TP Delivery Service Generate SSL update, new letsencrypt generate and renew API endpoints #3534
Can one of the admins verify this patch?
I'm also working (still) on the x509 validation TO code/architecture of imported certificates. We have decided to shift to an architecture that requires the full cert chain in Traffic Vault so that certificates can be validated fully without having to rely on an external CA trust store and whether or not they are the same on multiple TO hosts. How are you storing the certificate in Traffic Vault once received? Can you possibly store and/or add the option to store the full cert chain in Traffic Vault? The format should be in reverse order: server-cert, intermediate-CA-N, ..., intermediate-CA-2, intermediate-CA-1, CA-Root. Thoughts?
Refer to this link for build results (access rights to CI server needed):
Can you rebase this on the new SMTP configuration stuff that's in master?
retest this please
…ving "Not Assigned" as auth type
Got some unit test failures
traffic_ops/traffic_ops_golang/deliveryservice/autorenewcerts.go
Looks good, LE support works, supporting scripts work, unit and integration tests show that existing functionality isn't broken (ran all Go unit tests, TO Go client/API integration tests and TR unit tests), and docs look complete, thorough and compile without warnings or errors.
.. code-block:: http
   :caption: Request Example

   GET /api/1.4/letsencrypt/dnsrecord?fqdn=_acme-challenge.demo1.example.com. HTTP/1.1
@mattjackson220 This should be letsencrypt/dnsrecords
What does this PR (Pull Request) do?
This PR integrates the use of Let's Encrypt (LE) as a free, automated certificate authority in order to generate signed certificates for delivery services. It updates Traffic Portal (TP) to include LE as an option when generating certificates and adds Traffic Ops (TO) endpoints in order to orchestrate the certificate generation. TO will call LE to get a token, then place that token in the TO database. Traffic Router (TR) has been updated to watch the new table in the TO database, and when an update is seen, place the token at the appropriate location (_acme-challenge.domain.com). LE will verify the token and provide the signed certificate to TO, which then saves the certificate and key into Traffic Vault.
It also sets up a cron job to automatically renew certificates as they near expiration, and sends a summary email if desired.
This PR is related to PR #1906 and is a potential solution.
Which Traffic Control components are affected by this PR?
What is the best way to verify this PR?
Testing this requires a publicly accessible domain, and access to a working SMTP server! To test, set up cdn.conf to contain the following options:
Note: setting renew_days_before_expiration to 100 will allow the autorenew testing to renew LE certificates during testing since LE certs expire every 90 days. This is normally set to 30 as the default. Also, setting environment to production will generate valid, signed certificates if desired.
Then, update TO, TP, and TR in an environment that is accessible to Let's Encrypt in order for it to complete the domain validation. Set up or find a delivery service for HTTPS, DNS with HTTPS, and steering with HTTPS.
For each variation:
To verify the auto-renewal script is working, update /etc/cron.d/autorenew_certs to run more frequently (currently set at every Sunday night) and replace
{ "base_url": "https://127.0.0.1" }
with
{ "base_url": "https://127.0.0.1", "user": "your TO user", "pass": "your TO password" }
Wait until the cron job is run again and verify that the LE certs you generated in the first tests were renewed. Verify that an email summary was sent to the email configured in the cdn.conf file, including all certificates that were renewed or any that will expire within the specified time.
The following criteria are ALL met by this PR
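As an added example (not code from this PR or from the Traffic Control project), the Go program below puts together two points raised in this thread: the earlier review comment asking for the full chain to be stored in Traffic Vault in the order server cert, intermediates, root CA, so that validation needs no external trust store and gives the same answer on every TO host, and the renew_days_before_expiration check from the testing notes. The hostname demo1.example.com is taken from the docs snippet above; the certificate chain itself is constructed inside the example, and the names VerifyBundle, SampleBundle and Verdict are assumptions, not TO API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict is what a Traffic Ops style check would record for one stored bundle.
type Verdict struct {
	DaysLeft   int  // whole days until the server certificate's NotAfter
	NeedsRenew bool // true when DaysLeft <= renew_days_before_expiration
}

// VerifyBundle parses a PEM bundle stored in the order the review comment asks
// for (server cert first, intermediates next, root CA last) and verifies the
// server cert against the CAs carried in the bundle alone, so the result is the
// same on every TO host regardless of its trust store. renewDays plays the role
// of renew_days_before_expiration from cdn.conf.
func VerifyBundle(bundle []byte, hostname string, now time.Time, renewDays int) (Verdict, error) {
	var certs []*x509.Certificate
	for rest := bundle; ; {
		block, more := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = more
		if block.Type != "CERTIFICATE" {
			continue // a private key or other PEM object is not part of the chain
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return Verdict{}, err
		}
		certs = append(certs, c)
	}
	n := len(certs)
	if n < 2 || certs[0].IsCA || !certs[n-1].IsCA || certs[n-1].CheckSignatureFrom(certs[n-1]) != nil {
		return Verdict{}, errors.New("bundle must be ordered server cert first, intermediates, then a self-signed root CA")
	}
	leaf, root := certs[0], certs[n-1]
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range certs[1 : n-1] {
		inters.AddCert(c)
	}
	// DNSName also catches a bundle that was stored under the wrong delivery service.
	opts := x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inters, CurrentTime: now}
	if _, err := leaf.Verify(opts); err != nil {
		return Verdict{}, err
	}
	days := int(leaf.NotAfter.Sub(now).Hours() / 24)
	return Verdict{DaysLeft: days, NeedsRenew: days <= renewDays}, nil
}

// The helpers below only manufacture a constructed chain for this example; in
// the real flow the certificates come from Let's Encrypt. sign issues tmpl under
// parent (the parent's template is enough to act as issuer) and returns PEM.
func sign(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func caTemplate(serial int64, cn string, notBefore time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// SampleBundle builds root CA -> intermediate CA -> 90-day server cert (the
// Let's Encrypt lifetime) for hostname and concatenates them server cert first.
func SampleBundle(hostname string, notBefore time.Time) []byte {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA", notBefore)
	interTmpl := caTemplate(2, "Example Intermediate CA", notBefore)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname},
		NotBefore: notBefore, NotAfter: notBefore.Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	bundle := sign(leafTmpl, interTmpl, leafKey, interKey)
	bundle = append(bundle, sign(interTmpl, rootTmpl, interKey, rootKey)...)
	return append(bundle, sign(rootTmpl, rootTmpl, rootKey, rootKey)...)
}

func main() { // stand-alone demo: a chain issued "yesterday" checked with the default 30 days
	fmt.Println(VerifyBundle(SampleBundle("demo1.example.com", time.Now().Add(-24*time.Hour)), "demo1.example.com", time.Now(), 30))
}
```

Because the root pool is built from the last certificate in the bundle rather than from the host's CA store, a bundle that is out of order, missing its CAs, expired, or stored under the wrong hostname is rejected identically on every TO host; the same parse also yields the days-to-expiry figure the renewal cron job needs.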