Opened 3 years ago

Closed 3 years ago

Last modified 2 years ago

#7 closed enhancement (fixed)

Reported by: mbooth Owned by: somebody
Priority: critical Milestone: Ansible Migration Leftovers
Component: infrastructure Keywords:


Our wildcard SSL cert expires on the 21st July 2018.

Let's use next weekend (21st July) to see if we can't automate provision of SSL certs.

In the worst case, we can just pay for another year, but y'know. Monies.

Change History (6)

comment:1 Changed 3 years ago by mbooth

Milestone: Ansible Migration Leftovers

comment:2 Changed 3 years ago by mbooth

Component: misc → infrastructure

comment:3 Changed 3 years ago by graphiclunarkid

Wildcard domains must be validated using the LetsEncrypt DNS-01 challenge type. This means that we'd need to modify DNS TXT records every 90 days in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate. Unfortunately I don't think our domain registrar, Namecheap, exposes an API endpoint that allows us to automate setting TXT records on our domain.

I believe the switch to Ansible has caused us to stop supporting the thing for which we needed a wildcard certificate though. So we could stick with a certificate that lists all our established subdomains statically instead. Renewal can then be automated using a challenge over HTTP.

comment:4 Changed 3 years ago by caolan

After the hack day today we now have LetsEncrypt certificates for all our services. It's using certbot for automatic renewal.

The dance to get certs onto the box and have apache configured and running for LetsEncrypt webroot validation, while still working for development VMs is quite complicated and we should probably look into improving our ansible files at some point.

comment:5 Changed 3 years ago by mbooth

We plumped for regular certs, one per domain, instead of a single wildcard cert. We used the "host a token in the apache webroot" challenge method, which seems to work great for our simple use-cases.

When the static pages start working again, we can just requisition new certs on the fly using this method too, which should also work great.

As always, the commit log reveals our super professional hacking, but I think this is the cumulative diff of the day's efforts:

We spent a lot of time debugging the invalid state we got the apache config in after a few initial abortive attempts to provision the certs (we even hit the letsencrypt auth request rate-limit at one point), but it looks like it's working now -- thanks Caolan for making time to try it again one last time when you got home.

Closing this for now -- thanks all!

Last edited 2 years ago by mbooth
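As an added example (not code from this ticket, nor from the project's ansible files), the following Python walks through the mechanics behind comment 3's "challenge over HTTP" and comment 5's "host a token in the apache webroot": the ACME key authorization that the challenge file must contain (RFC 8555 §8.1), the CA-side comparison that fails when a stale file from an earlier attempt is left behind, the DNS-01 TXT value that shows why a wildcard needs a DNS API the registrar does not offer, and the certbot webroot command for one certificate that lists every subdomain statically. The account key, token, domains and paths are constructed for illustration; the `certbot certonly --webroot -w ... -d ... --staging` flags are real certbot options.

```python
import base64
import hashlib
import json
import os
import re
import tempfile

# Constructed sample account key (public JWK members only). A real certbot
# account key is a 2048-bit RSA or P-256 key; these short values only feed the hash.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
# Constructed token in the base64url shape ACME servers issue.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def is_safe_token(token):
    """A token becomes part of a file path, so accept only the base64url alphabet."""
    return bool(_TOKEN_RE.match(token))


def b64url(data):
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token, jwk):
    """Content of the HTTP-01 challenge file: token '.' account-key thumbprint."""
    return "%s.%s" % (token, jwk_thumbprint(jwk))


def dns01_txt_value(token, jwk):
    """DNS-01 instead needs this value in a TXT record at _acme-challenge.<domain>,
    which is why a wildcard cert requires automated DNS edits every renewal."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def publish_challenge(webroot, token, jwk):
    """Write the key authorization under /.well-known/acme-challenge/<token>,
    the path certbot's webroot plugin serves from the directory given to -w."""
    if not is_safe_token(token):
        raise ValueError("token is not base64url")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def validate_like_ca(webroot, token, jwk):
    """The CA's side of HTTP-01: read the file for this token and compare it to the
    expected key authorization. A file left by an earlier attempt with a different
    account key, or no file at all, fails here."""
    if not is_safe_token(token):
        raise ValueError("token is not base64url")
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    try:
        with open(path, "r", encoding="ascii") as fh:
            return fh.read().strip() == key_authorization(token, jwk)
    except OSError:
        return False


def certbot_webroot_command(webroot, domains, staging=False):
    """One SAN certificate naming each subdomain statically (comment 3's proposal).
    --staging rehearses against the test CA so repeated failures do not consume
    the production rate limit mentioned in comment 5."""
    cmd = ["certbot", "certonly", "--webroot", "-w", webroot]
    for domain in domains:
        cmd += ["-d", domain]
    if staging:
        cmd.append("--staging")
    return cmd


def demo():
    """Run the publish/validate exchange in a temporary webroot and report outcomes."""
    with tempfile.TemporaryDirectory() as webroot:
        publish_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        fresh = validate_like_ca(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        other_key = dict(SAMPLE_JWK, n="constructed-different-account-key")
        stale_key = validate_like_ca(webroot, SAMPLE_TOKEN, other_key)
        missing = validate_like_ca(webroot, "no-such-token", SAMPLE_JWK)
    return {"fresh": fresh, "stale_key": stale_key, "missing": missing}


if __name__ == "__main__":
    print(demo())
    print(" ".join(certbot_webroot_command("/var/www/acme",
                                           ["example.org", "trac.example.org"], staging=True)))
```

The practical consequence for the Apache side is that every vhost, including the ones on development VMs, can alias /.well-known/acme-challenge/ to the same directory given to -w; the challenge file then resolves regardless of which site the hostname lands on, and the rest of the vhost config is untouched.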

comment:6 Changed 3 years ago by mbooth

Resolution: fixed
Status: new → closed