Tech:SSL certificates

SSL certificates and CSRs can be generated on mw1 using a shell script (acme-tiny) to simplify and standardize the process.

LetsEncrypt
Let's Encrypt is a Certificate Authority that issues free SSL certificates. While it's a nice project, their own Let's Encrypt client is terrible, and getting the actual certs is a bit tricky (compared to other CAs). I'll explain that here. We'll use the acme-tiny client, which is a few thousand times better than the official client.

 * Generating a CSR:
 * Generating a LetsEncrypt SSL Certificate:
 * Renewing a LetsEncrypt SSL Certificate:

The domain argument is the fully qualified domain name: it becomes the common name in the certificate and is the domain the certificate is issued for. The -g option generates a new LetsEncrypt SSL certificate for the domain; the -r option renews (regenerates) an existing LetsEncrypt certificate, provided the private key is present at the expected location.

All generated files are stored in /root/acme-tiny/ssl/ in the form of $domain.{key|csr|crt}.

As of March 2018, ACMEv2 (and in particular wildcard certificates) via Let's Encrypt is not supported by our backend LE tool, because the upstream acme-tiny developers (whose tool our LE implementation wraps) decided not to implement DNS-01 validation, which Let's Encrypt requires before it will issue a wildcard certificate.

Puppet-users
Puppet-users are system administrators who have access to puppet1. This lets them add the private keys obtained from mw1 themselves, so Operations do not necessarily need to be involved in the process of adding certificates.

Adding private keys to Private Git

 * Step 1: Take the private key from mw1 (the output printed after you generated it, or, for Operations, the actual file /root/acme-tiny/ssl/domain.key).
 * Step 2: Log in to puppet1 and change to /home/puppet-users/ssl-keys.
 * Step 3: Create a new file called "domain.key" and paste in the private key obtained from mw1 (make sure there are no blank lines or stray spaces at the top or the bottom).
 * Step 4: Add the file (git add .), commit it (git commit) and push (git push).
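The following is an added example, not the Miraheze wrapper script itself or any code from the acme-tiny project. It shows the steps such a wrapper performs (generate or reuse the key under /root/acme-tiny/ssl/, build the CSR, call acme-tiny) together with a check that a key file is a clean PEM block with no blank lines or trailing whitespace before it is committed to the puppet-users repository. The acme_tiny.py command line follows acme-tiny's documented usage; the account key path, challenge directory and repository path are assumptions exposed as environment variables.

```shell
#!/bin/sh
# Added example (not Miraheze's own script). Paths below are assumptions
# except SSL_DIR and SSL_KEYS_REPO, which follow the page.
SSL_DIR="${SSL_DIR:-/root/acme-tiny/ssl}"
SSL_KEYS_REPO="${SSL_KEYS_REPO:-/home/puppet-users/ssl-keys}"
ACME_TINY="${ACME_TINY:-/root/acme-tiny/acme_tiny.py}"        # assumed
ACCOUNT_KEY="${ACCOUNT_KEY:-/root/acme-tiny/account.key}"     # assumed
ACME_DIR="${ACME_DIR:-/var/www/challenges}"                   # assumed HTTP-01 webroot

# Create a private key for $1 unless one exists. Reusing the existing key
# is what the page's -r (renew) mode depends on; -g creates a fresh one.
ensure_key() {
    key="$SSL_DIR/$1.key"
    if [ ! -f "$key" ]; then
        umask 077                      # key is readable by root only
        openssl genrsa -out "$key" 2048
    fi
}

# Build a CSR whose common name is the fully qualified domain name.
make_csr() {
    openssl req -new -sha256 -key "$SSL_DIR/$1.key" \
        -subj "/CN=$1" -out "$SSL_DIR/$1.csr"
}

# Ask Let's Encrypt for the certificate via acme-tiny (HTTP-01 only, so
# no wildcard names: acme-tiny has no DNS-01 support).
issue_cert() {
    python "$ACME_TINY" --account-key "$ACCOUNT_KEY" \
        --csr "$SSL_DIR/$1.csr" --acme-dir "$ACME_DIR" \
        > "$SSL_DIR/$1.crt"
}

# Generate (-g) or renew (-r) for a domain: key reuse is decided by ensure_key.
issue_or_renew() {
    ensure_key "$1" && make_csr "$1" && issue_cert "$1"
}

# Return 0 when $1 is a single PEM private key with nothing before the
# BEGIN line, nothing after the END line, and no trailing whitespace on
# any line. Copy-pasting into the repo is where blank lines sneak in.
check_pem_key() {
    f="$1"
    [ -s "$f" ] || return 1
    first=$(head -n 1 "$f")
    last=$(tail -n 1 "$f")
    case "$first" in
        "-----BEGIN "*"PRIVATE KEY-----") ;;   # PKCS#1 or PKCS#8 header
        *) return 1 ;;
    esac
    case "$last" in
        "-----END "*"PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    # any blank line, or whitespace at the end of a line, fails the check
    if grep -E '^[[:space:]]*$|[[:space:]]$' "$f" >/dev/null; then
        return 1
    fi
    return 0
}

# Steps 2-4 from the page: copy a checked key into the repo and push it.
# Only the one file is added, so stray files in the checkout are not committed.
commit_key() {
    domain="$1"; src="$2"
    if ! check_pem_key "$src"; then
        echo "refusing to commit $src: not a clean PEM private key" >&2
        return 1
    fi
    cp "$src" "$SSL_KEYS_REPO/$domain.key"
    (cd "$SSL_KEYS_REPO" && git add "$domain.key" \
        && git commit -m "Add private key for $domain" && git push)
}
```

Usage would be `issue_or_renew example.org` on mw1 (as root, because of the /root paths) and then `commit_key example.org /root/acme-tiny/ssl/example.org.key` in the puppet-users checkout; check_pem_key can also be run on its own against a pasted file before git add.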

Certificate Authority

 * Rule of thumb for an acceptable CA on Miraheze: it must be trusted by the latest version of Mozilla Firefox.
 * Symantec (and Symantec-subsidiary) certificates issued before 2016-06-01 are rejected outright.
 * CAs previously owned by Symantec require further investigation before they are accepted. See Web browsers distrusting Symantec certificates. Contact revi if such certificates are submitted.
 * StartSSL and WoSign are dead. Such is the fate when you make browsers angry.