pixelated / puppet-pixelated

Puppet Module to setup the Pixelated User Agent


Document letsencrypt cert installation

varac opened this issue · comments

commented

We should document how to use Let's Encrypt certificates for LEAP and Pixelated.
Best place for this would be the LEAP Keys and Certificates doc.

commented

here's the documentation draft i started: https://pad.riseup.net/p/letsencrypt

please update staging's certificate to QA this
https://staging.pixelated-project.org/

@varac

- Certificate: `/etc/letsencrypt/live/DOMAIN/cert.pem` from the server to `files/cert/dev.pixelated-project.org.crt` in your provider config
- Private key: `/etc/letsencrypt/live/DOMAIN/privkey.pem` from the server to `files/cert/DOMAIN.key` in your provider config
- CA Chain cert: `/etc/letsencrypt/live/DOMAIN/fullchain.pem` from the server to `files/cert/commercial_ca.crt` in your provider config

Does the explanation above mean something like this:

# copy the three files out of live/ (they are symlinks into archive/, which scp
# dereferences when copying single files); privkey.pem is root-only, so "user"
# has to be able to read it
cd pixelated-platform-environments/pixelated-project.org/files/cert
scp user@unstable.pixelated-project.org:/etc/letsencrypt/live/unstable.pixelated-project.org/*.pem .
mv cert.pem unstable.pixelated-project.org.crt
mv privkey.pem unstable.pixelated-project.org.key
mv fullchain.pem commercial_ca.crt
rm -f chain.pem   # also matched by the glob, not used by the LEAP layout

Because there is a file called "commercial_ca.crt" in the path "files/cert/". I'm not sure if I can overwrite the file or not.

Where does the file "unstable.pixelated-project.org.csr" in "files/cert" come from? Should I replace it with another file?

❤️

commented

@deniscostadsc i updated the howto, please have a look if it is better now.

> Where does the file "unstable.pixelated-project.org.csr" in "files/cert" come from? Should I replace it with another file?

No, this is the cert signing request needed for a commercial cert, see https://leap.se/en/docs/platform/guide/keys-and-certificates#commercial-certificates
With Let's Encrypt, we don't need a CSR file anymore (it could get removed).

We tested the steps on the pad and automated the process on staging.
Everything worked fine. 🎉 🎉

This is the file where we put the steps required to generate the certificates on staging: https://github.com/pixelated/thoughtworks-ci-config/blob/master/pixelated-platform/bin/rename-to-staging.sh

Hey guys, we were trying to deploy to staging one more time and we reached the Let's Encrypt rate limit [1].

With that in mind, if we generate the certificates on every deploy, we are definitely going to reach the limit again. Given that, maybe we need to save the certificates to deploy them later. How can we do that? Maybe save them to thoughtworks-ci-config?

[1] - https://community.letsencrypt.org/t/quick-start-guide/1631/6
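
Putting the file mapping from the howto above together with the rate-limit problem, here is an added shell example (not code from this thread, the LEAP platform or the thoughtworks-ci-config script): it installs an already-copied Let's Encrypt `live/` directory into the `files/cert/` layout, refusing to proceed if `privkey.pem` does not belong to `cert.pem` or if the chain file is not `fullchain.pem`, and it decides from the stored certificate's expiry whether certbot needs to run at all, so a redeploy reuses the saved files instead of requesting a new certificate. The function names, the 30-day threshold in the usage comment and the directory arguments are my assumptions; it requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the issue thread or the LEAP/Pixelated repos).
# Assumes the Let's Encrypt live/ directory for the domain has already been
# copied to a local directory (e.g. with scp, run as a user that can read
# privkey.pem) and reproduces the howto's mapping:
#   cert.pem -> DOMAIN.crt, privkey.pem -> DOMAIN.key, fullchain.pem -> commercial_ca.crt

# key_matches_cert CERT KEY
# Exit 0 when the public key embedded in CERT equals the one derived from KEY,
# 1 when they differ, 2 when either file cannot be parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
    key_pub=$(openssl pkey -pubout -in "$2") || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# is_fullchain CERT CHAIN
# Exit 0 when CHAIN begins with the bytes of CERT, i.e. it is fullchain.pem
# (leaf + intermediates) and not chain.pem (intermediates only), which would
# leave clients without the leaf certificate in the LEAP layout.
is_fullchain() {
    head -c "$(wc -c < "$1")" "$2" | cmp -s - "$1"
}

# install_le_cert SRC_DIR DEST_DIR DOMAIN
# Validates the three files and copies them into DEST_DIR under the names the
# provider config expects. Nothing is written if a check fails.
install_le_cert() {
    src=$1; dest=$2; domain=$3
    for f in cert.pem privkey.pem fullchain.pem; do
        [ -r "$src/$f" ] || { echo "missing or unreadable $src/$f" >&2; return 1; }
    done
    key_matches_cert "$src/cert.pem" "$src/privkey.pem" || {
        echo "privkey.pem does not match cert.pem; refusing to install" >&2; return 1; }
    is_fullchain "$src/cert.pem" "$src/fullchain.pem" || {
        echo "fullchain.pem does not start with cert.pem; pass fullchain.pem, not chain.pem" >&2; return 1; }
    mkdir -p "$dest" || return 1
    cp "$src/cert.pem"      "$dest/$domain.crt"      || return 1
    cp "$src/fullchain.pem" "$dest/commercial_ca.crt" || return 1  # LEAP's name for the chain file
    # the provider config lives in a shared repo: keep the key owner-only
    install -m 600 "$src/privkey.pem" "$dest/$domain.key" || return 1
}

# cert_needs_renewal CERT DAYS
# Exit 0 when CERT expires within DAYS (or cannot be read), 1 otherwise.
# Call certbot only when this returns 0; routine deploys then reuse the stored
# files instead of requesting a fresh certificate and burning the rate limit.
cert_needs_renewal() {
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# usage (assumed paths):
#   install_le_cert ./live/unstable.pixelated-project.org files/cert unstable.pixelated-project.org
#   cert_needs_renewal files/cert/unstable.pixelated-project.org.crt 30 && echo "run certbot, then install_le_cert again"
```

Run `cert_needs_renewal` against the certificate already stored in the provider config before touching certbot; only a certificate inside the threshold triggers a new issuance, and the key-match and fullchain checks catch the two mistakes that are easy to make when renaming files by hand.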

commented

Good idea, let's check how protected the thoughtworks-ci-config repo is and, if it's not publicly cloneable, let's use this one. Are you moving this back to development?

commented

@deniscostadsc @tuliocasagrande while you're on it, Nagios is complaining about the unstable and dev certs expiring soon (see https://github.com/pixelated/project-issues/issues/256). Do you mind updating those as well?

@varac We are going to solve this problem on this issue: https://github.com/pixelated/project-issues/issues/258