Tech:SSL certificates

From Miraheze Meta, Miraheze's central coordination wiki

SSL certificates and CSRs are generated on puppet181 with a shell script, ssl-certificate, which simplifies and standardizes the process. Only sre and ssl-admins can do this.

LetsEncrypt

Let's Encrypt is a Certificate Authority that issues free SSL certificates. We use the certbot client to talk to it.

  • Generate a CSR: /root/ssl-certificate -d <domain> -c
  • Generate a CSR with extra domains (added as subject alternative names): /root/ssl-certificate -d <domain> -c -s <extra_domain>
  • Generate a Let's Encrypt SSL certificate: /root/ssl-certificate -d <domain> -g -p -o
    • To cover the www. name as well: /root/ssl-certificate -d <domain> -s www.<domain> -g -p -o
  • Generate a wildcard Let's Encrypt SSL certificate: /root/ssl-certificate -d *.<domain> -g -w
    • To cover the bare <domain> as well: /root/ssl-certificate -d <domain> -s *.<domain> -g -p -o -w
  • Renew a Let's Encrypt SSL certificate: /root/ssl-certificate -d <domain> -r -p -o
    • To renew a wildcard certificate: /root/ssl-certificate -d <domain> -r -w -p -o

The domain is the fully qualified domain name that is used as the common name in the certificate and is the name the certificate is issued for. The -g option generates a Let's Encrypt SSL certificate for the domain; the -r option renews (regenerates) a Let's Encrypt certificate, provided the private key exists at the expected location.

For Let's Encrypt certificates, the public and private components are added and pushed to their respective git repositories automatically, for both new certificates and renewals. If you need to regenerate a certificate from scratch, use the renew option so that no duplicate entry is added to certs.yaml.

For CSR/private key generation, the files are written to /root/<domain>.csr and /root/<domain>.key. The private key then needs to be added as <domain>.key in /home/ssl-admins/ssl-keys, committed and pushed.
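The following is an added example, not Miraheze's /root/ssl-certificate script: it shows the OpenSSL steps such a wrapper performs for CSR generation with extra domains (the -c and -s options above) and the two checks worth running before a renewal (-r): that the private key is at the expected location and matches the deployed certificate, and whether the certificate is actually close to expiry. WORKDIR stands in for /root, test.example is a constructed domain, and the function names are assumptions; the self-signed certificate is a stand-in for the CA-issued one so that the checks run offline.

```shell
#!/bin/sh
# Added example (not Miraheze's /root/ssl-certificate script): the OpenSSL
# steps a wrapper like it performs for "-c" (CSR + private key, with "-s"
# extra domains as subjectAltNames) and the checks behind "-r" (is the
# private key where it should be, does it match the deployed cert, and is
# the cert actually close to expiry?). WORKDIR stands in for /root; the
# function names and the test.example domain are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Emit an OpenSSL request config: CN = primary domain, SAN = primary domain
# plus every extra domain given. Wildcards (*.example) are accepted as-is.
san_config() {
    domain="$1"; shift
    sans="DNS:$domain"
    for extra in "$@"; do
        sans="$sans,DNS:$extra"
    done
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
    printf '[dn]\nCN = %s\n[ext]\nsubjectAltName = %s\n' "$domain" "$sans"
}

# Create WORKDIR/<domain>.key (mode 0600) and WORKDIR/<domain>.csr; print the CSR path.
make_csr() {
    domain="$1"; shift
    san_config "$domain" "$@" > "$WORKDIR/$domain.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORKDIR/$domain.cnf" \
        -keyout "$WORKDIR/$domain.key" -out "$WORKDIR/$domain.csr" 2>/dev/null
    chmod 600 "$WORKDIR/$domain.key"
    echo "$WORKDIR/$domain.csr"
}

# Print the DNS names a CSR asks for, one per line: the thing to check before
# committing the key or sending the request to a CA.
csr_sans() {
    openssl req -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Sign the CSR for <domain> with its own key for <days> days: a constructed
# stand-in for the CA-issued certificate so the checks below run offline.
self_sign() {
    domain="$1"; days="$2"
    openssl x509 -req -sha256 -days "$days" \
        -in "$WORKDIR/$domain.csr" -signkey "$WORKDIR/$domain.key" \
        -extfile "$WORKDIR/$domain.cnf" -extensions ext \
        -out "$WORKDIR/$domain.crt" 2>/dev/null
    echo "$WORKDIR/$domain.crt"
}

# True (exit 0) when the private key in $1 belongs to the certificate in $2.
# A renewal run against the wrong key "succeeds" but leaves a broken pair.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# True (exit 0) when the certificate in $1 expires within $2 days (or already
# has), i.e. when a renewal is due. -checkend exits 0 only if it will NOT expire.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Walk-through on the constructed domain: CSR for test.example plus the www
# name, a 10-day stand-in certificate, then the two pre-renewal checks.
demo() {
    csr=$(make_csr test.example www.test.example)
    echo "requested names:"; csr_sans "$csr"
    crt=$(self_sign test.example 10)
    key_matches_cert "$WORKDIR/test.example.key" "$crt" && echo "key matches cert"
    needs_renewal "$crt" 30 && echo "renewal due within 30 days"
}
```

Source the file and call demo for the walk-through. The csr_sans check is the one to run on a CSR before its key is committed to ssl-keys: a missing name (the www. variant, say) is otherwise only noticed after issuance, when the fix is a second certificate and a second entry in certs.yaml.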

For debugging purposes, public keys are handled in /srv/ssl/ssl.

To remove an LE certificate, run the following:

 sudo /root/ssl-certificate -d <domain> --revoke

Then answer yes to all the questions. This revokes the certificate and removes the private key from our system. The public certificate must then be removed manually: delete the file from the certificate's directory and remove its entry from certs.yaml.

For a non-LE certificate, both the public and private keys have to be removed manually.

As of November 24, 2018, ACMEv2 (notably, wildcard certificates) via Let's Encrypt is supported by our backend LE tool.

Certificate Authority

  • Rule of thumb: a CA is acceptable on Miraheze if it is trusted by the latest version of Mozilla Firefox.
  • StartSSL and WoSign are dead, since browsers removed their trust. Such is the fate of a CA that makes browsers angry.

See also

Custom domains