SSL: Difference between revisions

From CSCWiki
Jump to navigation Jump to search
m (→‎letsencrypt: close <tt> tag properly)
(→‎letsencrypt: add certonly to certbot command line)
Line 46: Line 46:


# Become <tt>certbot</tt> on caffine with <tt>sudo -u certbot bash</tt> or similar
# Become <tt>certbot</tt> on caffine with <tt>sudo -u certbot bash</tt> or similar
# Run <tt>certbot -c /etc/letsencrypt/cli.ini -d DOMAIN --logs-dir /tmp</tt>. The logs-dir isn't important and is only needed for troubleshooting.
# Run <tt>certbot certonly -c /etc/letsencrypt/cli.ini -d DOMAIN --logs-dir /tmp</tt>. The logs-dir isn't important and is only needed for troubleshooting.
# Set up the Apache site configuration using the example below. Note the permanent redirect to https.
# Set up the Apache site configuration using the example below. Note the permanent redirect to https.



Revision as of 14:48, 13 May 2019

GlobalSign

The CSC currently has an SSL Certificate from GlobalSign for *.csclub.uwaterloo.ca provided at no cost to us through IST. GlobalSign likes to take a long time to respond to certificate signing requests (CSR) for wildcard certs, so our CSR really needs to be handed off to IST at least 2 weeks in advance. You can do it sooner – the certificate expiry date will be the old expiry date + 1 year (+ a bonus ) Having an invalid cert for any length of time leads to terrible breakage, followed by terrible workarounds and prolonged problems.

When the certificate is due to expire in a month or two, syscom should (but apparently doesn't always) get an email notification. This will include a renewal link. Otherwise, use the IST-CA self service system. Please keep a copy of the key, CSR and (once issued) certificate in /home/sysadmin/certs. The OpenSSL examples linked there are good to generate a 2048-bit RSA key and a corresponding CSR. It's probably a good idea to change the private key (as it's not that much effort anyways). Just sure your CSR is for *.csclub.uwaterloo.ca.

At the self-service portal, these options worked in 2013. If you need IST assistance, ist-ca@uwaterloo.ca is the email address you should contact.

 Products: OrganizationSSL
 SSL Certificate Type: Wildcard SSL Certificate
 Validity Period: 1 year
 Are you switching from a Competitor? No, I am not switching
 Are you renewing this Certificate? Yes (paste current certificate)
 30-day bonus: Yes (why not?)
 Add specific Subject Alternative Names (SANs): No (*.csclub.uwaterloo.ca automatically adds csclub.uwaterloo.ca as a SAN)
 Enter Certificate Signing Request (CSR): Yes (paste CSR)
 Contact Information:
   First Name: Computer Science Club
   Last Name: Systems Committee
   Telephone: +1 519 888 4567 x33870
   Email Address: syscom@csclub.uwaterloo.ca

Certificate Location

Keep a copy of newly generated certificates in /home/sysadmin/certs on the NFS server (currently aspartame).

A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key.

  • caffeine:/etc/ssl/private/csclub-wildcard.crt (for Apache)
  • coffee:/etc/ssl/private/csclub.uwaterloo.ca (for PostgreSQL and MariaDB)
  • mail:/etc/ssl/private/csclub-wildcard.crt (for Apache, Postfix and Dovecot)
  • rt:/etc/ssl/private/csclub-wildcard.crt (for Apache)
  • potassium-benzoate:/etc/ssl/private/csclub-wildcard.crt (for nginx)
  • auth1:/etc/ssl/private/csclub-wildcard.crt (for slapd)
  • auth2:/etc/ssl/private/csclub-wildcard.crt (for slapd)
  • logstash:/etc/ssl/private/csclub-wildcard.crt (for nginx)
  • mattermost:/etc/ssl/private/csclub-wildcard.crt (for nginx)
  • load-balancer-0(1|2):/etc/ssl/private/csclub.uwaterloo.ca (for haproxy)

Some services (e.g. Dovecot, Postfix) prefer to have the certificate chain in one file. Concatenate the appropriate intermediate root to the end of the certificate and store this as csclub-wildcard-chain.crt.

letsencrypt

We support letsencrypt for our virtual hosts with custom domains. We use the cerbot from debian repositories with a configuration file at /etc/letsencrypt/cli.ini, and a systemd timer to handle renewals.

The setup for a new domain is:

  1. Become certbot on caffine with sudo -u certbot bash or similar
  2. Run certbot certonly -c /etc/letsencrypt/cli.ini -d DOMAIN --logs-dir /tmp. The logs-dir isn't important and is only needed for troubleshooting.
  3. Set up the Apache site configuration using the example below. Note the permanent redirect to https.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias *.example.com
    ServerAdmin example@csclub.uwaterloo.ca

    #DocumentRoot /users/example/www/
    Redirect permanent / https://example.com

    ErrorLog /var/log/apache2/example-error.log
    CustomLog /var/log/apache2/example-access.log combined
</VirtualHost>

<VirtualHost csclub:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLStrictSNIVHostCheck on

    ServerName example.com
    ServerAlias *.example.com
    ServerAdmin example@csclub.uwaterloo.ca

    DocumentRoot /users/example/www

    ErrorLog /var/log/apache2/example-error.log
    CustomLog /var/log/apache2/example-access.log combined
</VirtualHost>