Operations grimoire/TLS certificates: Difference between revisions
Revision as of 15:35, 24 July 2016
SSL certificates should be used for every service we provide.
Let's Encrypt commands
Generate a certificate
Ysul (webroot is the /var/letsencrypt-auto folder):
letsencrypt certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=/var/letsencrypt-auto -d foo.nasqueron.org
Dwellers (the container uses /www as webroot):
letsencrypt certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=/www -d bar.nasqueron.org
Generate a certificate for several sites
-d foo.nasqueron.org -d bar.nasqueron.org
If a certificate for foo already exists, the client will offer to extend it with the new alternative name, which is usually what you want.
Renew all certificates
letsencrypt renew
Installation on nginx
Allow Let's Encrypt validation
Serve SSL certificate
Special considerations
New server
The Let's Encrypt client is available on Ysul (natively) and on Dwellers (as a wrapper script around a Docker container).
File a task in the Servers component and subscribe Sandlayth and Dereckson to get it deployed on a new server.
A Salt state would be useful for this purpose.
Internationalized domain names
Punycode conversion
For both the web server configuration and the certificate authority, the name must be converted to Punycode (RFC 3492), for example with https://www.punycoder.com/
No Let's Encrypt support
Let's Encrypt doesn't support IDN. The main reason is that they're afraid of malicious uses: attackers could register a domain containing Cyrillic characters that look identical to those of a real domain (a homograph attack). As some people consider it the responsibility of the CA to mitigate such risks, the feature has been postponed several times.
You can check the Let's Encrypt roadmap for the current status.
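As an added example (not part of the original page), the script below converts names to Punycode for the certonly and nginx configuration above, builds the `-d` arguments for `letsencrypt certonly`, and flags labels that mix Latin and Cyrillic letters, the homograph risk described in the previous section; the function names and the sample domains are assumptions.

```python
"""Prepare domain names for the letsencrypt and nginx commands on this page.

Constructed example: converts IDN labels to Punycode (RFC 3492) A-labels with
Python's stdlib "idna" codec, and flags labels whose letters come from more
than one script, the homograph concern that delayed Let's Encrypt IDN support.
"""
import unicodedata


def to_punycode(domain: str) -> str:
    """Return the ASCII (A-label) form of a domain, label by label.

    The stdlib codec applies nameprep (e.g. lowercasing) and the RFC 3492
    Punycode encoding; labels that are already pure ASCII pass through.
    """
    return domain.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set:
    """Script prefixes ('LATIN', 'CYRILLIC', ...) of the letters in a label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # unicodedata.name() starts with the script: 'CYRILLIC SMALL LETTER O'
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def mixed_script_labels(domain: str) -> list:
    """Labels of a domain whose letters come from more than one script.

    This catches a Latin label with a single Cyrillic lookalike inserted; a
    label spelled entirely in Cyrillic lookalikes is single-script and is not
    flagged here.
    """
    return [label for label in domain.split(".") if len(scripts_in_label(label)) > 1]


def letsencrypt_domain_args(domains) -> list:
    """Build the -d arguments for `letsencrypt certonly`, refusing mixed-script labels."""
    args = []
    for domain in domains:
        suspicious = mixed_script_labels(domain)
        if suspicious:
            raise ValueError(f"{domain!r}: mixed-script label(s) {suspicious}")
        args += ["-d", to_punycode(domain)]
    return args


if __name__ == "__main__":
    print(" ".join(letsencrypt_domain_args(["foo.nasqueron.org", "bücher.nasqueron.org"])))
    # Constructed homograph: "f\u043eo" uses Cyrillic о (U+043E) in place of Latin o.
    print(mixed_script_labels("f\u043eo.nasqueron.org"))
```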
StartSSL
StartSSL supports IDN, so we use this CA for such domains.
The nasqueron.org domain is validated at StartSSL on Dereckson's account; assign them a task when a certificate is needed.
Ysul has a `csr` script.
Note that this script is not well adapted to the new StartSSL workflow: as its final input it expects the unbundled certificate content, from which it creates the bundle. When the script was written, StartSSL displayed the certificate directly in a textarea; now they offer archives that already contain a bundled file.
We need to fix the script with the current URL of the intermediate certificate; in the meantime, take the "others" version of the archive so you get the unbundled certificate.