br />
<br />
* if you prefer edit the DNS record, delete acme.sh information for the domain renewal then issue a new certificate, that will register a new account<br />
* if you prefer edit the ACME DNS database, encrypt a new passw@ord in bcrypt and update it with sqlite<br />
<br />
Certificates requests are limited by Let's Encrypt, updating the password avoids to reach that quota.<br />
<br />
You can generate a uuid and pass it to bcrypt, or register a new password (and update DNS):<br />
<br />
$ ssh docker-002<br />
$ sqlite3 /srv/acme/. lib/acme-dns.db<br />
UPDATE records SET Password = "<new bcrypt hash>" WHERE Subdomain = "<DNS answer>"<br />
<br />
To get password hash with bcrypt, you can use psysh on WindRiver:<br />
<br />
$ psysh<br />
password_hash("alpha", PASSWORD_BCRYPT)<br />
$2y$10$N17lnt09YFIoVY4025AmCuGrlmA.ZiThm.RDufcakGq9.3IK4xVcW<br />
<br />
Replace $2y$ by $2a$ as x and y are unique for PHP, the rest of the world uses $2a$.<br />
<br />
== Notes & references ==<br />
<references /></div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Mail&diff=1613Operations grimoire/Mail2024-10-03T20:06:25Z<p>DorianWinty: /* Network */</p>
<hr />
<div>The mail infrastructure is shared between third party services (Mailgun, Sendgrid) for web applications willing to use API and our own mail server for regular mailboxes.<br />
<br />
<div style="float: right; width: 22em; border: solid 2px black; padding: 1em;><br />
'''{{FULLPAGENAME}}'''<br />
{{Special:Prefixindex/{{FULLPAGENAME}}/}}<br />
</div><br />
<br />
== Third party services ==<br />
Mainly, they provide configuration wizards, logs, and API keys on a web interface.<br />
<br />
[[Operations grimoire/External services]] says who to contact to debug any issue, configure them, etc.<br />
<br />
== Nasqueron mail services ==<br />
=== Architecture ===<br />
We use the following servers:<br />
* Postfix<br />
** 25 is for mail servers<br />
** 587 is for STARTTLS + user auth<br />
* dovecot for IMAP / POP<br />
* SpamAssassin, OpenDKIM (see [[/DKIM]])<br />
* Sympa for the mailing lists<br />
* MySQL to store user accounts mailboxes and sympa data<br />
* nginx to serve web applications<br />
<br />
/etc/postfix and /etc/dovecot are Git repositories, so commit your configuration changes.<br />
<br />
User accounts are stored in a MySQL database. They are managed by ViMbAdmin (on https://vma.nasqueron.org).<br />
<br />
Sympa manages the mailing lists.<br />
<br />
A nginx server serves vma as vma.nasqinternal, Roundcube as mail.nasqinternal and Sympa.<br />
On Dwellers, nginx assumes SSL termination and the relevant vhosts like mail.nasqueron.org, mail.wolfplex.be, etc.<br />
<br />
All that should be migrated to configuration as code to be managed through Salt.<br />
<br />
A lxc container has been chosen for more stability: Docker assumes we can respin containers, host OS can change. The lxc container is isolated, stable and lxc doesn't ask restarts.<br />
<br />
=== Log in to the server ===<br />
Mail server lives on the lxc container <code>mailserver</code> on [[Dwellers]].<br />
<br />
To access it, you must so:<br />
* ssh dwellers<br />
* attach to the container (<code>lxc-attach -n mailserver [tcsh]</code>)<br />
<br />
If you need to access a lxc container, you can script something do to:<br />
<code>$SSH $LXC_SERVER $LXC_EXEC $CONTAINER_NAME $LXC_COMMAND</code><br />
<br />
Here, it would be <code>ssh -t dwellers.nasqueron.org sudo lxc-attach -n mailserver tcsh</code>.<br />
<br />
To be able to use sudo for lxc-attach, you must belong to the `ops` group.<br />
<br />
=== Add a domain ===<br />
<br />
# Add it to https://vma.nasqueron.org<br />
# Follow [[/DKIM]] procedure<br />
<br />
It's ready.<br />
<br />
You can also be willing to declare the domain to autoconfig/autodiscover, but that's blocked by https://devcentral.nasqueron.org/T1116.<br />
