crypto:letsencrypt

Differences

This shows you the differences between two versions of the page.

crypto:letsencrypt [2019-02-18 00:58] – wording gabrielcrypto:letsencrypt [2019-05-21 22:00] – note re: badphotography.ca gabriel
Line 3: Line 3:
 We're currently using Let's Encrypt to generate and manage TLS certificates for quay.net and several other domains. We're currently using Let's Encrypt to generate and manage TLS certificates for quay.net and several other domains.
  
-Now that Let's Encrypt supports wildcard certs, our cert has been modified accordingly.  Currently quay.net is hosted on Amazon's EC2 and uses the AWS Route 53 service for public DNS on the Internet.  Ideally we'd be using the [[https://github.com/certbot/certbot/tree/master/certbot-dns-route53|certbot-dns-route53]] plugin, however it is not available in the OS distribution of certbot in Debian 9 and installing and running it from source is a dependency nightmare.+Now that Let's Encrypt supports wildcard certs, our cert has been modified accordingly.  Currently quay.net is hosted on Amazon's EC2 and uses the AWS Route 53 service for public DNS on the Internet.  Ideally we'd be using the [[https://github.com/certbot/certbot/tree/master/certbot-dns-route53|certbot-dns-route53]] plugin, however it is not available in the OS distribution of certbot in Debian 9 and installing and running it from source is a dependency nightmare that isn't worth the effort for such a simple use case.
  
 Thus, we'll use the manual process for generating and managing our certificates.  Let's get to it! Thus, we'll use the manual process for generating and managing our certificates.  Let's get to it!
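Review bot: the clause added at the end of the second paragraph ("a dependency nightmare that isn't worth the effort for such a simple use case") records a conclusion but not what was tried, so the next person has nothing to re-check when the Debian 9 certbot package eventually ships the plugin. Suggest one sentence naming what failed when installing certbot-dns-route53 from source (which dependency or which certbot version did not match), or a dated "checked on ..." marker, so the decision to stay on the manual process can be revisited without repeating the experiment.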
Line 24: Line 24:
  
 <code sh> <code sh>
-quay.net *.quay.net gabriel.to *.gabriel.to gabrielobrien.ca *.gabrielobrien.ca k538.ca *.k538.ca unx.is *.unx.is+quay.net *.quay.net gabriel.to *.gabriel.to gabrielobrien.ca *.gabrielobrien.ca k538.ca *.k538.ca unx.is *.unx.is badphoto.ca *.badphoto.ca badphotography.ca *.badphotography.ca
 </code> </code>
  
 If all goes well, you will now be prompted to update a DNS TXT record for each domain as well as a file on the local webserver to allow the ACME service to validate that you actually control the domain(s) in question. If all goes well, you will now be prompted to update a DNS TXT record for each domain as well as a file on the local webserver to allow the ACME service to validate that you actually control the domain(s) in question.
 +
 +On our server we use an nginx configuration file that can be enabled or disabled to turn on shared challenge files during certificate renewal.
 +
 +<code>
 +# USAGE: enable this configuration for Route 53 validation for Let's Encrypt
 +location /.well-known/acme-challenge {
 +       alias /path/to/shared/acme-challenges;
 +       autoindex off;
 +}
 +</code>
 +
 +> **Note:** locally we have to manage some custom config for [[https://badphotography.ca|badphotography.ca]].
  
 The instructions are provided at each step and are fairly simple.  The prompt will look something like this for the DNS records: The instructions are provided at each step and are fairly simple.  The prompt will look something like this for the DNS records:
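Review bot: the comment on the added nginx block ("enable this configuration for Route 53 validation for Let's Encrypt") is misleading: a `location /.well-known/acme-challenge` alias serves HTTP-01 challenge files from the webserver, which has nothing to do with Route 53, and the wildcard names added to the domain list in this same hunk (`*.quay.net`, `*.badphoto.ca`, ...) can only be validated through the DNS TXT records the prose mentions. Suggest rewording the comment to something like `# USAGE: enable during renewal to serve HTTP-01 challenge files from the shared directory`, and either replacing `/path/to/shared/acme-challenges` with the real path or stating explicitly that it is a placeholder. The added note on badphotography.ca should also say what the custom config is; "some custom config" gives the next person no way to reproduce it.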
Line 70: Line 82:
  
 It's a good idea to clean up these records now to avoid a potential backdoor that might allow somebody to take over your certificate and/or webserver.  You only need to do this every 90 days, and eventually the route53 package will be properly integrated in Debian 9. It's a good idea to clean up these records now to avoid a potential backdoor that might allow somebody to take over your certificate and/or webserver.  You only need to do this every 90 days, and eventually the route53 package will be properly integrated in Debian 9.
- 
-On our webserver this can be done by running the ''clean-acme-challenge.sh''. 
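Review bot: removing the line "On our webserver this can be done by running the ''clean-acme-challenge.sh''." leaves the preceding paragraph telling the reader to clean up the records without saying how or where. If the script no longer exists, replace the removed line with the actual steps (delete the `_acme-challenge` TXT records in Route 53 and remove the token files from the shared challenge directory); if it still exists, keep the pointer and add its path so the instruction is actionable.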
crypto/letsencrypt.txt · Last modified: 2019-10-16 13:03 by gabriel