GitHub - probcomp/probcomp-acme: Our site ACME configuration for Let's Encrypt certificate issuance.

probcomp / probcomp-acme Public

Notifications You must be signed in to change notification settings
Fork 0
Star 0

Our site ACME configuration for Let's Encrypt certificate issuance.

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 13 Commits
README		README
acme_tiny.py		acme_tiny.py
certbot2asn1		certbot2asn1
gendomain		gendomain
renew		renew
renew.unpriv		renew.unpriv
setup		setup

Repository files navigation

ACME configuration for the probcomp-N servers, using acme_tiny
<https://github.com/diafygi/acme-tiny>.  This repository DOES NOT
contain any secrets.

* How to use it:

1. On probcomp-N.csail.mit.edu, create the directory:

        # cd /usr/local
        # mkdir -p probcomp
        # mkdir probcomp/acme

If that fails, stop here and figure out why -- someone has already
installed this on probcomp-N.  Talk to them.  Don't barge ahead and
change things you don't understand.  You can work it out.  Life is
very short.  There's no time for futzing and kludging, my friend.

2. If today's date is YYYYMMDD, extract the content of the repository
   into /usr/local/probcomp/acme/YYYYMMDD:

        # mkdir /usr/local/probcomp/acme/YYYYMMDD
        # cd /usr/local/probcomp/acme/YYYYMMDD
        # (git archive --format=tar /path/to/probcomp-acme HEAD) | tar xvf -

3. Create a symlink pointing to this date:

        # ln -s YYYYMMDD /usr/local/probcomp/acme/current

4. Execute

        # /usr/local/probcomp/acme/current/setup probcomp-N.csail.mit.edu

   to create the probcomp-acme user, the probcomp-acme group, and the
   directories /etc/probcomp-acme and /var/lib/probcomp-acme.

5. Acquire an account key at /etc/probcomp-acme/account.key.  If you
   already have one from certbot, you can turn it into the right form
   for /etc/probcomp-acme/account.key using the certbot2asn1 script as
   documented in comments at the top.  If you don't already have one,
   you can get one with certbot, or by writing code to talk this part
   of the ACME protocol.  Then make it readable by probcomp-acme:

	# chmod 640 /etc/probcomp-acme/account.key
	# chown root:probcomp-acme /etc/probcomp-acme/account.key

6. Configure the web server to serve /var/lib/probcomp-acme/challenges
   from http://probcomp-N.csail.mit.edu/.well-known/challenge.

7. Run

        # /usr/local/probcomp/acme/current/renew

   Check the syslog to make sure it claimed to have successfully
   renewed the test certificate.  Check to make sure
   /var/lib/probcomp-acme/certs/test-chain.pem points to a file that
   contains two certificates -- a newly issued fake one, and the true
   intermediate CA certificate for Let's Encrypt.

8. Configure the web server to serve HTTPS using the certificate chain
   at /etc/probcomp-acme/domain.crt and the private key at
   /etc/probcomp-acme/domain.key.

9. Add a cron job to execute

        /usr/local/probcomp/acme/current/renew --i-know-what-i-am-doing

   every sixty days, or every month, or the first Monday of every
   month, or whatever is necessary to get it done within the 90 day
   expiration period that works with your schedule.

* How it is organized:

/etc/probcomp-acme      static files readable only by web server and acme user
                          (all secrets live here)
  /account.key          ACME account private key
  /domain.key           private key for the domain name
  /domain.csr           certificate signing request for the domain name
  /domain.crt           symlink to current certificate chain

/var/lib/probcomp-acme  dynamic files written by acme user, read by web server
                          (no secrets live here)
  /certs                directory of all certificates issued
    /chain.pem          symlink to current certificate chain
  /challenges           directory of ACME challenges, to be served by
                          http://domain/.well-known/acme-challenge

* How to update it:

If necessary, commit a new version of acme_tiny.py from
<https://github.com/diafygi/acme-tiny> with the commit id clearly
cited in the commit message.

Repeat step (1) to install a new version of this repository.

If any data files or formats changed, figure out how to deal with them
and deal with them.  I cannot help you from there.

But if no data files or formats changed, then simply replace the
symlink at /usr/local/probcomp/acme/current to point at the new
date YYYYMMDE:

        # cd /usr/local/probcomp/acme
        # rm -f current.tmp
        # ln -s YYYYMMDE current.tmp
        # mv -T current.tmp current

(The `-T' option to mv makes it replace the symlink, rather than
creating a new symlink inside the directory that the symlink at
`current' currently points to.)