<br />
== New deploy thinking ==<br />
<br />
{| class="wikitable"<br />
|+ pour ou contre<br />
|-<br />
! ViMbAdmin aventage <br />
! ViMbAdmin inconvenient <br />
! Salt pillar aventage <br />
! Salt pillar inconvenient<br />
|-<br />
| Ediatable interface <br />
| Configuration splited<br />
| Unified configuration <br />
| Private salt repository needed for privacy<br />
|-<br />
| Easy to use interface<br />
| Should be installed on the same server as the mailserver<br />
| <br />
| <br />
|-<br />
| Easy solution for users to changes their passwords<br />
| <br />
| <br />
| <br />
|-<br />
| An administrator of an external domain for hosting of other open source project<br />
| <br />
| <br />
| <br />
|-<br />
|<br />
| <br />
| <br />
| <br />
|}<br />
<br />
== Hervil ==<br />
<br />
=== Network ===<br />
Routing tables<br />
<br />
Internet:<br />
Destination Gateway Flags Netif Expire<br />
default 51.210.99.254 UGS vmx1<br />
51.210.99.254 link#2 UHS vmx1<br />
51.255.124.8/30 172.27.27.1 UGS vmx0<br />
<br />
For SPF record we need to make the mail go out from the ip : 51.210.99.254<br />
To permit acme.sh we make a route thrugh router.OO1<br />
<br />
== Troubleshoot ==<br />
=== Dashboards ===<br />
On Grafana, the following dashboards are available:<br />
* [https://grafana.nasqueron.org/d/h36Havfik/postfix-legacy-dashboard?orgId=1 Postfix]<br />
<br />
The following dashboards are missing, feel free to create one:<br />
* Dovecot<br />
<br />
=== Logs ===<br />
On FreeBSD servers, mail logs are consolidated into <code>/var/log/maillog</code> by syslog daemon.<br />
<br />
=== Test to send e-mail with telnet or openssl clients ===<br />
<br />
You can test STARTTLS with openssl s_client:<br />
<br />
openssl s_client -connect mail.nasqueron.org:587 -starttls smtp -ign_eof -crlf <br />
<br />
Flags:<br />
* The -starttls smtp option is the one to send the STARTTLS command<br />
* The -ign_eof flag disables interactive commands, to avoid to renegotiate the TLS session when you press R (like in RCPT TO).<br />
* The -crlf flag doesn't seem needed on FreeBSD, but seem needed on Fedora. It allows to always use \CR\LF (\r\n) as EOL.<br />
<br />
=== @nasqueron.org must be sent through mail.nasqueron.org ===<br />
A SPF record ''v=spf1 a:mail.nasqueron.org -all'' should exist.<br />
<br />
If set, any application app.nasqueron.org should:<br />
* send mails using @app.nasqueron.org domain, not the generic @nasqueron.org one;<br />
* define SPF and if possible DKIM records for this @app.nasqueron.org mail domain.</div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Mail&diff=1612Operations grimoire/Mail2024-10-03T20:05:07Z<p>DorianWinty: </p>
<hr />
<div>The mail infrastructure is shared between third party services (Mailgun, Sendgrid) for web applications willing to use API and our own mail server for regular mailboxes.<br />
<br />
<div style="float: right; width: 22em; border: solid 2px black; padding: 1em;><br />
'''{{FULLPAGENAME}}'''<br />
{{Special:Prefixindex/{{FULLPAGENAME}}/}}<br />
</div><br />
<br />
== Third party services ==<br />
Mainly, they provide configuration wizards, logs, and API keys on a web interface.<br />
<br />
[[Operations grimoire/External services]] says who to contact to debug any issue, configure them, etc.<br />
<br />
== Nasqueron mail services ==<br />
=== Architecture ===<br />
We use the following servers:<br />
* Postfix<br />
** 25 is for mail servers<br />
** 587 is for STARTTLS + user auth<br />
* dovecot for IMAP / POP<br />
* SpamAssassin, OpenDKIM (see [[/DKIM]])<br />
* Sympa for the mailing lists<br />
* MySQL to store user accounts mailboxes and sympa data<br />
* nginx to serve web applications<br />
<br />
