Tech:SSL certificates

SSL certificates and CSRs can be generated on puppet141 using a shell script (ssl-certificate) that simplifies and standardizes the process. Only members of sre and ssl-admins can do this.

LetsEncrypt
Let's Encrypt is a Certificate Authority that issues free SSL certificates. We use the certbot client.


 * Generating a CSR:
 * Generating a CSR with extra domains:
 * Generating a LetsEncrypt SSL Certificate:
 * You can also include www. domains by doing
 * Generating a Wildcard LetsEncrypt SSL Certificate:
 * You can also include additional domains by doing
 * Renewing a LetsEncrypt SSL Certificate:
 * To renew a wildcard cert:

The domain argument is the fully qualified domain name that will be used as the common name in the certificate and will be the issued domain. The -g option generates a LetsEncrypt SSL certificate for the domain, and the -r option renews (regenerates) a LetsEncrypt certificate if the private key exists at the correct location.

For LetsEncrypt certificates, the public and private keys will automatically be added and pushed to their respective git repositories, both for new certificates and renewals. If you need to completely regenerate a certificate, use the renew option to avoid adding a duplicate entry to certs.yaml.

For CSR/private key generation, the keys will be located at /root/ and /root/ .key. The private key will need to be added as  in /home/ssl-admins/ssl-keys, then committed and pushed.
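A pre-commit sanity check for the key material described above, as an added example that is not part of the original page or of the ssl-certificate script: it confirms that a private key really belongs to its certificate and that the certificate is not about to expire, using only openssl. The file names and the 30-day default threshold are assumptions.

```shell
#!/usr/bin/env bash
# Checks to run before committing a new or renewed key pair to ssl-keys:
# does the private key match the certificate, and how close is expiry?

# Return 0 if the private key's public half equals the certificate's
# public key (works for RSA and EC keys), 1 if not, 2 on unreadable input.
ssl_pair_matches() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate will still be valid DAYS days from now.
# -checkend is portable across OpenSSL versions, unlike date arithmetic.
ssl_valid_for_days() {
    local cert="$1" days="$2"
    openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1
}

# Combined report; non-zero exit means the pair should not be committed.
ssl_precommit_check() {
    local cert="$1" key="$2" min_days="${3:-30}" rc=0
    if ssl_pair_matches "$cert" "$key"; then
        echo "ok: $key matches $cert"
    else
        echo "FAIL: $key does not match $cert"; rc=1
    fi
    if ssl_valid_for_days "$cert" "$min_days"; then
        echo "ok: $cert is still valid in $min_days days"
    else
        echo "FAIL: $cert expires within $min_days days (renew with -r)"; rc=1
    fi
    return "$rc"
}

# Usage: ./precommit-check.sh DOMAIN.crt DOMAIN.key [MIN_DAYS]
if [ "$#" -ge 2 ]; then
    ssl_precommit_check "$1" "$2" "${3:-30}"
fi
```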

For debugging purposes, public keys are handled in /srv/ssl/ssl.

To remove an LE certificate, run the following:
sudo /root/ssl-certificate -d --revoke
Then answer yes to all questions. This will revoke the cert and remove the private key from our system. You then have to manually remove the public key by deleting the actual key file from the certificates directory and removing its entry from certs.yaml.

For a non-LE cert, both the public and private keys have to be removed manually.

As of November 24, 2018, ACMEv2 (notably, wildcard certificates) via Let's Encrypt is supported by our backend LE tool.

Certificate Authority

 * Rule of thumb for an acceptable CA on Miraheze is that it is trusted by the latest version of Mozilla Firefox.
 * StartSSL and WoSign are dead. Such is the fate when you make browsers angry.