author | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2017-03-17 16:54:32 +0000 |
---|---|---|
committer | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2017-03-17 16:59:41 +0000 |
commit | 82f6338f83ec0a8d61d9d8d38b0e21ffc8ebfdda (patch) | |
tree | 64481c1da89d1e03bd4023e43751e730971744bd | |
parent | 9e886d8e7f227e460c639eb8b5ce2ed2ba5b0647 (diff) | |
download | infrastructure-82f6338f83ec0a8d61d9d8d38b0e21ffc8ebfdda.tar.gz |
Add notes for SSL certs generation and setup
-rw-r--r-- | README.mdwn | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/README.mdwn b/README.mdwn index 65a0a7ad..b597274d 100644 --- a/README.mdwn +++ b/README.mdwn 
@@ -795,3 +795,100 @@ necessary. ssh ubuntu@storyboard.baserock.org storyboard-db-manage load_projects projects.yaml 3. Submit a patch for infrastructure.git with your changes, and submit to Gerrit. + +SSL certificates +================ + +The certificates used for our infrastructure are provided for free +by Let's Encrypt. These certificates expire every 3 months. Here we +will explain how to renew the certificates, and how to deploy them. + +Generation of certificates +-------------------------- + +> Note: This should be automated in the next upgrade. The instructions +> sound like a lot of effort + +To generate the SSL certs, first you need to clone the following repository: + + git clone https://github.com/lukas2511/letsencrypt.sh.git + +The version used the first time was `0.4.0` with sha `116386486b3749e4c5e1b4da35904f30f8b2749b`, +(just in case future releases break these instructions) + +Now inside of the repo, create a `domains.txt` file with the information +of the subdomains: + + cd letsencrypt.sh + cat >domains.txt <<'EOF' + baserock.org + irclogs.baserock.org download.baserock.org openid.baserock.org gerrit.baserock.org paste.baserock.org + storyboard.baserock.org + git.baserock.org + spec.baserock.org docs.baserock.org + EOF + +Create a `dnsapi.config.txt` with the contents of `private/dnsapi.config.txt` +decrypted. To show the contents of this file, run the following in a +`infrastructure.git` repo checkout. + + ansible-vault view private/dnsapi.config.txt + + +Now, to generate the certs, run: + + ./dehydrated -c + + +In the `certs` folder you will have all the certificates generated. 
To construct the +certificates that are present in `certs` and `private` you will have to: + + cd certs + mkdir -p tmp/private tmp/certs + + # Create some full certs including key for some services that need it this way + cat git.baserock.org/cert.csr git.baserock.org/cert.pem chain.pem git.baserock.org/privkey.pem > tmp/private/git-with-key.pem + cat irclogs.baserock.org/cert.csr irclogs.baserock.org/cert.pem irclogs.baserock.org/chain.pem irclogs.baserock.org/privkey.pem > tmp/private/frontend-with-key.pem + + # Copy key files + cp git.baserock.org/privkey.pem tmp/private/git.pem + cp irclogs.baserock.org/privkey.pem tmp/private/frontend.pem + cp storyboard.baserock.org/privkey.pem tmp/private/storyboard.pem + + # Create full certs without keys + cat git.baserock.org/cert.csr git.baserock.org/cert.pem chain.pem > tmp/certs/git.pem + cat irclogs.baserock.org/cert.csr irclogs.baserock.org/cert.pem irclogs.baserock.org/chain.pem > tmp/certs/frontend.pem + cat storyboard.baserock.org/cert.csr storyboard.baserock.org/cert.pem storyboard.baserock.org/chain.pem > tmp/certs/storyboard.pem + +Before replacing the current ones, make sure you **encrypt** the ones that contain +keys (located in `private` folder): + + ansible-vault encrypt tmp/private/* + + +Deploy certificates +------------------- + + +For `git.baserock.org` just run: + + ansible-playbook -i hosts baserock_trove/configure-trove.yml + +This script will copy the certificates to the Trove and run the scripts +that will configure them. + + +For the frontend, run: + + ansible-playbook -i hosts baserock_frontend/instance-config.yml + ansible -i hosts -m service -a 'name=haproxy enabled=true state=restarted' --sudo frontend-haproxy + +Which will install the certificates and then restart the services needed. + + +For StoryBoard, run: + + ansible-playbook -i hosts baserock_storyboard/instance-storyboard-config.yml + +This script will trigger a full deployment. 
It will take a bit longer than the +others, but will do the job. |
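Review bot: The bundle-assembly block under "To construct the certificates" uses two different chain paths: both `git.baserock.org` lines read a top-level `chain.pem`, while the irclogs and storyboard lines read `<domain>/chain.pem`. dehydrated writes the chain per domain under `certs/<domain>/`, so the git lines as written fail with a missing file (or silently pick up whatever stray `chain.pem` sits in `certs/`). Use `git.baserock.org/chain.pem` there, or replace `cat <domain>/cert.pem <domain>/chain.pem` with the `<domain>/fullchain.pem` that dehydrated already emits. Prepending `cert.csr` to every bundle is also a mistake: the CSR is not part of the served chain, and PEM loaders that expect the first block to be the leaf certificate will reject the file, so drop it from all six `cat` lines. On the secrets side, the steps leave the decrypted `dnsapi.config.txt` and the plaintext `certs/*/privkey.pem` files in the clone after `ansible-vault encrypt tmp/private/*` has protected only the copies; add a cleanup step (for example `shred -u dnsapi.config.txt certs/*/privkey.pem`) so the DNS API credentials and private keys do not outlive the renewal. Two documentation points: the clone URL names `letsencrypt.sh` but the command run is `./dehydrated`, so state that the project was renamed; and say that the first name on a `domains.txt` line becomes the certificate's directory name, which is why the frontend certificate for the five front-end hostnames is found under `irclogs.baserock.org/`.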