Operations grimoire/TLS certificates: Difference between revisions

From Nasqueron Agora
(→‎Internationalized domain names: IDN now at LE, not more at StartSSL)
Line 20: Line 20:


If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.
If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.
=== Generate a certificate through DNS ===
DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:
    certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org
It uses {{Ops file|roles/paas-docker/containers/acme_dns.sls}} service to serve dynamic TXT records.


=== Renew all certificates ===
=== Renew all certificates ===

Revision as of 16:26, 9 June 2023

SSL certificates should be used for every service we provide.

Let's encrypt commands

2016-07-31 utility rename. Client upgraded on Ysul. New client name is certbot, not anymore letsencrypt.

acme-v02 migration. If you've a complaint acme-v01.api. isn't available, add --server https://acme-v02.api.letsencrypt.org/directory.

Generate a certificate

Devserver role, for example Ysul or WindRiver (/var/letsencrypt-auto folder) :

certbot certonly -a webroot --webroot-path=/var/letsencrypt-auto -d foo.nasqueron.org

Dwellers (container will use /www):

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory -a webroot --webroot-path=/www -d bar.nasqueron.org

Generate a certificate for several sites

-d foo.nasqueron.org -d bar.nasqueron.org

If a certificate for foo already existed, it will offer to extend it to a new alternative name, which is probably a good idea.

Generate a certificate through DNS

DNS can be used to generate certificates for domains. For example, the Openfire XMPP certificate is generated like this:

   certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenges -d xmpp.nasqueron.org -d nasqueron.org -d conference.nasqueron.org

It uses rOPS: roles/paas-docker/containers/acme_dns.sls service to serve dynamic TXT records.

Renew all certificates

Ysul: certbot renew

Dwellers: letsencrypt renew

Installation on nginx

Allow Let's encrypt validation

Serve SSL certificate

Special considerations

New server

Let's encrypt client is available on Ysul (natively) and Dwellers (as a wrapper script for a Docker container).

Fill a task in Servers component, subscribe Sandlayth and Dereckson to deploy it on a new server.

A salt state would be nice for such purpose.

Internationalized domain names

Punycode conversion

Both for web server configuration and certificate authority, name must be converted to Punycode (RFC 3492): https://www.punycoder.com/

Let's encrypt support

Let's encrypt has supported IDN since 2016[1]. We use it for dægrefn.nasqueron.org certificate.

Previously, they were afraid: attackers could register a domain with a Cyrillic character matching a real domains. As some people consider it's the responsibility of the CA to mitigate such risks, the feature has been several times postponed.

StartSSL

StartSSL is not in activity anymore. It was used at Nasqueron when Let's Encrypt didn't support IDN.

Notes & references