https://wiki.csclub.uwaterloo.ca/api.php?action=feedcontributions&feedformat=atom&user=A3thakraCSCWiki - User contributions [en]2026-04-08T11:47:04ZUser contributionsMediaWiki 1.44.0https://wiki.csclub.uwaterloo.ca/index.php?title=SSL&diff=4324SSL2020-01-28T06:56:23Z<p>A3thakra: /* letsencrypt */</p>
<hr />
<div>== GlobalSign ==<br />
<br />
The CSC currently has an SSL Certificate from GlobalSign for *.csclub.uwaterloo.ca provided at no cost to us through IST. GlobalSign likes to take a long time to respond to certificate signing requests (CSR) for wildcard certs, so our CSR really needs to be handed off to IST at least 2 weeks in advance. You can do it sooner – the certificate expiry date will be the old expiry date + 1 year (+ a bonus ) Having an invalid cert for any length of time leads to terrible breakage, followed by terrible workarounds and prolonged problems.<br />
<br />
When the certificate is due to expire in a month or two, syscom should (but apparently doesn't always) get an email notification. This will include a renewal link. Otherwise, use the [https://uwaterloo.ca/information-systems-technology/about/organizational-structure/information-security-services/certificate-authority/globalsign-signed-x5093-certificates/self-service-globalsign-ssl-certificates IST-CA self service system]. Please keep a copy of the key, CSR and (once issued) certificate in <tt>/home/sysadmin/certs</tt>. The OpenSSL examples linked there are good to generate a 2048-bit RSA key and a corresponding CSR. It's probably a good idea to change the private key (as it's not that much effort anyways). Just sure your CSR is for <tt>*.csclub.uwaterloo.ca</tt>.<br />
<br />
At the self-service portal, these options worked in 2013. If you need IST assistance, [mailto:ist-ca@uwaterloo.ca ist-ca@uwaterloo.ca] is the email address you should contact.<br />
Products: OrganizationSSL<br />
SSL Certificate Type: Wildcard SSL Certificate<br />
Validity Period: 1 year<br />
Are you switching from a Competitor? No, I am not switching<br />
Are you renewing this Certificate? Yes (paste current certificate)<br />
30-day bonus: Yes (why not?)<br />
Add specific Subject Alternative Names (SANs): No (*.csclub.uwaterloo.ca automatically adds csclub.uwaterloo.ca as a SAN)<br />
Enter Certificate Signing Request (CSR): Yes (paste CSR)<br />
Contact Information:<br />
First Name: Computer Science Club<br />
Last Name: Systems Committee<br />
Telephone: +1 519 888 4567 x33870<br />
Email Address: syscom@csclub.uwaterloo.ca<br />
<br />
== Certificate Location ==<br />
<br />
Keep a copy of newly generated certificates in /home/sysadmin/certs on the NFS server (currently [[Machine_List#aspartame|aspartame]]).<br />
<br />
A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key.<br />
<br />
* caffeine:/etc/ssl/private/csclub-wildcard.crt (for Apache)<br />
* coffee:/etc/ssl/private/csclub.uwaterloo.ca (for PostgreSQL and MariaDB)<br />
* mail:/etc/ssl/private/csclub-wildcard.crt (for Apache, Postfix and Dovecot)<br />
* rt:/etc/ssl/private/csclub-wildcard.crt (for Apache)<br />
* potassium-benzoate:/etc/ssl/private/csclub-wildcard.crt (for nginx)<br />
* auth1:/etc/ssl/private/csclub-wildcard.crt (for slapd)<br />
* auth2:/etc/ssl/private/csclub-wildcard.crt (for slapd)<br />
* logstash:/etc/ssl/private/csclub-wildcard.crt (for nginx)<br />
* mattermost:/etc/ssl/private/csclub-wildcard.crt (for nginx)<br />
* load-balancer-0(1|2):/etc/ssl/private/csclub.uwaterloo.ca (for haproxy)<br />
<br />
Some services (e.g. Dovecot, Postfix) prefer to have the certificate chain in one file. Concatenate the appropriate intermediate root to the end of the certificate and store this as csclub-wildcard-chain.crt.<br />
<br />
== letsencrypt ==<br />
<br />
We support letsencrypt for our virtual hosts with custom domains. We use the <tt>cerbot</tt> from debian repositories with a configuration file at <tt>/etc/letsencrypt/cli.ini</tt>, and a systemd timer to handle renewals.<br />
<br />
The setup for a new domain is:<br />
<br />
# Become <tt>certbot</tt> on caffine with <tt>sudo -u certbot bash</tt> or similar.<br />
# Run <tt>certbot certonly -c /etc/letsencrypt/cli.ini -d DOMAIN --logs-dir /tmp</tt>. The logs-dir isn't important and is only needed for troubleshooting.<br />
# Set up the Apache site configuration using the example below. (apache config is in /etc/apache2) Note the permanent redirect to https.<br />
# Make sure to commit your changes when you're done.<br />
# Reloading apache config is <tt>sudo systemctl reload apache2</tt>.<br />
<br />
<VirtualHost *:80><br />
ServerName example.com<br />
ServerAlias *.example.com<br />
ServerAdmin example@csclub.uwaterloo.ca<br />
<br />
#DocumentRoot /users/example/www/<br />
Redirect permanent / https://example.com/<br />
<br />
ErrorLog /var/log/apache2/example-error.log<br />
CustomLog /var/log/apache2/example-access.log combined<br />
</VirtualHost><br />
<br />
<VirtualHost csclub:443><br />
SSLEngine on<br />
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem<br />
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem<br />
SSLStrictSNIVHostCheck on<br />
<br />
ServerName example.com<br />
ServerAlias *.example.com<br />
ServerAdmin example@csclub.uwaterloo.ca<br />
<br />
DocumentRoot /users/example/www<br />
<br />
ErrorLog /var/log/apache2/example-error.log<br />
CustomLog /var/log/apache2/example-access.log combined<br />
</VirtualHost></div>A3thakra