/etc/postfix and /etc/dovecot are Git repositories, so commit your configuration changes.<br />
<br />
User accounts are stored in a MySQL database. They are managed by ViMbAdmin (on https://vma.nasqueron.org).<br />
<br />
Sympa manages the mailing lists.<br />
<br />
A nginx server serves vma as vma.nasqinternal, Roundcube as mail.nasqinternal and Sympa.<br />
On Dwellers, nginx assumes SSL termination and the relevant vhosts like mail.nasqueron.org, mail.wolfplex.be, etc.<br />
<br />
All that should be migrated to configuration as code to be managed through Salt.<br />
<br />
A lxc container has been chosen for more stability: Docker assumes we can respin containers, host OS can change. The lxc container is isolated, stable and lxc doesn't ask restarts.<br />
<br />
=== Log in to the server ===<br />
Mail server lives on the lxc container <code>mailserver</code> on [[Dwellers]].<br />
<br />
To access it, you must so:<br />
* ssh dwellers<br />
* attach to the container (<code>lxc-attach -n mailserver [tcsh]</code>)<br />
<br />
If you need to access a lxc container, you can script something do to:<br />
<code>$SSH $LXC_SERVER $LXC_EXEC $CONTAINER_NAME $LXC_COMMAND</code><br />
<br />
Here, it would be <code>ssh -t dwellers.nasqueron.org sudo lxc-attach -n mailserver tcsh</code>.<br />
<br />
To be able to use sudo for lxc-attach, you must belong to the `ops` group.<br />
<br />
=== Add a domain ===<br />
<br />
# Add it to https://vma.nasqueron.org<br />
# Follow [[/DKIM]] procedure<br />
<br />
It's ready.<br />
<br />
You can also be willing to declare the domain to autoconfig/autodiscover, but that's blocked by https://devcentral.nasqueron.org/T1116.<br />
<br />
== New deploy thinking ==<br />
<br />
{| class="wikitable"<br />
|+ pour ou contre<br />
|-<br />
! ViMbAdmin aventage <br />
! ViMbAdmin inconvenient <br />
! Salt pillar aventage <br />
! Salt pillar inconvenient<br />
|-<br />
| Ediatable interface <br />
| Configuration splited<br />
| Unified configuration <br />
| Private salt repository needed for privacy<br />
|-<br />
| Easy to use interface<br />
| Should be installed on the same server as the mailserver<br />
| <br />
| <br />
|-<br />
| Easy solution for users to changes their passwords<br />
| <br />
| <br />
| <br />
|-<br />
| An administrator of an external domain for hosting of other open source project<br />
| <br />
| <br />
| <br />
|-<br />
|<br />
| <br />
| <br />
| <br />
|}<br />
<br />
== Hervil ==<br />
<br />
=== Network ===<br />
Routing tables<br />
<br />
Internet:<br />
Destination Gateway Flags Netif Expire<br />
default 51.210.99.254 UGS vmx1<br />
51.210.99.254 link#2 UHS vmx1<br />
51.255.124.8/30 172.27.27.1 UGS vmx0<br />
<br />
For SPF record we need to make the mail go out from the ip : 51.210.99.254<br />
To permit acme.sh we make a route thrugh router.OO1<br />
<br />
== Troubleshoot ==<br />
=== Dashboards ===<br />
On Grafana, the following dashboards are available:<br />
* [https://grafana.nasqueron.org/d/h36Havfik/postfix-legacy-dashboard?orgId=1 Postfix]<br />
<br />
The following dashboards are missing, feel free to create one:<br />
* Dovecot<br />
<br />
=== Logs ===<br />
On FreeBSD servers, mail logs are consolidated into <code>/var/log/maillog</code> by syslog daemon.<br />
<br />
=== Test to send e-mail with telnet or openssl clients ===<br />
<br />
You can test STARTTLS with openssl s_client:<br />
<br />
openssl s_client -connect mail.nasqueron.org:587 -starttls smtp -ign_eof -crlf <br />
<br />
Flags:<br />
* The -starttls smtp option is the one to send the STARTTLS command<br />
* The -ign_eof flag disables interactive commands, to avoid to renegotiate the TLS session when you press R (like in RCPT TO).<br />
* The -crlf flag doesn't seem needed on FreeBSD, but seem needed on Fedora. It allows to always use \CR\LF (\r\n) as EOL.<br />
