Task #3164
closed
Investigate the procedures needed to obtain valid X.509 TLS certificates from letsencrypt
100%
Description
Letsencrypt, https://letsencrypt.org, is an initiative whose goal is to provide free and valid SSL certificates for everyone (valid meaning that browsers trust them).
The letsencrypt tools make it possible to automate certificate requests, delivery and renewal (certificates need to be renewed often, because their validity is set to 90 days).
Related issues
Updated by Andrea Dell'Amico about 9 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 40
We have a preliminary playbook that installs the tools and requests a certificate (with the machine hostname, if something different isn't specified).
Only the manual mode is supported right now.
Updated by Andrea Dell'Amico about 9 years ago
- % Done changed from 40 to 80
We now have a script to request/renew the certificate, and a cron job that starts the renewal procedure if the certificate is going to expire within 7 days.
The last bits are specific scripts with the action to perform after a renewal (a service restart, for example; haproxy needs the certificate in one single file, so the script needs to do that too).
Updated by Andrea Dell'Amico about 9 years ago
- Status changed from In Progress to Feedback
- % Done changed from 80 to 100
Updated by Andrea Dell'Amico about 9 years ago
- Related to Task #3257: Create a letsencrypt callback for each service that will serve letsencrypt certificates added
Updated by Andrea Dell'Amico about 9 years ago
- Status changed from Feedback to In Progress
There are less intrusive clients that possibly do not need to run as root. I'm going to try this one: https://github.com/hlandau/acme
Updated by Andrea Dell'Amico about 9 years ago
- % Done changed from 100 to 70
I successfully tested a manual installation on redmine-d.d4science.org. Now trying via provisioning on ldap-liferay-d.d4science.org to try the listener mode, where the command directly listens on the http port.
Updated by Andrea Dell'Amico about 9 years ago
And it works. So we can convert to ssl with valid certificates almost all our services.
Updated by Andrea Dell'Amico about 9 years ago
- Status changed from In Progress to Closed
- % Done changed from 70 to 100
Closing this one. letsencrypt is a viable solution; the related task is tracking the progress on the services' configurations.
Updated by Andrea Dell'Amico about 9 years ago
I also put in place some ansible tasks to create a self-signed certificate before the first execution of a letsencrypt request, so that the services can be directly installed with ssl enabled.
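Added example (not the project's playbook and not the author's scripts) of the three pieces the updates above describe: the cron-driven check that triggers a renewal only when the certificate expires within 7 days, the single-file bundle haproxy needs (full chain followed by the private key), and the self-signed placeholder certificate created before the first letsencrypt request so services can start with TLS enabled. It relies on the openssl CLI only. File paths, the hostname, the per-service hook and the renewal command (assumed to be `acmetool reconcile` from the hlandau/acme client mentioned above) are assumptions.

```shell
#!/bin/sh
# Renewal helpers built around the openssl CLI. Assumed layout:
#   $CERT   full chain served by haproxy/apache/nginx
#   $KEY    matching private key
#   $BUNDLE single-file cert+key that haproxy reads
set -eu

RENEW_DAYS="${RENEW_DAYS:-7}"                       # renew this many days before expiry
RENEW_CMD="${RENEW_CMD:-acmetool reconcile}"        # assumed ACME client renew command

# Exit 0 when the certificate expires within RENEW_DAYS days, 1 otherwise.
# `openssl x509 -checkend N` succeeds only if the cert is still valid N seconds from now.
cert_needs_renewal() {
    cert="$1"
    if openssl x509 -in "$cert" -noout -checkend $((RENEW_DAYS * 86400)); then
        return 1
    fi
    return 0
}

# haproxy wants the chain and the key in one file; the file holds private key
# material, so it is created with mode 600 (umask in a subshell, not globally).
make_haproxy_bundle() {
    fullchain="$1"; key="$2"; out="$3"
    ( umask 077; cat "$fullchain" "$key" > "$out" )
}

# Temporary self-signed certificate so a service can be installed with TLS on
# before the first ACME request has succeeded. Hostname and lifetime are assumptions.
make_selfsigned() {
    host="$1"; days="$2"; key="$3"; cert="$4"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$cert" -days "$days" -subj "/CN=$host" 2>/dev/null
}

# Cron entry point: renew only when needed, rebuild the haproxy bundle and run the
# per-service post-renewal hook (e.g. a reload script). $RENEW_CMD is word-split
# on purpose so "acmetool reconcile" runs as a command with an argument.
renew_if_needed() {
    cert="$1"; key="$2"; bundle="$3"; hook="$4"
    if cert_needs_renewal "$cert"; then
        $RENEW_CMD
        make_haproxy_bundle "$cert" "$key" "$bundle"
        "$hook"
    fi
}
```

Source this file from the daily cron job and call `renew_if_needed /etc/ssl/host/fullchain.pem /etc/ssl/host/privkey.pem /etc/haproxy/certs/host.pem /usr/local/bin/reload-haproxy` (paths assumed); with the check in place the ACME client is only contacted in the last week of validity, and a failed renewal still leaves the old bundle in place.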