Tech:SSL certificates

SSL certificates and CSRs can be generated on mw1 using a shell script (acme-tiny) to simplify and standardize the process.

MediaWiki Admins

 * Generating a CSR:
 * Generating a LetsEncrypt SSL Certificate:
 * Renewing a LetsEncrypt SSL Certificate:

The domain is the fully qualified domain name that will be used as the common name in the certificate and will be the issued domain. The -g option generates a LetsEncrypt SSL certificate for the domain and the -r option renews (regenerates) a LetsEncrypt certificate if the private key exists at the correct location.

All generated files are stored in /root/acme-tiny/ssl/ in the form of $domain.{key|csr|crt}.

LetsEncrypt
Let's Encrypt is a Certificate Authority that issues free SSL certificates. While it's a nice project, their own Let's Encrypt client is terrible, and getting the actual certs is a bit tricky (compared to other CAs). I'll explain that here. We'll use the acme-tiny client, which is a few thousand times better than the official client.

These steps should be run on mw1, and are only intended for operations members. I've used allthetropes.org and www.allthetropes.org as a real example here.

Get the cert
 * Step 1: generate a private key:

    root@mw1:~/acme-tiny# openssl genrsa 2048 > allthetropes.key
    Generating RSA private key, 2048 bit long modulus
    ...............................................+++
    ..........................................................................................................+++
    e is 65537 (0x10001)

 * Step 2: generate a CSR for the domain:

    root@mw1:~/acme-tiny# openssl req -new -sha256 -key allthetropes.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:allthetropes.org,DNS:www.allthetropes.org")) > allthetropes.csr

 * Step 3: get the actual cert:

    root@mw1:~/acme-tiny# python acme_tiny.py --account-key account.key --csr allthetropes.csr --acme-dir /var/www/challenges/ > allthetropes.org.crt

 * Step 4: Upload the cert (be sure to include the intermediate/root certs too!) and private key, and you can use it.

Puppet-users
Puppet-users are system administrators who have access to puppet1. This lets them add the private keys obtained from mw1 themselves, so Operations does not necessarily need to be involved in adding certs.

Renewing the cert
Renewing the cert is, as long as you did not delete the files in /root/acme-tiny, very easy:

    python /path/to/acme_tiny.py --account-key account.key --csr allthetropes.org.csr --acme-dir /var/www/challenges/ > allthetropes.org.crt

Then, follow step 4 again, and done.