<br />
=== @nasqueron.org must be sent through mail.nasqueron.org ===<br />
A SPF record ''v=spf1 a:mail.nasqueron.org -all'' should exist.<br />
<br />
If set, any application app.nasqueron.org should:<br />
* send mails using @app.nasqueron.org domain, not the generic @nasqueron.org one;<br />
* define SPF and if possible DKIM records for this @app.nasqueron.org mail domain.</div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Changelog&diff=1534Operations grimoire/Changelog2024-07-04T17:12:11Z<p>DorianWinty: </p>
<hr />
<div>== 2024 ==<br />
=== July 2024 ===<br />
* [2024-07-07 20:30] [WindRiver] <Dereckson> Upgrade done.<br />
* [2024-07-07 19:50] [WindRiver] <Dereckson> Upgrade to FreeBSD 14.1. Rebooting.<br />
* [2024-07-04 19:10] [Complector] <DorianWinty> Reinstall Git</div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/PostgreSQL&diff=1527Operations grimoire/PostgreSQL2024-06-20T19:50:22Z<p>DorianWinty: </p>
<hr />
<div>PostgreSQL is available as a standalone role and can also be enabled on devserver.<br />
<br />
Applications on the Docker PaaS can use our PostgreSQL infrastructure (Airflow, datasources) or have their own container (Sentry, with custom wal2json extension). This resource documents our own db- servers.<br />
<br />
== Howto ==<br />
<br />
=== Open a console === <br />
Use peer authentication from the postgres user: <code>sudo -u postgres psql</code><br />
<br />
=== Run queries against database ===<br />
The important things are:<br />
<br />
# prepare the operation with a .sql file<br />
# put that SQL file to a task<br />
# avoid data destruction and allow rollback<br />
## if a table needs to be dropped, we can rename it to _unused<br />
## if an application doesn't use a column anymore, we can rename it from foo to foo_unused so we can rollback by renaming back<br />
## actual deletion can be done some weeks later<br />
<br />
Recommend procedure:<br />
<br />
# Create a task on DevCentral or reuse an existing deployment task<br />
# Upload the .sql file on DevCentral or to a repository:<br />
## One-shot maintenance can go to https://devcentral.nasqueron.org/paste/ or sent with <code>cat foo.sql | arc paste --title foo.sql --</code><br />
## Regular queries can go to the [https://devcentral.nasqueron.org/source/reports/browse/main/sql/ reports repository]<br />
# Link it in the task<br />
# Run it<br />
<br />
To run foo.sql against acme database:<br />
<br />
# upload the foo.sql file to the relevant server (for example db-A-001 for db-A cluster)<br />
# <code>sudo -u postgres psql acme < foo.sql</code><br />
<br />
=== Create a new database or user ===<br />
<br />
It's a simple two steps process:<br />
<br />
# Edit the relevant pillar file, for example pillar/dbserver/cluster-A.sls in rOPS<br />
# Deploy the change: <code>salt db-A-001 state.apply roles/dbserver-pgsql</code><br />
<br />
You generally need:<br />
<br />
* an user block in dbserver_postgresql.users<br />
** block title is the username<br />
** a password needs to be set in Flow, key is under ops/secrets/<br />
* a database block<br />
* a connection triplet db, user, ips (use /32 for an unique IP)<br />
<br />
By default, external connections are NOT enabled for any user and database, an entry for pg_hba.conf MUST be added in connections part.<br />
<br />
Servers don't have a public ICANN IP, so you can only connect from other Nasqueron servers.<br />
<br />
=== Grant privileges to an user ===<br />
<br />
Some applications don't set privileges, even if they own the database. That's for example the case of Orbeon Forms DDL.<br />
<br />
To determine if acme has already the rights on the database:<br />
<br />
SELECT grantor, grantee, table_schema, table_name, privilege_type<br />
FROM information_schema.table_privileges<br />
WHERE grantee = 'acme';<br />
