Tech:SSL certificates

TLS/SSL certificates and certificate signing requests (CSRs) can be generated on mwtask1 with a shell script, ssl-certificate, which simplifies and standardizes the process.

LetsEncrypt
Let's Encrypt is a Certificate Authority that issues free, domain-validated TLS certificates over the ACME protocol. We use the certbot client.


 * Generating a CSR:
 * Generating a CSR with extra domains (subject alternative names):
 * Generating a LetsEncrypt SSL certificate:
 * You can also include www. domains by doing:
 * Generating a wildcard LetsEncrypt SSL certificate:
 * You can also do domains too by doing:
 * Renewing a LetsEncrypt SSL certificate:
 * To renew a wildcard certificate:

The domain is the fully qualified domain name that becomes the certificate's common name and the name the certificate is issued for. The -g option requests a new LetsEncrypt certificate for the domain; the -r option renews (re-issues) an existing LetsEncrypt certificate, and only works if the private key is already present at the expected location.

All generated files are stored in /etc/letsencrypt/live/$domain (privkey.pem, cert.pem, chain.pem and fullchain.pem; certbot keeps these as symlinks to the current versions under /etc/letsencrypt/archive/$domain). privkey.pem is the private key: treat it as a secret and copy it only into the private Puppet repository described below.

As of November 24, 2018, ACMEv2 (and with it wildcard certificates, which require the DNS-01 challenge) is supported via Let's Encrypt by our backend LE tool.

Puppet-users
Puppet-users are system administrators who have access to puppet3. This lets them add the private keys obtained from mwtask1 themselves, so Site Reliability Engineering does not necessarily need to be involved in adding certificates.

Adding private keys to Private Git

 * Step 1: Take the private key from mwtask1 (the output printed after you generated it, or, for Site Reliability Engineering, the actual file /etc/letsencrypt/live/domain/privkey.pem).
 * Step 2: Log in to puppet3 and change to /home/puppet-users/ssl-keys.
 * Step 3: Create a new file called "domain.key" (domain being the FQDN the certificate was issued for) and paste in the private key obtained from mwtask1. Make sure there are no blank lines or trailing whitespace above or below the PEM block: the file must start with the -----BEGIN ... PRIVATE KEY----- line and end with the matching -----END line.
 * Step 4: Add the file (git add domain.key; avoid git add ., which would also stage anything else lying in the checkout), commit it (git commit) and push (git push).
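The four steps above, together with the renewal rule for the -r option from the LetsEncrypt section, as an added example. This is not the ssl-certificate script and not code from the Miraheze Puppet repository; it assumes bash, awk, openssl and git on PATH, the certbot file layout under /etc/letsencrypt/live/$domain, the repository path from step 2, and a placeholder domain example.org. The function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not the ssl-certificate script or anything from the Puppet
# repository. Assumes bash, awk, openssl and git on PATH; the paths below are
# the certbot default and the checkout from step 2, the domain a placeholder.

LIVE_DIR=/etc/letsencrypt/live        # certbot: current key and cert per domain
KEY_REPO=/home/puppet-users/ssl-keys  # checkout on puppet3 (step 2)

# Step 3 caveat: no blank lines or trailing whitespace above or below the PEM
# block. Print a cleaned copy of file $1 to stdout.
normalize_pem() {
    awk '
        { sub(/[[:space:]]+$/, "") }             # trailing spaces, tabs, CRs
        NF == 0 && !started { next }             # blank lines before the block
        { started = 1; lines[++n] = $0 }
        END {
            while (n > 0 && lines[n] == "") n--  # blank lines after the block
            for (i = 1; i <= n; i++) print lines[i]
        }' "$1"
}

# Is file $1 exactly one unencrypted PEM private key and nothing else?
check_pem_key() {
    local f=$1
    case "$(head -n 1 "$f")" in
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----") ;;
        *) echo "$f: first line is not an unencrypted PEM private-key header" >&2; return 1 ;;
    esac
    case "$(tail -n 1 "$f")" in
        "-----END PRIVATE KEY-----"|"-----END RSA PRIVATE KEY-----"|"-----END EC PRIVATE KEY-----") ;;
        *) echo "$f: last line is not a PEM private-key footer" >&2; return 1 ;;
    esac
    if grep -q '^$' "$f"; then
        echo "$f: blank line inside the key" >&2; return 1
    fi
    if [ "$(grep -c -- '-----BEGIN' "$f")" -ne 1 ] || [ "$(grep -c -- '-----END' "$f")" -ne 1 ]; then
        echo "$f: expected exactly one PEM block" >&2; return 1
    fi
    # Structure is right; let openssl confirm the body really decodes as a key.
    openssl pkey -in "$f" -noout 2>/dev/null || { echo "$f: openssl cannot parse key" >&2; return 1; }
}

# Step 1 check: the key about to be committed must belong to the certificate
# certbot issued. The public key derived from each must be identical.
key_matches_cert() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# -r caveat: renew only when it is due. Exit 0 if certificate $1 expires within
# $2 days, 1 if it does not, 2 if the certificate cannot be read at all.
cert_expires_within() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Steps 3 and 4: write private key $3 into repo $1 as $2.key (mode 0600) and
# stage only that file; 'git add .' would also sweep up anything else in the
# checkout. The commit and push from step 4 are left to the operator.
stage_key() {
    local repo=$1 domain=$2 src=$3 dst
    dst="$repo/$domain.key"
    ( umask 077; rm -f "$dst.tmp"; normalize_pem "$src" > "$dst.tmp" ) || return 1
    if ! check_pem_key "$dst.tmp"; then
        rm -f "$dst.tmp"
        return 1
    fi
    mv "$dst.tmp" "$dst"
    git -C "$repo" add -- "$domain.key"
}

# Typical use for one domain, with the certbot default file names:
#   key_matches_cert "$LIVE_DIR/$domain/privkey.pem" "$LIVE_DIR/$domain/cert.pem" \
#       && stage_key "$KEY_REPO" "$domain" "$LIVE_DIR/$domain/privkey.pem"
```

stage_key refuses encrypted keys, files with stray blank lines and files holding more than one PEM block, and it never runs git add on anything except the one key file; cert_expires_within is the check to run before reaching for -r, since renewing a certificate that is nowhere near expiry only burns Let's Encrypt rate limits.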

Certificate Authority

 * Rule of thumb for an acceptable CA on Miraheze: it is trusted by the latest version of Mozilla Firefox, i.e. its root is in the Mozilla root store.
 * StartSSL and WoSign are dead (both were distrusted by the major browsers in 2016 and 2017 after mis-issuance). Such is the fate of a CA that makes the browsers angry.