
TP Delivery Service Generate SSL update, new letsencrypt generate and renew API endpoints #3534

Merged
merged 30 commits into from Feb 17, 2020

Conversation

mattjackson220

@mattjackson220 mattjackson220 commented Apr 29, 2019

What does this PR (Pull Request) do?

This PR integrates the use of Let's Encrypt (LE) as a free, automated certificate authority in order to generate signed certificates for delivery services. It updates Traffic Portal (TP) to include LE as an option when generating certificates and adds Traffic Ops (TO) endpoints in order to orchestrate the certificate generation. TO will call LE to get a token, then place that token in the TO database. Traffic Router (TR) has been updated to watch the new table in the TO database, and when an update is seen, place the token at the appropriate location (_acme-challenge.domain.com). LE will verify the token and provide the signed certificate to TO, which then saves the certificate and key into Traffic Vault.

It also sets up a cron job to automatically renew certificates as they near expiration, and send a summary email if desired.

This PR is related to PR #1906 and is a potential solution.

Which Traffic Control components are affected by this PR?

  • Documentation
  • Traffic Ops
  • Traffic Portal
  • Traffic Router

What is the best way to verify this PR?

Testing this requires a publicly accessible domain, and access to a working SMTP server! To test, set up cdn.conf to contain the following options:

"lets_encrypt" : {
	"send_expiration_email": true,
	"convert_self_signed": true,
	"renew_days_before_expiration": 100,
	"environment": "staging"
},
"smtp" : {
	"enabled" : true,
	"to_email" : "email to receive updates",
	"from_email" : "email to be shown as sender",
	"user" : "SMTP server username",
	"password" : "SMTP server password",
	"address" : "SMTP server location (localhost:25 for sendmail)"
}

Note: setting renew_days_before_expiration to 100 will allow the autorenew testing to renew LE certificates during testing since LE certs expire every 90 days. This is normally set to 30 as the default. Also, setting environment to production will generate valid, signed certificates if desired.

Then, update TO, TP, and TR in an environment that is accessible to Let's Encrypt in order for it to complete the domain validation. Set up or find a delivery service for HTTPS, DNS with HTTPS, and steering with HTTPS.
For each variation:

  • Go to More -> Manage SSL Keys -> More -> Generate SSL Keys and click on Use Let's Encrypt and verify the Common Name is what you want. Click Generate Keys With Lets Encrypt and then Yes on the pop up.
  • The call to LE has been made but will take a few minutes. Verify that a record has been added to /api/1.4/letsencrypt/dnsrecords and wait for updates in the Change Log.
  • Once a success message has been received, the certificates should show up under the Manage SSL Keys page.
  • Queue updates for the associated CDN in order to get the new certificates out to the caches.
  • Once the servers have been updated, verify that the new certificates are used at the HTTPS endpoint for the delivery service.
  • Repeat for other Delivery Service types

To verify the auto-renewal script is working, update /etc/cron.d/autorenew_certs to run more frequently (currently set at every Sunday night) and replace { "base_url": "https://127.0.0.1" } with { "base_url": "https://127.0.0.1", "user": "your TO user", "pass": "your TO password" }

Wait until the cron job is run again and verify that the LE certs you generated in the first tests were renewed. Verify that an email summary was sent to the email configured in the cdn.conf file, including all certificates that were renewed or any that will expire within the specified time.

The following criteria are ALL met by this PR

  • This PR includes tests OR I have explained why tests are unnecessary
  • This PR includes documentation OR I have explained why documentation is unnecessary
  • This PR includes an update to CHANGELOG.md OR such an update is not necessary
  • This PR includes any and all required license headers
  • This PR ensures that database migration sequence is correct OR this PR does not include a database migration
  • This PR DOES NOT FIX A SERIOUS SECURITY VULNERABILITY
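Worked example, added here and not code from this PR or from Traffic Control: the dns-01 derivation the description above depends on, in Go. Given the challenge token the CA hands back and the ACME account key, it computes the key authorization and the TXT value Traffic Router has to answer at _acme-challenge.<domain>, and the check the CA then runs against what it finds in DNS (RFC 8555 section 8.4, thumbprint per RFC 7638). The account key, the token and demo1.example.com are constructed inputs; the function names are this example's own, not Traffic Ops endpoints or library calls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// b64 is the unpadded base64url alphabet that JWK and ACME (RFC 8555) use throughout.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newAccountKey generates a throwaway P-256 ACME account key (constructed for this example).
func newAccountKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// jwkThumbprint computes the RFC 7638 thumbprint of an ACME account public key:
// SHA-256 over the canonical JSON of the key's required members in lexicographic
// order with no whitespace. RSA and ECDSA are the two account key types handled.
func jwkThumbprint(pub interface{}) (string, error) {
	var canonical []byte
	var err error
	switch k := pub.(type) {
	case *rsa.PublicKey:
		// Struct field order gives the required member order: "e" < "kty" < "n".
		canonical, err = json.Marshal(struct {
			E   string `json:"e"`
			Kty string `json:"kty"`
			N   string `json:"n"`
		}{b64(big.NewInt(int64(k.E)).Bytes()), "RSA", b64(k.N.Bytes())})
	case *ecdsa.PublicKey:
		// Coordinates are fixed-width big-endian, left-padded to the curve size.
		size := (k.Curve.Params().BitSize + 7) / 8
		canonical, err = json.Marshal(struct {
			Crv string `json:"crv"`
			Kty string `json:"kty"`
			X   string `json:"x"`
			Y   string `json:"y"`
		}{k.Curve.Params().Name, "EC", b64(k.X.FillBytes(make([]byte, size))), b64(k.Y.FillBytes(make([]byte, size)))})
	default:
		return "", fmt.Errorf("unsupported account key type %T", pub)
	}
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canonical)
	return b64(sum[:]), nil
}

// keyAuthorization is the ACME key authorization: token "." account key thumbprint.
func keyAuthorization(token, thumbprint string) string { return token + "." + thumbprint }

// dnsChallengeValue is the TXT record content for dns-01:
// base64url(SHA-256(key authorization)), always 43 characters.
func dnsChallengeValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64(sum[:])
}

// challengeRecordName is the owner name the TXT record must be served at. A
// wildcard identifier is validated at its base name, so a leading "*." is dropped.
func challengeRecordName(identifier string) string {
	name := strings.TrimSuffix(strings.TrimPrefix(strings.ToLower(identifier), "*."), ".")
	return "_acme-challenge." + name + "."
}

// verifyPublishedChallenge is the CA-side check: the TXT value found in DNS must
// equal the value derived from the token and the account key thumbprint.
func verifyPublishedChallenge(published, token, thumbprint string) bool {
	expected := dnsChallengeValue(keyAuthorization(token, thumbprint))
	return subtle.ConstantTimeCompare([]byte(published), []byte(expected)) == 1
}

func main() {
	accountKey, err := newAccountKey()
	if err != nil {
		panic(err)
	}
	thumb, err := jwkThumbprint(&accountKey.PublicKey)
	if err != nil {
		panic(err)
	}
	// Constructed token in the shape a challenge object carries: 43 base64url chars, 256 bits.
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	txt := dnsChallengeValue(keyAuthorization(token, thumb))
	fmt.Printf("%s 300 IN TXT %q\n", challengeRecordName("demo1.example.com"), txt)
	fmt.Println("CA check passes:", verifyPublishedChallenge(txt, token, thumb))
}
```

Two things worth checking against an implementation of the flow in the description: the value published by Traffic Router must be the hash of the key authorization, never the raw token (the token alone validates nothing), and it is bound to the account key that Traffic Ops holds, so rotating that key invalidates any challenge already in the DNS table.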

@asfgit

asfgit commented Apr 29, 2019

Can one of the admins verify this patch?

@mattjackson220 mattjackson220 changed the title TP Delivery Service Generate SSL update, new letsencrypt generate and… WIP - TP Delivery Service Generate SSL update, new letsencrypt generate and… May 2, 2019
@JBevillC

JBevillC commented May 21, 2019

I'm also working (still) on the x509 validation TO code/architecture of imported certificates. We have decided to shift to an architecture that requires the full cert chain in traffic vault so that certificates can be validated fully without having to rely on an external CA trust store and whether or not they are the same on multiple TO hosts.

How are you storing the certificate in Traffic Vault once received? Can you possibly store and/or add the option to store the full cert chain in traffic vault? The format should be in reverse order: server-cert, intermediate-CA-N, intermediate-CA 2, intermediate-CA-1, CA-Root

Thoughts?
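Added example, not code from this PR or from Traffic Control: a Go check that enforces the storage order proposed in the comment above (server-cert, intermediate-N ... intermediate-1, root) and validates the bundle using only the root it carries, so the result is the same on every TO host regardless of the local CA trust store. The chain it builds (Test Root, Test Intermediate, demo1.example.com) is constructed test data, and verifyStoredChain and the helper names are this example's own, not Traffic Ops or Traffic Vault functions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// verifyStoredChain validates a bundle stored as server-cert, intermediate-N ...
// intermediate-1, root. Each certificate must be issued by the one after it, the
// last one must be a self-signed root, and that root is the only trust anchor
// used; the system CA store is never consulted.
func verifyStoredChain(bundle []byte, hostname string, now time.Time) error {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("PEM block %d: %w", len(certs), err)
		}
		certs = append(certs, c)
	}
	if len(certs) < 2 {
		return errors.New("bundle must hold the server certificate followed by its chain up to the root")
	}
	root := certs[len(certs)-1]
	if root.Issuer.String() != root.Subject.String() || root.CheckSignatureFrom(root) != nil {
		return errors.New("last certificate is not a self-signed root CA")
	}
	for i := 0; i+1 < len(certs); i++ { // the stored order must be a real issuance chain
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("certificate %d is not issued by certificate %d: %w", i, i+1, err)
		}
	}
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range certs[1 : len(certs)-1] {
		intermediates.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: hostname, CurrentTime: now})
	return err
}

// tmpl is a certificate template for the constructed test chain, not a real CA.
func tmpl(serial int64, cn string, ca bool, now time.Time) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour), BasicConstraintsValid: true, IsCA: ca}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
		return t
	}
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.DNSNames = []string{cn} // Go's verifier matches SANs, never the CN
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return t
}

// buildTestChain signs root -> intermediate -> server certificate for hostname with
// fresh P-256 keys and returns them server-cert first (constructed test data).
func buildTestChain(hostname string, now time.Time) ([]*x509.Certificate, error) {
	specs := []*x509.Certificate{tmpl(1, "Test Root", true, now), tmpl(2, "Test Intermediate", true, now), tmpl(3, hostname, false, now)}
	var chain []*x509.Certificate
	parent, signer := specs[0], (*ecdsa.PrivateKey)(nil) // the root signs itself
	for _, t := range specs {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		if signer == nil {
			signer = key
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		chain = append([]*x509.Certificate{cert}, chain...) // prepend: server cert ends up first
		parent, signer = cert, key
	}
	return chain, nil
}

// pemBundle encodes certificates as PEM in the order given.
func pemBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}
```

Usage: build a chain with buildTestChain, join it with pemBundle and call verifyStoredChain(bundle, "demo1.example.com", time.Now()); handing it the same certificates root-first, or the server certificate without its intermediate, returns an error. The caveat with this design is that trusting the root carried in the bundle moves the trust decision to whoever can write to Traffic Vault: the check proves the bundle is internally consistent, not that the root is one the operator meant to trust, so write access to the vault (and to the import endpoint that fills it) is the control that matters.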

@asfgit

asfgit commented Jun 21, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3891/
Test FAILed.

@asfgit

asfgit commented Jul 9, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3947/
Test PASSed.

@asfgit

asfgit commented Jul 25, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4032/
Test PASSed.

@asfgit

asfgit commented Jul 29, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4050/
Test PASSed.

@asf-ci

asf-ci commented Aug 28, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4188/
Test PASSed.

@asf-ci

asf-ci commented Sep 5, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4203/
Test PASSed.

@ocket8888 ocket8888 added documentation related to documentation new feature A new feature, capability or behavior SSL support for/problems with SSL features Traffic Ops related to Traffic Ops labels Sep 5, 2019
@asf-ci

asf-ci commented Sep 5, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4204/
Test PASSed.

@asf-ci

asf-ci commented Oct 1, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4371/

@asf-ci

asf-ci commented Oct 1, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4373/

@mattjackson220 mattjackson220 changed the title WIP - TP Delivery Service Generate SSL update, new letsencrypt generate and… TP Delivery Service Generate SSL update, new letsencrypt generate and… Oct 3, 2019
@mattjackson220 mattjackson220 marked this pull request as ready for review October 3, 2019 21:29
@asf-ci

asf-ci commented Oct 4, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4395/

@asf-ci

asf-ci commented Oct 7, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4409/

@ocket8888

Can you rebase this on the new SMTP configuration stuff that's in master?

@asf-ci

asf-ci commented Oct 10, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4447/

@asf-ci

asf-ci commented Oct 14, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4491/

@asf-ci

asf-ci commented Oct 14, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4492/

@ocket8888

retest this please

@asf-ci

asf-ci commented Oct 14, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4493/

@ocket8888 ocket8888 left a comment

Got some unit test failures

@ocket8888 ocket8888 left a comment

Looks good, LE support works, supporting scripts work, unit and integration tests show that existing functionality isn't broken (ran all Go unit tests, TO Go client/API integration tests and TR unit tests), and docs look complete, thorough and compile without warnings or errors.

@ocket8888 ocket8888 merged commit 18fe13a into apache:master Feb 17, 2020
.. code-block:: http
   :caption: Request Example

   GET /api/1.4/letsencrypt/dnsrecord?fqdn=_acme-challenge.demo1.example.com. HTTP/1.1
@mattjackson220 This should be letsencrypt/dnsrecords

Successfully merging this pull request may close these issues.

Let's Encrypt support