<br />
If not:<br />
<br />
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO acme;<br />
<br />
This set of privileges can be handled directly by Salt in cluster privileges definition:<br />
<br />
privileges:<br />
- database: <database name><br />
scope: table<br />
schema: public<br />
tables:<br />
- ALL<br />
privileges:<br />
- ALL<br />
<br />
See {{D|3252}} or {{D|3253}} for an example.<br />
<br />
As a known issue, this query will ALWAYS be executed by Salt.<br />
<br />
; Sequences privileges<br />
<br />
Sequences aren't included in that GRANT ALL PRIVILEGES. We can generate GRANT queries for them:<br />
<br />
SELECT 'GRANT USAGE ON SEQUENCE ' || sequence_schema || '.' || sequence_name || ' TO "acme";'<br />
FROM information_schema.sequences<br />
WHERE sequence_schema NOT LIKE 'pg_%'<br />
AND sequence_schema != 'information_schema';<br />
<br />
=== What to do after an update of PostgreSQL servers? ===<br />
<br />
The following services need their connection to explicitly be restarted:<br />
<br />
{| class="wikitable"<br />
|+ Services to tweak<br />
|-<br />
! Cluster !! Service !! Procedure<br />
|-<br />
| A || Airflow > airflow_triggerer || On Dwellers, docker restart airflow_triggerer<br />
|-<br />
| A || Airflow > airflow_scheduler || On Dwellers, docker restart airflow_scheduler<br />
|}<br />
<br />
== Clusters ==<br />
<br />
Letters can be discontinuous: for example, B will be a MySQL cluster.<br />
<br />
=== Cluster A ===<br />
A is the general cluster, for Nasqueron services. It currently has one server, db-A-001.<br />
<br />
{| class="wikitable"<br />
|+ Databases<br />
|-<br />
! Database !! Managed by !! Description<br />
|-<br />
| airflow || Nasqueron Ops || Workflows runner, used by datasources<br />
|-<br />
| fantoir || Datasources || PostgreSQL version of FANTOIR for geocoding<br />
|}<br />
<br />
== Troubleshoot ==<br />
=== An application stops to work correctly with PostgreSQL ===<br />
Issues with queries are logged to /var/log/messages:<br />
<br />
$ tail -n100 -f /var/log/messages | grep postgres<br />
<br />
For example, {{T|1943}} issue was found with this line:<br />
<br />
Jan 14 23:13:58 db-A-001 postgres[35351]: [8-1] 2024-01-14 23:13:58.081 UTC [35351] ERROR: unsupported XML feature<br />
<br />
=== Unsupported XML feature ===<br />
For Orbeon, XML support is required. That's not by default the case on FreeBSD, the port needs to be built manually. That's the case when provisioning a new server through {{Ops file|roles/dbserver-pgsql/server/build.sls}} but upgrade can break this port.<br />
<br />
If so, rebuild the package. For that, you can follow the instructions of [[Operations grimoire/FreeBSD]], section PostgreSQL. <br />
<br />
=== Some postgres_privileges.present are always changed by Salt ===<br />
<br />
Some ON ALL TABLE privilege queries are always run by the Salt PostgreSQL execution module. For example:<br />
<br />
ID: dbserver_pgsql_user_orbeon_privilege_2_ALL<br />
Function: postgres_privileges.present<br />
Name: orbeon<br />
Result: True<br />
Comment: The privilege(s): ALL have been granted to orbeon<br />
Started: 21:54:53.656120<br />
Duration: 284.394 ms<br />
Changes: <br />
----------<br />
orbeon:<br />
Present<br />
<br />
Those statements aren't idempotent. This is a known issue, and doesn't affect deployment.</div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Mail&diff=1526Operations grimoire/Mail2024-06-18T20:46:27Z<p>DorianWinty: </p>
<hr />
<div>The mail infrastructure is shared between third party services (Mailgun, Sendgrid) for web applications willing to use API and our own mail server for regular mailboxes.<br />
<br />
<div style="float: right; width: 22em; border: solid 2px black; padding: 1em;><br />
'''{{FULLPAGENAME}}'''<br />
{{Special:Prefixindex/{{FULLPAGENAME}}/}}<br />
