Task #11831
closed
Explore new letsencrypt clients to add wildcard certificates support
100%
Description
wildcard certificates would be very useful on the load balancers: they overcome the certificates number limit, and we do not have to move certificates around anymore.
Updated by Andrea Dell'Amico about 7 years ago
Unfortunately our client of choice https://github.com/hlandau/acme does not support the ACME v2 APIs yet, so we have to try a different client.
Updated by Andrea Dell'Amico about 7 years ago
- Blocks Task #11825: Setup New gateway performfish.d4science.net added
Updated by Andrea Dell'Amico about 7 years ago
A good candidate: https://github.com/Neilpang/acme.sh
It also has support for the powerdns APIs.
Updated by Massimiliano Assante about 7 years ago
- Priority changed from Normal to High
raising the priority as we would need to deliver a new gateway by the end of June (https://performfish.d4science.org)
Updated by Andrea Dell'Amico about 7 years ago
It seems that we can exploit a feature that does not force us to move the d4science.org domain before starting the automation of the wildcard certificates emission: https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
Updated by Andrea Dell'Amico about 7 years ago
I'll try to use _acme-challenge.d4science.org as CNAME of _acme-challenge.d4science.net.
Updated by Andrea Dell'Amico about 7 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 20
I tested the procedure on preprod1.d4science.org. Our DNS configuration is working, and I've found the correct workflow to request a certificate using the DNS API and even using d4science.net as proxy to obtain a certificate for the d4science.org domain.
I was not able to get the certificate because we are currently over quota, I'll try again in the next days. When I succeed, I'll move the certificate into the infra production load balancers.
The installation has been done manually, I'll produce an ansible role later.
Updated by Massimiliano Assante about 7 years ago
Any news on this? We would need to go LIVE soon with https://performfish.d4science.org
Updated by Massimiliano Assante about 7 years ago
- Blocks deleted (Task #11825: Setup New gateway performfish.d4science.net)
Updated by Andrea Dell'Amico about 7 years ago
- Blocked by Task #12173: Suspend all the letsencrypt certificates renewals for 15 days added
Updated by Andrea Dell'Amico about 7 years ago
- % Done changed from 20 to 40
We have a wildcard certificate, at last
Updated by Andrea Dell'Amico about 7 years ago
- Blocks Task #12241: Setup New gateway open-science.it added
Updated by Andrea Dell'Amico almost 7 years ago
- % Done changed from 40 to 60
I have the scripting mostly done. It's ugly because all the parameters must be passed on the command line and some operations must be executed as root.
The last part to deal with is the cron job for the renewal.
Updated by Andrea Dell'Amico almost 7 years ago
- Status changed from In Progress to Closed
- % Done changed from 60 to 100
The playbook works correctly and I adjusted the haproxy setup so that it works correctly with either of the two letsencrypt clients.
Both the dev and pre infra gateways are now served by wildcard certificates that cover both d4science.org and d4science.net. In the following days I'm going to reconfigure all the other load balancers. There's a small problem with the production infra, I'm going to write about it separately as the question is not (only) technical.
Updated by Andrea Dell'Amico almost 7 years ago
All the load balancers are now using the wildcard certificates.
Important note for the subdomains: every subdomain, if not directly managed (d4science.org mainly), needs a DNS entry like
_acme-challenge.garr.d4science.org CNAME _acme-challenge.d4science.net
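A pre-flight helper for the DNS alias setup described in this thread (the _acme-challenge CNAME from each non-managed subdomain to _acme-challenge.d4science.net, and the acme.sh issue command using --challenge-alias), added here as an example: it is not the playbook or scripting from the issue and not part of acme.sh. It assumes the zone reachable through the DNS API is d4science.net (ALIAS_ZONE), acme.sh's dns_pdns provider (its PDNS_* environment variables must already be exported), that dig is installed, and that acme.sh accepts a --challenge-alias after each -d it applies to, as the DNS alias mode wiki describes. It goes slightly beyond the note above by deciding per domain whether an alias is needed at all: names inside the managed zone get their TXT record written directly and need no CNAME.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for acme.sh DNS alias mode.
# Assumptions: the DNS API controls ALIAS_ZONE, acme.sh's dns_pdns provider is
# used, and `dig` is available for the live CNAME lookup.
set -u

ALIAS_ZONE="${ALIAS_ZONE:-d4science.net}"

# Name Let's Encrypt queries for the dns-01 challenge of a domain.
challenge_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# A domain is "directly managed" when it sits inside the zone the DNS API
# controls; those need no CNAME because the TXT record is written in place.
# Returns 0 when the domain needs the alias CNAME, 1 when it does not.
needs_alias() {
    case "$1" in
        "$ALIAS_ZONE"|*."$ALIAS_ZONE") return 1 ;;
        *) return 0 ;;
    esac
}

# Live CNAME lookup (trailing dot stripped). Redefine this function to
# test offline with canned answers.
resolve_cname() {
    dig +short CNAME "$1" 2>/dev/null | sed 's/\.$//'
}

# Print the zone-file style record a non-managed domain needs, nothing otherwise.
required_cname() {
    if needs_alias "$1"; then
        printf '%s CNAME %s\n' "$(challenge_name "$1")" "$(challenge_name "$ALIAS_ZONE")"
    fi
}

# Succeeds when the alias CNAME is in place or is not needed at all.
check_alias() {
    local domain="$1" want got
    needs_alias "$domain" || return 0
    want="$(challenge_name "$ALIAS_ZONE")"
    got="$(resolve_cname "$(challenge_name "$domain")")"
    [ "$got" = "$want" ]
}

# Build one acme.sh command covering apex + wildcard for every domain given,
# attaching --challenge-alias only to the names that live outside ALIAS_ZONE
# (assumed per-`-d` pairing of --challenge-alias, as in the acme.sh wiki).
build_issue_cmd() {
    local cmd="acme.sh --issue --dns dns_pdns" d name
    for d in "$@"; do
        for name in "$d" "*.$d"; do
            cmd="$cmd -d $name"
            if needs_alias "$d"; then
                cmd="$cmd --challenge-alias $ALIAS_ZONE"
            fi
        done
    done
    printf '%s\n' "$cmd"
}

# Usage: ./acme-preflight.sh d4science.net d4science.org
# Prints the CNAMEs to create, warns about missing ones, then prints the command.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        required_cname "$d"
        check_alias "$d" || echo "missing CNAME for $(challenge_name "$d")" >&2
    done
    build_issue_cmd "$@"
fi
```

Run it with the domains the certificate should cover; the command it prints is meant to be reviewed, then pasted into the cron or playbook step that calls acme.sh, so the CNAME check runs before a renewal rather than failing it.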