author: Pedro Alvarez <pedro.alvarez@codethink.co.uk> 2017-03-17 16:54:32 +0000
committer: Pedro Alvarez <pedro.alvarez@codethink.co.uk> 2017-03-17 16:59:41 +0000
commit: 82f6338f83ec0a8d61d9d8d38b0e21ffc8ebfdda (patch)
tree: 64481c1da89d1e03bd4023e43751e730971744bd
parent: 9e886d8e7f227e460c639eb8b5ce2ed2ba5b0647 (diff)
download: infrastructure-82f6338f83ec0a8d61d9d8d38b0e21ffc8ebfdda.tar.gz
Add notes for SSL certs generation and setup
-rw-r--r--  README.mdwn  97
1 files changed, 97 insertions, 0 deletions
diff --git a/README.mdwn b/README.mdwn
index 65a0a7ad..b597274d 100644
--- a/README.mdwn
+++ b/README.mdwn
@@ -795,3 +795,100 @@ necessary.
ssh ubuntu@storyboard.baserock.org storyboard-db-manage load_projects projects.yaml
3. Submit a patch for infrastructure.git with your changes, and submit to Gerrit.
+
+SSL certificates
+================
+
+The certificates used for our infrastructure are provided for free
+by Let's Encrypt. These certificates expire every 3 months. Here we
+will explain how to renew the certificates, and how to deploy them.
+
+Generation of certificates
+--------------------------
+
+> Note: This should be automated in the next upgrade. The instructions
+> sound like a lot of effort
+
+To generate the SSL certs, first you need to clone the following repository:
+
+ git clone https://github.com/lukas2511/letsencrypt.sh.git
+
+The version used the first time was `0.4.0` with sha `116386486b3749e4c5e1b4da35904f30f8b2749b`,
+(just in case future releases break these instructions)
+
+Now inside of the repo, create a `domains.txt` file with the information
+of the subdomains:
+
+ cd letsencrypt.sh
+ cat >domains.txt <<'EOF'
+ baserock.org
+ irclogs.baserock.org download.baserock.org openid.baserock.org gerrit.baserock.org paste.baserock.org
+ storyboard.baserock.org
+ git.baserock.org
+ spec.baserock.org docs.baserock.org
+ EOF
+
+Create a `dnsapi.config.txt` with the contents of `private/dnsapi.config.txt`
+decrypted. To show the contents of this file, run the following in a
+`infrastructure.git` repo checkout.
+
+ ansible-vault view private/dnsapi.config.txt
+
+
+Now, to generate the certs, run:
+
+ ./dehydrated -c
+
+
+In the `certs` folder you will have all the certificates generated. To construct the
+certificates that are present in `certs` and `private` you will have to:
+
+ cd certs
+ mkdir -p tmp/private tmp/certs
+
+ # Create some full certs including key for some services that need it this way
+ cat git.baserock.org/cert.csr git.baserock.org/cert.pem chain.pem git.baserock.org/privkey.pem > tmp/private/git-with-key.pem
+ cat irclogs.baserock.org/cert.csr irclogs.baserock.org/cert.pem irclogs.baserock.org/chain.pem irclogs.baserock.org/privkey.pem > tmp/private/frontend-with-key.pem
+
+ # Copy key files
+ cp git.baserock.org/privkey.pem tmp/private/git.pem
+ cp irclogs.baserock.org/privkey.pem tmp/private/frontend.pem
+ cp storyboard.baserock.org/privkey.pem tmp/private/storyboard.pem
+
+ # Create full certs without keys
+ cat git.baserock.org/cert.csr git.baserock.org/cert.pem chain.pem > tmp/certs/git.pem
+ cat irclogs.baserock.org/cert.csr irclogs.baserock.org/cert.pem irclogs.baserock.org/chain.pem > tmp/certs/frontend.pem
+ cat storyboard.baserock.org/cert.csr storyboard.baserock.org/cert.pem storyboard.baserock.org/chain.pem > tmp/certs/storyboard.pem
+
+Before replacing the current ones, make sure you **encrypt** the ones that contain
+keys (located in `private` folder):
+
+ ansible-vault encrypt tmp/private/*
+
+
+Deploy certificates
+-------------------
+
+
+For `git.baserock.org` just run:
+
+ ansible-playbook -i hosts baserock_trove/configure-trove.yml
+
+This script will copy the certificates to the Trove and run the scripts
+that will configure them.
+
+
+For the frontend, run:
+
+ ansible-playbook -i hosts baserock_frontend/instance-config.yml
+ ansible -i hosts -m service -a 'name=haproxy enabled=true state=restarted' --sudo frontend-haproxy
+
+Which will install the certificates and then restart the services needed.
+
+
+For StoryBoard, run:
+
+ ansible-playbook -i hosts baserock_storyboard/instance-storyboard-config.yml
+
+This script will trigger a full deployment. It will take a bit longer than the
+others, but will do the job.
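Review bot: the `git.baserock.org` bundles are built from a different chain file than the other two services, which looks like a copy error. Lines `cat git.baserock.org/cert.csr git.baserock.org/cert.pem chain.pem git.baserock.org/privkey.pem > tmp/private/git-with-key.pem` and `cat git.baserock.org/cert.csr git.baserock.org/cert.pem chain.pem > tmp/certs/git.pem` reference a top-level `chain.pem` inside `certs/`, while the `irclogs.baserock.org` and `storyboard.baserock.org` lines use the per-domain `irclogs.baserock.org/chain.pem` and `storyboard.baserock.org/chain.pem`; with that layout, the git bundles would either fail (`chain.pem: No such file`) or, if a stray `chain.pem` exists, ship the wrong intermediate and break chain validation on the Trove. Suggest `git.baserock.org/chain.pem` in both places. Two smaller points: prepending `cert.csr` to every served bundle adds a certificate signing request that neither HAProxy nor the Trove needs, so the bundles could start at `cert.pem`; and the text says "Before replacing the current ones" but never states the step of moving `tmp/certs/*` and the encrypted `tmp/private/*` into the repository's `certs/` and `private/` directories before the deploy playbooks are run, so a reader following the instructions literally would redeploy the old certificates. Adding that copy step, and a reminder to commit only the vault-encrypted key files, would close the gap.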