</div><br />
<br />
== Third party services ==<br />
Mainly, they provide configuration wizards, logs, and API keys on a web interface.<br />
<br />
[[Operations grimoire/External services]] says who to contact to debug any issue, configure them, etc.<br />
<br />
== Nasqueron mail services ==<br />
=== Architecture ===<br />
We use the following servers:<br />
* Postfix<br />
** 25 is for mail servers<br />
** 587 is for STARTTLS + user auth<br />
* dovecot for IMAP / POP<br />
* SpamAssassin, OpenDKIM (see [[/DKIM]])<br />
* Sympa for the mailing lists<br />
* MySQL to store user accounts mailboxes and sympa data<br />
* nginx to serve web applications<br />
<br />
/etc/postfix and /etc/dovecot are Git repositories, so commit your configuration changes.<br />
<br />
User accounts are stored in a MySQL database. They are managed by ViMbAdmin (on https://vma.nasqueron.org).<br />
<br />
Sympa manages the mailing lists.<br />
<br />
A nginx server serves vma as vma.nasqinternal, Roundcube as mail.nasqinternal and Sympa.<br />
On Dwellers, nginx assumes SSL termination and the relevant vhosts like mail.nasqueron.org, mail.wolfplex.be, etc.<br />
<br />
All that should be migrated to configuration as code to be managed through Salt.<br />
<br />
A lxc container has been chosen for more stability: Docker assumes we can respin containers, host OS can change. The lxc container is isolated, stable and lxc doesn't ask restarts.<br />
<br />
=== Log in to the server ===<br />
Mail server lives on the lxc container <code>mailserver</code> on [[Dwellers]].<br />
<br />
To access it, you must so:<br />
* ssh dwellers<br />
* attach to the container (<code>lxc-attach -n mailserver [tcsh]</code>)<br />
<br />
If you need to access a lxc container, you can script something do to:<br />
<code>$SSH $LXC_SERVER $LXC_EXEC $CONTAINER_NAME $LXC_COMMAND</code><br />
<br />
Here, it would be <code>ssh -t dwellers.nasqueron.org sudo lxc-attach -n mailserver tcsh</code>.<br />
<br />
To be able to use sudo for lxc-attach, you must belong to the `ops` group.<br />
<br />
=== Add a domain ===<br />
<br />
# Add it to https://vma.nasqueron.org<br />
# Follow [[/DKIM]] procedure<br />
<br />
It's ready.<br />
<br />
You can also be willing to declare the domain to autoconfig/autodiscover, but that's blocked by https://devcentral.nasqueron.org/T1116.<br />
<br />
== New deploy thinking ==<br />
<br />
{| class="wikitable"<br />
|+ pour ou contre<br />
|-<br />
! ViMbAdmin aventage <br />
! ViMbAdmin inconvenient <br />
! Salt pillar aventage <br />
! Salt pillar inconvenient<br />
|-<br />
| Ediatable interface <br />
| Configuration splited<br />
| Unified configuration <br />
| Private salt repository needed for privacy<br />
|-<br />
| Easy to use interface<br />
| Should be installed on the same server as the mailserver<br />
| <br />
| <br />
|-<br />
| Easy solution for users to changes their passwords<br />
| <br />
| <br />
| <br />
|-<br />
| An administrator of an external domain for hosting of other open source project<br />
| <br />
| <br />
| <br />
|-<br />
|<br />
| <br />
| <br />
| <br />
|}</div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Create_and_revoke_user_accounts_on_Salt_servers&diff=1144Operations grimoire/Create and revoke user accounts on Salt servers2023-04-02T18:26:28Z<p>DorianWinty: </p>
<hr />
<div>== Create an user ==<br />
# Add entry to shellusers in the <code>pillar/core/users.sls</code><br />
## uid: you can run <code>utils/next-uid.py</code> to generate one (if not, take the greatest 2xxx and do +1)<br />
## shell: default shell is bash, other availables are fish / nologin / tcsh / zsh<br />
## fullname: this is a public information, so publish only if the user is comfortable with that (ie if they publish the full name elsewhere like DevCentral, GitHub, etc.)<br />
<br />
