| field | value | date |
|---|---|---|
| author | Pedro Alvarez Piedehierro <palvarez89@gmail.com> | 2017-05-20 13:49:58 +0100 |
| committer | Pedro Alvarez Piedehierro <palvarez89@gmail.com> | 2017-05-20 13:49:58 +0100 |
| commit | fb589dbd3b98e73e880377624ffe7b594db9c5c4 (patch) | |
| tree | 667681ef6c81cb8b6623fb6a6dcba364f5ba5cfa | |
| parent | a659c0dfbd7300b735f6d356a84ccef409e13121 (diff) | |
| download | infrastructure-fb589dbd3b98e73e880377624ffe7b594db9c5c4.tar.gz | |
Fixes for SSL keys generation/deployment
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | README.mdwn | 20 |
| -rw-r--r-- | baserock_gerrit/instance-ca-certificate-config.yml | 1 |

2 files changed, 19 insertions, 2 deletions
diff --git a/README.mdwn b/README.mdwn index 7285511d..d4ae09b6 100644 --- a/README.mdwn +++ b/README.mdwn @@ -809,9 +809,10 @@ Generation of certificates > Note: This should be automated in the next upgrade. The instructions > sound like a lot of effort -To generate the SSL certs, first you need to clone the following repository: +To generate the SSL certs, first you need to clone the following repositories: git clone https://github.com/lukas2511/letsencrypt.sh.git + git clone https://github.com/mythic-beasts/letsencrypt-mythic-dns01.git The version used the first time was `0.4.0` with sha `116386486b3749e4c5e1b4da35904f30f8b2749b`, (just in case future releases break these instructions) @@ -827,6 +828,14 @@ of the subdomains: git.baserock.org EOF +And the `config` file needed: + + cat >config <<'EOF' + CONTACT_EMAIL="admin@baserock.org" + HOOK="../letsencrypt-mythic-dns01/letsencrypt-mythic-dns01.sh" + CHALLENGETYPE="dns-01" + EOF + Create a `dnsapi.config.txt` with the contents of `private/dnsapi.config.txt` decrypted. To show the contents of this file, run the following in a `infrastructure.git` repo checkout. @@ -838,6 +847,8 @@ Now, to generate the certs, run: ./dehydrated -c +> If this is the first time, you will get asked to run +> `./dehydrated --register --accept-terms` In the `certs` folder you will have all the certificates generated. To construct the certificates that are present in `certs` and `private` you will have to: 
@@ -846,7 +857,7 @@ certificates that are present in `certs` and `private` you will have to: mkdir -p tmp/private tmp/certs # Create some full certs including key for some services that need it this way - cat git.baserock.org/cert.csr git.baserock.org/cert.pem chain.pem git.baserock.org/privkey.pem > tmp/private/git-with-key.pem + cat git.baserock.org/cert.csr git.baserock.org/cert.pem git.baserock.org/chain.pem git.baserock.org/privkey.pem > tmp/private/git-with-key.pem cat irclogs.baserock.org/cert.csr irclogs.baserock.org/cert.pem irclogs.baserock.org/chain.pem irclogs.baserock.org/privkey.pem > tmp/private/frontend-with-key.pem # Copy key files @@ -876,6 +887,11 @@ keys (located in `private` folder): ansible-vault encrypt tmp/private/* +And copy them to the repo: + + cp tmp/certs/* ../../certs/ + cp tmp/private/* ../../private/ + Deploy certificates ------------------- diff --git a/baserock_gerrit/instance-ca-certificate-config.yml b/baserock_gerrit/instance-ca-certificate-config.yml index afc08fa3..60ab9e8f 100644 --- a/baserock_gerrit/instance-ca-certificate-config.yml +++ b/baserock_gerrit/instance-ca-certificate-config.yml @@ -22,6 +22,7 @@ - name: install SSL certificate into Java certificate keystore java_cert: + cert_alias: baserock-frontent-cert cert_path: /home/gerrit/frontend.pem keystore_path: "{{ JRE_DIR }}/jre/lib/security/cacerts" executable: "{{ JRE_DIR }}/jre/bin/keytool" |
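Review bot: In the first README hunk (`@@ -809`), the newly added `letsencrypt-mythic-dns01` clone is not pinned, while the paragraph right below still records only the `letsencrypt.sh` version `0.4.0` and its sha "just in case future releases break these instructions". The hook script is what receives the DNS API credentials from `dnsapi.config.txt`, so record the commit of that repository next to the existing pin as well, for the same reason.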
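Review bot: In the `@@ -827` hunk, `HOOK="../letsencrypt-mythic-dns01/letsencrypt-mythic-dns01.sh"` is a relative path, so the instructions only work if both repositories are cloned side by side and `./dehydrated -c` is run from inside the `letsencrypt.sh` checkout; say so next to the two `git clone` lines. The same hunk's context also tells the reader to create a decrypted `dnsapi.config.txt` in the checkout, but nothing in the README removes that plaintext credential file once the certificates are generated; add a cleanup step (for example `rm dnsapi.config.txt` after the copy step) so the DNS API credentials do not stay on disk unencrypted.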
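Review bot: The `@@ -846` hunk correctly changes `chain.pem` to `git.baserock.org/chain.pem`, matching the `irclogs.baserock.org` line that already used the per-domain path. While touching this line, note that `git.baserock.org/cert.csr` is still concatenated into `tmp/private/git-with-key.pem`; the CSR serves no purpose in a combined certificate-plus-key bundle and can be dropped from both `cat` lines to keep the deployed PEM to the certificate, chain and key.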
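Review bot: In the `@@ -876` hunk, the added `cp tmp/certs/* ../../certs/` and `cp tmp/private/* ../../private/` lines assume the `letsencrypt.sh` checkout lives two directories below the `infrastructure.git` checkout, which the README never states. The ordering is right (the copy comes after `ansible-vault encrypt tmp/private/*`, so only vaulted private files reach the repo), but spell out the expected directory layout, or have the reader set a variable for the infrastructure checkout path so a wrong `../../` does not silently copy vaulted and unvaulted files elsewhere.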
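Review bot: In the `instance-ca-certificate-config.yml` hunk, the added `cert_alias: baserock-frontent-cert` misspells "frontend". Since the alias is the name under which `keytool` stores and later looks up the entry in `cacerts`, fix it to `baserock-frontend-cert` before this is deployed; renaming afterwards means removing and re-importing the keystore entry on every Gerrit instance.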