Tech:SSL certificates

SSL certificates and CSRs can be generated on puppet111 using a shell script (ssl-certificate) that simplifies and standardizes the process. Only SRE and ssl-admins can do this.

LetsEncrypt
Let's Encrypt is a Certificate Authority that issues free SSL certificates. We'll use the certbot client.
 * Generating a CSR:
 * Generating a CSR with extra domains:
 * Generating a LetsEncrypt SSL Certificate:
 * You can also do www. domains too by doing
 * Generating a Wildcard LetsEncrypt SSL Certificate:
 * You can also do domains too by doing
 * Renewing a LetsEncrypt SSL Certificate:
 * To renew a wildcard cert:

The domain is the fully qualified domain name that is used as the common name in the certificate and is the domain the certificate is issued for. The -g option generates a LetsEncrypt SSL certificate for the domain; the -r option renews (regenerates) a LetsEncrypt certificate, provided the private key exists at the expected location.

All generated files are stored in /etc/letsencrypt/live/$domain
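Because renewal with -r only works when the private key is at the expected location, a pre-renewal sanity check of a live directory is useful. The script below is an added example, not the ssl-certificate script itself; it assumes certbot's standard file names (cert.pem and privkey.pem) inside /etc/letsencrypt/live/$domain and requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example: check one certbot "live" directory before a renewal.
# Assumes certbot's layout (cert.pem, privkey.pem); not Miraheze's own tooling.
# Returns 0 when the key exists, matches the certificate, and the certificate
# stays valid for at least MIN_DAYS more days; non-zero otherwise.
check_live_dir() {
  dir="$1"
  min_days="${2:-30}"
  cert="$dir/cert.pem"
  key="$dir/privkey.pem"

  # The -r renewal path needs the private key at the expected location.
  [ -f "$key" ]  || { echo "missing private key: $key" >&2; return 1; }
  [ -f "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }

  # Derive the public key from both files and compare digests; a mismatch
  # means the key on disk does not belong to this certificate.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
    echo "private key does not match certificate in $dir" >&2; return 2; }

  # -checkend takes seconds and exits 0 only if the cert is still valid then.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || {
    echo "certificate in $dir expires within $min_days days" >&2; return 3; }

  echo "ok: $dir ($(openssl x509 -in "$cert" -noout -subject))"
  return 0
}

# Usage: sh check-live.sh /etc/letsencrypt/live/*/
# Each argument is one live directory; a non-zero exit means something needs attention.
status=0
for d in "$@"; do
  check_live_dir "$d" 30 || status=1
done
[ "$status" -eq 0 ] || echo "one or more live directories need attention" >&2
```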

As of November 24, 2018, ACMEv2 (notably, wildcard certificates) via Let's Encrypt is supported by our backend LE tool.

SSL-admins
SSL-admins are system administrators that have access to puppet111. This allows them to generate and add SSL certificates, so Site Reliability Engineering does not necessarily need to be involved in the process of adding certs.

Adding private keys to Private Git
This is done automatically. Should something go wrong, the private keys are added, committed and pushed from /home/ssl-admins/ssl-keys, so that is a good first place to look when debugging.

Certificate Authority

 * Rule of thumb for an acceptable CA on Miraheze is that it is trusted in the latest version of Mozilla Firefox.
 * StartSSL and WoSign are dead. Such is the fate when you make browsers angry.