== Revoke an user ==<br />
# Keep the entry in shellusers at pillar/core/users.sls <br />
# Append the element to the 'revokedusers' list<br />
# Remove it from relevant groups in pillar/core/groups.sls<br />
<br />
== Assign an user to a group ==<br />
If you only put an user in shellusers, that's a no op operation.<br />
<br />
Each server take users through the shellgroups dictionary in pillar/core/groups.sls.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Group !! Description !! Example of servers<br />
|-<br />
| shell || Shell access on Eglide (e.g. for IRC purpose) || eglide.org<br />
|-<br />
| ops || Nasqueron Operations || Access everywhere<br />
|-<br />
| nasquenautes || Shell access on Nasqueron dev servers || ysul, WindRiver<br />
|}<br />
<br />
Generally, the target groups are `shell` or `nasquenautes`.<br />
<br />
Some specialized groups exist for a particular piece of software or service.<br />
It's generally ignored when adding a new user.<br />
<br />
== Run the Salt ==<br />
If you've access to the Salt primary server in production:<br />
<br />
<code>salt eglide state.apply roles/core/users</code><br />
<br />
Or locally while Eglide doesn't have have a direct access to the Salt primary server:<br />
<br />
<code>sudo salt-call --local state.apply roles/shellserver/users</code><br />
<br />
Take care of the SSH key changes during the output. Please notify concerned users about any SSH keys change when running this.<br />
<br />
See [[Operations grimoire/Deploy with Salt]].</div>DorianWintyhttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Create_and_revoke_user_accounts_on_Salt_servers&diff=1143Operations grimoire/Create and revoke user accounts on Salt servers2023-04-02T18:26:07Z<p>DorianWinty: </p>
<hr />
<div>== Create an user ==<br />
# Add entry to shellusers in the <code>pillar/core/users.sls</code><br />
## uid: you can run <code>utils/next-uid.py</code> to generate one (if not, take the greatest 2xxx and do +1)<br />
## shell: default shell is bash, other availables are fish / nologin / tcsh / zsh<br />
## fullname: this is a public information, so publish only if the user is comfortable with that (ie if they publish the full name elsewhere like DevCentral, GitHub, etc.)<br />
<br />
== Revoke an user ==<br />
# Keep the entry in shellusers at pillar/core/users.sls <br />
# Append the element to the 'revokedusers' list<br />
# Remove it from relevant groups in pillar/core/groups.sls<br />
<br />
== Assign an user to a group ==<br />
If you only put an user in shellusers, that's a no op operation.<br />
<br />
Each server take users through the shellgroups dictionary in pillar/core/groups.sls.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Group !! Description !! Example of servers<br />
|-<br />
| shell || Shell access on Eglide (e.g. for IRC purpose) || eglide.org<br />
|-<br />
| ops || Nasqueron Operations || Access everywhere<br />
|-<br />
| nasquenautes || Shell access on Nasqueron dev servers || ysul, WindRiver<br />
|}<br />
<br />
Generally, the target groups are `shell` or `nasquenautes`.<br />
<br />
Some specialized groups exist for a particular piece of software or service.<br />
It's generally ignored when adding a new user.<br />
<br />
== Run the Salt ==<br />
If you've access to the Salt primary server in production:<br />
<br />
<code>salt eglide state.apply oles/core/users</code><br />
<br />
Or locally while Eglide doesn't have have a direct access to the Salt primary server:<br />
<br />
<code>sudo salt-call --local state.apply roles/shellserver/users</code><br />
<br />
Take care of the SSH key changes during the output. Please notify concerned users about any SSH keys change when running this.<br />
<br />
See [[Operations grimoire/Deploy with Salt]].</div>DorianWinty