Tech:SSL certificates

SSL certificates and CSRs can be generated on mw1 using a shell script (acme-tiny) to simplify and standardize the process.

MediaWiki Admins

 * Generating a CSR:
 * Generating a LetsEncrypt SSL Certificate:
 * Renewing a LetsEncrypt SSL Certificate:

The domain is the fully qualified domain name that will be used as the common name in the certificate and will be the issued domain. The -g option generates a LetsEncrypt SSL certificate for the domain and the -r option renews (regenerates) a LetsEncrypt certificate if the private key exists at the correct location.

All generated files are stored in /root/acme-tiny/ssl/ in the form of $domain.{key|csr|crt}.

LetsEncrypt
Let's Encrypt is a Certificate Authority that issues free SSL certificates. While it's a nice project, their own Let's Encrypt client is terrible, and getting the actual certs is a bit tricky (compared to other CAs). I'll explain that here. We'll use the acme-tiny client, which is a few thousand times better than the official client.

These steps should be run on mw1, and are only intended for operations members, though they can also use the "mw-admins" method. allthetropes.org and www.allthetropes.org are used as real examples here.

Get the cert
 * Step 1: generate a private key:

    root@mw1:~/acme-tiny# openssl genrsa 2048 > allthetropes.key
    Generating RSA private key, 2048 bit long modulus
    ...............................................+++
    ..........................................................................................................+++
    e is 65537 (0x10001)

 * Step 2: generate a CSR for the domain (the subject is left empty and both hostnames go into the subjectAltName extension):

    root@mw1:~/acme-tiny# openssl req -new -sha256 -key allthetropes.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:allthetropes.org,DNS:www.allthetropes.org")) > allthetropes.csr

 * Step 3: get the actual cert:

    root@mw1:~/acme-tiny# python acme_tiny.py --account-key account.key --csr allthetropes.csr --acme-dir /var/www/challenges/ > allthetropes.org.crt

 * Step 4: Upload the cert (be sure to include the intermediate/root certs too!) and private key, and you can use it.

Renewing the cert
Renewing the cert is, as long as you did not delete the files in /root/acme-tiny, very easy:

    python /path/to/acme_tiny.py --account-key account.key --csr allthetropes.org.csr --acme-dir /var/www/challenges/ > allthetropes.org.crt

Then, follow step 4 again, and done.
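The following is an added example, not the wiki's own script nor part of acme-tiny: it wraps steps 1 and 2 above into shell functions that accept any number of hostnames, validates each hostname before it is passed to openssl, checks that every requested name really ended up in the CSR's subjectAltName, and adds a guard for the renewal case that only reports "due" when the private key exists and the current certificate expires within 30 days. Assumptions: openssl is on the PATH, /etc/ssl/openssl.cnf exists (the path used in step 2, overridable via OPENSSL_CNF), and files are named $base.key / $base.csr / $base.crt as on this page; the 30-day threshold is a choice made here, not something the page states.

```shell
#!/bin/sh
# Added example (not the wiki's or acme-tiny's code). Assumes openssl and
# /etc/ssl/openssl.cnf; the 30-day renewal window is an assumption.
set -eu

OPENSSL_CNF="${OPENSSL_CNF:-/etc/ssl/openssl.cnf}"

# Build the subjectAltName value for the given hostnames: "DNS:a,DNS:b,...".
san_list() {
    list=""
    for name in "$@"; do
        list="${list:+$list,}DNS:$name"
    done
    printf '%s' "$list"
}

# Accept only plain lower-case hostnames, so nothing odd reaches openssl or the CA.
valid_hostname() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Steps 1 and 2: create the private key only if it is absent (a renewal must
# reuse it), then write a CSR with an empty subject and all names in the SAN.
make_csr() {
    base="$1"; shift
    for name in "$@"; do
        valid_hostname "$name" || { echo "bad hostname: $name" >&2; return 1; }
    done
    [ -f "$base.key" ] || openssl genrsa -out "$base.key" 2048 2>/dev/null
    cfg=$(mktemp)
    { cat "$OPENSSL_CNF"; printf '[SAN]\nsubjectAltName=%s\n' "$(san_list "$@")"; } > "$cfg"
    openssl req -new -sha256 -key "$base.key" -subj "/" -reqexts SAN \
        -config "$cfg" -out "$base.csr"
    rm -f "$cfg"
}

# Check before handing the CSR to acme_tiny.py: every requested name must be
# present in the CSR's SAN extension. Returns 1 if any is missing.
csr_has_names() {
    csr="$1"; shift
    text=$(openssl req -in "$csr" -noout -text)
    for name in "$@"; do
        printf '%s' "$text" | grep -q "DNS:$name" || return 1
    done
    return 0
}

# Renewal guard in the spirit of the -r option described above: fail when the
# private key is gone; succeed (renewal due) when there is no cert yet or the
# existing cert expires within 30 days.
renew_due() {
    base="$1"
    [ -f "$base.key" ] || { echo "no private key for $base" >&2; return 1; }
    [ -f "$base.crt" ] || return 0
    ! openssl x509 -in "$base.crt" -noout -checkend "$((30 * 24 * 3600))"
}
```

Typical use on mw1 would be `make_csr allthetropes allthetropes.org www.allthetropes.org` followed by `csr_has_names allthetropes.csr allthetropes.org www.allthetropes.org` before running acme_tiny.py as in step 3; `renew_due allthetropes` can gate a cron job so the CA is only contacted when a renewal is actually needed.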

Puppet-users
Puppet-users are system administrators that have access to puppet1. This allows them to add the private keys obtained from mw1 themselves, so Operations do not necessarily need to be involved in the process of adding certs.