Let’s Encrypt integration

[ivomarino]

We want to integrate Let’s Encrypt into AppFlow. Facts:

• SSL is terminated on HAProxy.
• certs live in /etc/certs (probably we can specify multiple locations crt /foo/ crt /bar/).

Idea, intercept /.well-known/acme-challenge via HAProxy ACL acl letsencrypt_check path_beg /.well-known/acme-challenge and redirect always to compute-01 on specific port where certbot-auto is running, share certs and requests via GlusterFS in a multinode environment.

[ivomarino]

Another interesting option could be https://github.com/srvrco/getssl/blob/master/README.md.

[ivomarino]

starts working in combination with HAProxy:

certbot-auto certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for appflow-1.home-unix.com
http-01 challenge for appflow-2.home-unix.com
Waiting for verification...
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/appflow-1.home-unix.com/fullchain.pem. Your
   cert will expire on 2017-05-21. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot-auto again.
   To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

this should run in cron on master node, concatenate certs and store them on GlusterFS, from there they can be sourced via HAProxy, that's the idea.

When we specify multiple domains, like in this case:

conf_letsencrypt_rsa_key_size: 4096
conf_letsencrypt_email: root@home-unix.com
conf_letsencrypt_authenticator: standalone
conf_letsencrypt_preferred_challenge: http
conf_letsencrypt_http_01_port: 63443
conf_letsencrypt_domains: appflow-1.home-unix.com,appflow-2.home-unix.com
conf_letsencrypt_agree_tos: True
conf_letsencrypt_noninteractive: True

Let’s Encrypt will create a single cert which contains several different names using the Subject Alternative Name (SAN) mechanism, in this case appflow-1.home-unix.com and appflow-2.home-unix.com:

X509v3 Key Usage critical:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints critical:
CA:FALSE
X509v3 Subject Key Identifier:
2F:A7:13:74:83:08:A0:C0:DE:78:EC:F0:1B:1F:E0:16:05:14:63:9A
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

X509v3 Subject Alternative Name:
DNS:appflow-1.home-unix.com, DNS:appflow-2.home-unix.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

[ivomarino]

Usage examples:

# create new cert
ssh node "sudo cert-create.sh appflow-1.home-unix.com"

# verify expiration
ssh node "sudo cert-verify.sh"

# renew all certs which need it
ssh node "sudo cert-renew.sh"

# revoke
certbot-auto revoke --cert-path /etc/letsencrypt/live/appflow-1.home-unix.com-0001/cert.pem

[ivomarino]

For auto-renewal we can schedule a cron job which:

• Calls cert-renew.sh (locally or remotely via ssh).
• cert-renew.sh returns 0 if there aren't updates, 1 if there are.
• if return value is 1 then restart HAProxy on all involved webservers.

[ivomarino]

Works fine, can be closed.