
Added ssl guide for deployment service

1 parent 7feafde commit bc221b1ffe9a18f9221c24090f9ae8884d87d1cb @BDQ BDQ committed Feb 20, 2012
@@ -46,6 +46,9 @@ index:
- title: Application Processes
url: deployment_application_processes
text: Details the use of the Foreman gem to define and manage applications processes.
+ - title: Requesting and configuring SSL
+ url: requesting_and_configuring_ssl
+ text: How to generate a certificate request and private key, and install an SSL certificate.
- title: Configuration Tips
url: deployment_tips
text: General troubleshooting and configuration tips
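Review bot: the new index title "Requesting and configuring SSL" breaks the title case used by the neighbouring entries ("Application Processes", "Configuration Tips") and disagrees with the guide's own heading "Requesting And Configuring SSL" added in this commit; suggest "Requesting and Configuring SSL" in both places so the index and the page agree. The `url: requesting_and_configuring_ssl` value matches the `requesting_and_configuring_ssl.html` link added in the other file, so the cross-reference will resolve.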
@@ -0,0 +1,76 @@
+h2. Requesting And Configuring SSL
+
+This article will walk you through generating an SSL Certificate Request and Private Key, and installing the certificate once it's returned from your Certificate Authority.
+
+endprologue.
+
+h3. Generating a Certificate Request and Private Key
+
+If you already have an SSL certificate file and private key you can skip this step. In order to get an SSL certificate from a Certificate Authority (like GoDaddy or Verisign) you need to create a certificate request (csr file) and a private key (key file). Both of theses files can be automatically generated by running the command below.
+
+The CSR file contains some basic information on your domain name and company location, and this file is submitted to the Certificate Authority when purchasing your certificate.
+
+NOTE: The Key file contains the private key for this new SSL certificate and should be stored in a secure location, and not shared with anyone. It should not be sent to the certificate authority when requesting the cert.
+
+h3. Required Information
+
+Your Certificate Request will require the following information:
+
+*CN - Common Name:* The fully qualified domain name that clients will use to reach your server. To secure https://www.example.com, your common name must be www.example.com or *.example.com for a wildcard certificate.
+
+*O - Organization Name:* The exact legal name of your organization. Example: "SpreeCommerce, Inc." If you do not have a legal registered organization name, you should enter your own full name here.
+
+*OU - Department (optional):* Many people leave this field blank. This is the department within your organization which you want to appear in the certificate. It will be listed in the certificate's subject as Organizational Unit, or "ou." Example: Web Administration, Web Security, Marketing
+
+*L - Location / City:* The city where your organization is legally located.
+
+*ST- State or Province:* The state or province where your organization is legally located.
+
+*C - Country:* The county where your organization is legally located.
+
+*Key Size:* 2048 is considered the minimum value.
+
+
+h3. Creating the Certificate Request & Private Key
+
+You must have the OpenSSL library installed to execute this command, all Spree Hosting servers have this command available so it's best to run the command directly on your server.
+
+This example command below is for illustration purposes only, you must substitue your information in the relevant locations.
+
+<shell>
+openssl req -new -newkey rsa:2048 -nodes -out www_example_com.csr -keyout www_example_com.key -subj "/C=US/ST=MD/L=Chevy Chase/O=SpreeCommerce, Inc /OU= /CN=www.example.com"
+</shell>
+
+Be sure to change the -out and -keyout values to match your domain name, while preserving the correct extensions.
+
+Once the command is executed you will have two new files created within the current directory:
+
+*www_example_com.csr* - This is the Certificate Request, this must be submitted to the Certificate Authority when purchasing your certificate.
+
+*www_example_com.key* - This is your Private Key and must be kept securely until the certificate is delivered to you by the Certifcate Authority.
+
+h3. Installing the Certificate
+
+When you receive your certificate from the Certificate Authority it is generally called example.com.crt and maybe bundled with other Chain CRT files. If you received multiple CRT files from your Certificate Authority please refer to the installation instructions provided by them for more details on installation, generally you just need to create one new CRT file and combine the contents of all CRT files provided.
+
+Now that you have one single CRT file you are ready to install it on your server:
+
+Copy the CRT file onto the server and save it to following location:
+
+<shell>
+/data/config/ssl/spree.crt
+</shell>
+
+Move the private key (KEY file) to the following location:
+
+<shell>
+/data/config/ssl/spree.key
+</shell>
+
+Execute the following command to have Puppet automatically install and restart your webserver:
+
+<shell>
+FACTER_db_pass=YOUR_DB_PASSWORD sudo puppet agent --test
+</shell>
+
+It's important that the file names and locations match exactly those listed above otherwise Puppet will not be able to locate them.
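Review bot: the chain-bundling instruction ("generally you just need to create one new CRT file and combine the contents of all CRT files provided") leaves out the one thing that matters, the order: Nginx reads the server certificate first, followed by the intermediate(s), and a bundle in the wrong order fails validation on clients that do not already hold the intermediate. Suggest stating that order and adding a check before the Puppet run, for example `openssl x509 -in /data/config/ssl/spree.crt -noout -subject -issuer -dates` to confirm the first certificate in the file is the site certificate, and `openssl req -in www_example_com.csr -noout -text` earlier to review the CSR before it is submitted. Several smaller points in the same hunk: in the `-subj "/C=US/ST=MD/L=Chevy Chase/O=SpreeCommerce, Inc /OU= /CN=www.example.com"` example the spaces before the `/` separators are not ignored, so O is submitted with a trailing space and OU as a lone space rather than being omitted; drop `/OU=` entirely when no department is wanted and remove the stray spaces. Because `-nodes` writes an unencrypted private key, "must be kept securely until the certificate is delivered to you" understates the requirement: the key must stay private for the whole life of the certificate, and the install step that moves it to `/data/config/ssl/spree.key` should say what ownership and mode Puppet expects (root-owned, mode 600 or whatever the Nginx config reads as). For `FACTER_db_pass=YOUR_DB_PASSWORD sudo puppet agent --test`, sudo's default env_reset drops the caller's environment, so whether the fact reaches puppet depends on the sudoers env_keep/SETENV policy; the guide should say which it assumes (or have the reader run the command from a root shell), and should mention that the password lands in shell history either way. Typos: "theses" (should be "these"), "county" (should be "country"), "substitue", "Certifcate", and "maybe bundled" (should be "may be bundled").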
@@ -54,7 +54,5 @@ Every server contains a single directory that houses the application and all ser
** *- Procfile* - Automatically generated process configuration files, for more see the Application Processes article. This file is sym-linked into place as part of the Capistrano deploy process.
** *- unicorn.rb* - Automatically generated unicorn configuration file, reference by the Procfile above when starting the application server processes.
-* */data/config/ssl* - You can upload your SSL certificate files into this directory and the will be automatically used by Puppet in your application Nginx configuration file. It's vital that you rename the files using the following convention:
-
-* */data/config/ssl/spree.key* - The private key for your SSL certificate, created when you generated the certificate request. /data/config/ssl/spree.crt - The SSL certificate given to you from your SSL provider.
+* */etc/ssl* - You can upload your SSL certificate files into this directory and the will be automatically used by Puppet in your application Nginx configuration file. See the "Requesting and Configuring SSL Guide":requesting_and_configuring_ssl.html for more details.
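Review bot: the replacement line moves the certificate directory to `/etc/ssl`, but the new guide in this same commit tells the reader to save the files as `/data/config/ssl/spree.crt` and `/data/config/ssl/spree.key` and warns that Puppet will not find them unless the paths match exactly; one of the two is wrong, and a reader following the guide will put the files somewhere this directory listing says they do not belong. Suggest keeping `/data/config/ssl` here (the removed lines used it and the listing being edited describes `/data`) or correcting the guide, and restoring the fixed filename convention (`spree.key`, `spree.crt`) that the removed lines spelled out, since the new sentence no longer says the names are mandatory. Also "the will be" should read "they will be".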

1 comment on commit bc221b1

Member

joneslee85 commented on bc221b1 Mar 3, 2012

nice +1
