Tech:SSL certificates

SSL certificates and CSRs can be generated on mw1 using a shell script to simplify and standardise the process.

The domain is the fully qualified domain name that will be used as the common name in the certificate and will be the issued domain. The -g option generates a LetsEncrypt SSL certificate for the domain and the -r option renews (regenerates) a LetsEncrypt certificate if the private key exists at the correct location.

All generated files are stored in /root/acme-tiny/ssl/ in the form of $domain.{key|csr|crt}.

LetsEncrypt
Let's Encrypt is a Certificate Authority that issues free SSL certificates. While it's a nice project, their own Let's Encrypt client is terrible, and getting the actual certs is a bit tricky (compared to other CAs). I'll explain that here. We'll use the acme-tiny client, which is a few thousand times better than the official client.

These steps should be run on mw1, and are only intended for operations members. I've used allthetropes.org and www.allthetropes.org as a real example here.

Get the cert
 * Step 1: generate a private key:
   root@mw1:~/acme-tiny# openssl genrsa 2048 > allthetropes.key
   Generating RSA private key, 2048 bit long modulus
   ...............................................+++
   ..........................................................................................................+++
   e is 65537 (0x10001)
 * Step 2: generate a CSR for the domain (both names go into the subjectAltName extension; the subject itself is left empty):
   root@mw1:~/acme-tiny# openssl req -new -sha256 -key allthetropes.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:allthetropes.org,DNS:www.allthetropes.org")) > allthetropes.csr
 * Step 3: get the actual cert:
   root@mw1:~/acme-tiny# python acme_tiny.py --account-key account.key --csr allthetropes.csr --acme-dir /var/www/challenges/ > allthetropes.org.crt
 * Step 4: Upload the cert (be sure to include the intermediate/root certs too!) and private key, and you can use it.

Renewing the cert
Renewing the cert is, as long as you did not delete the files in /root/acme-tiny, very easy:
   python /path/to/acme_tiny.py --account-key account.key --csr allthetropes.org.csr --acme-dir /var/www/challenges/ > allthetropes.org.crt
Then follow step 4 again, and done.
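The key and SAN CSR steps above, plus the checks worth running before step 3 (does the CSR carry every hostname, and was it made with this key?) and before a renewal (how close is the cert to expiry?), as an added example that is not the page's own script or part of acme-tiny. It uses an inline minimal openssl config instead of /etc/ssl/openssl.cnf so it runs on any host with openssl, and the hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not the page's script): key + SAN CSR generation as functions,
# with the pre-submission and pre-renewal checks a practitioner wants.
set -eu

# make_csr DOMAIN [ALT_DOMAIN...]: writes DOMAIN.key and DOMAIN.csr in $PWD.
# Every name goes into subjectAltName; the subject is empty, as on the page.
make_csr() {
  domain="$1"; shift
  sans="DNS:${domain}"
  for d in "$@"; do sans="${sans},DNS:${d}"; done
  (umask 077; openssl genrsa 2048 > "${domain}.key" 2>/dev/null)
  cfg="$(mktemp)"
  # Minimal config: req needs a distinguished_name section even with -subj "/".
  printf '[req]\ndistinguished_name=dn\n[dn]\n[SAN]\nsubjectAltName=%s\n' "$sans" > "$cfg"
  openssl req -new -sha256 -key "${domain}.key" -subj "/" -reqexts SAN \
    -config "$cfg" > "${domain}.csr"
  rm -f "$cfg"
}

# csr_sans CSR: prints the DNS names in the CSR's SAN extension, one per line.
# Check this before step 3: a missing www. name means a cert that won't cover it.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# csr_matches_key CSR KEY: succeeds if the CSR's public key is KEY's public half,
# i.e. the cert you will get back belongs to the key you are about to upload.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_expires_within CRT DAYS: succeeds if the cert expires within DAYS days.
# openssl -checkend exits non-zero when the cert WILL expire in that window.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}
```

Run `cert_expires_within allthetropes.org.crt 30 && renew` from cron to trigger the renewal step only when the 90-day certificate is inside its last month.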