ipfs / infra

Tools and systems for the IPFS community
MIT License

How to update TLS certificates #366

Closed victorb closed 6 years ago

victorb commented 6 years ago

Reminder to self for when this needs to be done again:

1) get the new certs:
- change the CNAME for these domains from gateway-int.ipfs.io to earth.i.ipfs.io (which is still a functioning gateway)
- wait 2 minutes
- ssh earth
- edit Caddyfile.ssl
- `docker stop nginx ; ./caddy -conf Caddyfile.ssl ; docker start nginx` (it's finished when it prints the http and https urls, ctrl+c then and nginx takes over again)
- change CNAME back to gateway-int.ipfs.io
2) install the certs
- secrets.sh -d to make sure your local secrets are up-to-date
- scp the .crt and .key from earth to secrets/ 
- Example command: `scp 'root@earth.i.ipfs.io:/root/.caddy/acme/acme-v01.api.letsencrypt.org/sites/wikipedia-on-ipfs.org/*.{crt,key}' secrets/`
- deploy to scrappy and chappy (it should print that the certs changed)
- Example command: `./provsn build chappy && ./provsn upload chappy && ./provsn install chappy`
- secrets.sh -e and commit the new .crt and .key files in secrets_secure/
- make and merge pull request to update `secrets_secure/` git submodule to the latest ref

mkg20001 commented 6 years ago

@VictorBjelkholm Wouldn't it be possible to use acme.sh and a dns challenge instead? https://github.com/Neilpang/acme.sh/tree/master/dnsapi#25-use-dnsimple-api

victorb commented 6 years ago

Yeah. We currently have two different infrastructures running, the one available here and one that is about to get open sourced, but we're not quite there. For the future, we definitely want something that's automatic to renew the certificates, probably nginx + acme-nginx or something like that. But for now, I think time is spent more wisely just going through the manual steps...

eefahy commented 6 years ago

@VictorBjelkholm can this be closed now with your recent update to the README?

mkg20001 commented 6 years ago

@VictorBjelkholm I've written an acme.sh wrapper that might make it easier to use acme.sh for that purpose: https://github.com/mkg20001/mkg-infra/blob/master/ssl/tool.sh This tool would allow completely automated renewals with literally just one command: `./tool.sh renew`. The only changes required to the script to be usable for IPFS would be replacing `dns_cf` with `dns_dnsimple` and editing/removing the `genconf` subcommand. About security: if `account.conf` is added to `.gitignore` this won't leak any DNS tokens into the repo, only the account keys for Let's Encrypt, but they can be added to `.gitignore` too, so only the certs land in the repo. (Edit: Of course this is just a suggestion, feel free to decline.)
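
The following is an added example, not code from ipfs/infra and not mkg20001's tool.sh. It ties together the two procedures discussed in this thread: the pre-deploy check a practitioner would want before step 2 of the manual procedure above (does the scp'd `.key` actually belong to the `.crt`, is the cert still valid long enough, does it cover the domain), and the acme.sh DNS-01 renewal that mkg20001 suggests. Assumptions: `acme.sh` is installed and on `PATH`; the DNSimple API token is read from a file outside the git repo (the path below is a placeholder); the domain list and output directory are placeholders; the `DNSimple_OAUTH_TOKEN` variable name is the one acme.sh's `dns_dnsimple` hook documents, so check the linked dnsapi page if your acme.sh version differs.

```shell
#!/bin/sh
# Added example (not ipfs/infra tooling): issue/renew a cert via acme.sh with the
# DNSimple DNS-01 challenge, then validate the resulting .crt/.key pair before it
# is handed to the deploy step. The `check` subcommand is also useful on its own
# for certs fetched manually with scp.
set -eu

DOMAINS="${DOMAINS:-wikipedia-on-ipfs.org}"            # placeholder; first entry is the primary name
OUT_DIR="${OUT_DIR:-./secrets}"                        # where the .crt/.key land, mirroring step 2 above
TOKEN_FILE="${TOKEN_FILE:-$HOME/.config/dnsimple.token}" # hypothetical path, outside the repo
MIN_DAYS="${MIN_DAYS:-30}"                             # refuse to deploy a cert expiring sooner than this

# pubkey_fingerprint FILE crt|key -> SHA-256 of the DER-encoded public key.
# Comparing these is how we prove the private key matches the certificate.
pubkey_fingerprint() {
  {
    if [ "$2" = crt ]; then
      openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER
    else
      openssl pkey -in "$1" -pubout -outform DER
    fi
  } | openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair CRT KEY [DOMAIN]: returns 0 only if the key matches the cert, the
# cert is valid for at least MIN_DAYS more days, and (when DOMAIN is given) the
# cert's subject CN or a SAN entry names that domain.
check_pair() {
  crt=$1; key=$2; domain=${3:-}
  [ -r "$crt" ] && [ -r "$key" ] || { echo "missing or unreadable: $crt / $key" >&2; return 1; }

  if [ "$(pubkey_fingerprint "$crt" crt)" != "$(pubkey_fingerprint "$key" key)" ]; then
    echo "private key does not match certificate: $crt / $key" >&2
    return 1
  fi

  # -checkend exits non-zero if the cert expires within the given number of seconds.
  if ! openssl x509 -in "$crt" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null; then
    echo "certificate expires within $MIN_DAYS days: $(openssl x509 -in "$crt" -noout -enddate)" >&2
    return 1
  fi

  if [ -n "$domain" ]; then
    re=$(printf '%s' "$domain" | sed 's/\./\\./g')
    if ! openssl x509 -in "$crt" -noout -text \
        | grep -Eq "(Subject:.*CN ?= ?|DNS:)${re}([,[:space:]]|\$)"; then
      echo "certificate does not cover $domain" >&2
      return 1
    fi
  fi
  echo "ok: $crt matches $key$( [ -n "$domain" ] && echo ", covers $domain" )"
}

# renew: DNS-01 issue/renew, then copy the files out and validate them.
renew() {
  primary=${DOMAINS%% *}
  # The API token never enters the repo: acme.sh's dns_dnsimple hook reads it from
  # this environment variable, and acme.sh's own state stays in ~/.acme.sh.
  DNSimple_OAUTH_TOKEN=$(cat "$TOKEN_FILE"); export DNSimple_OAUTH_TOKEN

  dargs=""
  for d in $DOMAINS; do dargs="$dargs -d $d"; done
  # acme.sh exits 2 when the cert is not yet due for renewal; treat that as success.
  # shellcheck disable=SC2086
  acme.sh --issue --dns dns_dnsimple $dargs || [ $? -eq 2 ]

  mkdir -p "$OUT_DIR"
  acme.sh --install-cert -d "$primary" \
    --key-file "$OUT_DIR/$primary.key" \
    --fullchain-file "$OUT_DIR/$primary.crt"

  # Refuse to hand a broken pair to the deploy step.
  check_pair "$OUT_DIR/$primary.crt" "$OUT_DIR/$primary.key" "$primary"
}

case "${1:-}" in
  "") ;;                                   # no args: functions only (sourced / tested)
  renew) renew ;;
  check) check_pair "$2" "$3" "${4:-}" ;;
  *) echo "usage: $0 renew | check CRT KEY [DOMAIN]" >&2; exit 1 ;;
esac
```

With this in place the manual step 2 becomes `./tool.sh check secrets/wikipedia-on-ipfs.org.crt secrets/wikipedia-on-ipfs.org.key wikipedia-on-ipfs.org` before `provsn` runs; `./tool.sh renew` replaces step 1 entirely, with no CNAME juggling, because DNS-01 does not need the domain to point at the host that performs the challenge. Note that the `.gitignore` concern in the comment above only arises when acme.sh's home directory is placed inside the repo; with the default `~/.acme.sh` the account key and `account.conf` never touch git, and the only artifacts that do are the `.crt`/`.key` in `secrets/`, which the existing procedure already encrypts with `secrets.sh -e`.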

victorb commented 6 years ago

Closing this one as it's not applicable anymore.