perfsonar / toolkit

perfSONAR Toolkit distribution environment scripts and GUI
Apache License 2.0

Use Let's Encrypt in perfsonar-toolkit-security package #305

Open arlake228 opened 6 years ago

arlake228 commented 6 years ago

See https://letsencrypt.org.

Let's Encrypt is a free and automated CA. We should be able to install one of their supported agents on the toolkit that would retrieve and maintain a signed SSL certificate. This would get rid of the self-signed certificate on the toolkit in favor of one signed by a trusted CA.

vvidic commented 6 years ago

On Mon, Mar 12, 2018 at 08:42:51PM +0000, Andrew R. Lake wrote:

> See https://letsencrypt.org.
>
> Let's Encrypt is a free and automated CA. We should be able to install one of their supported agents on the toolkit that would retrieve and maintain a signed SSL certificate. This would get rid of the self-signed certificate on the toolkit in favor of one signed by a trusted CA.

Maybe make it an optional package/addon as it might not work for people that run toolkit on a private network?

-- Valentin Vidic Computer Systems Engineer - Expert Department of Computer Infrastructure and Services Croatian Academic and Research Network - CARNET Josipa Marohnica 5, HR-10000 Zagreb, Croatia tel: +385 1 6661 714, fax. +385 1 6661 635 gsm: +385 91 2480 919 www.CARNet.hr

mfeit-internet2 commented 6 years ago

This should be a fairly easy optional drop-in. I'm going to be switching my personal server over to using Let's Encrypt shortly, so I should be able to provide some insight on automating the setup.

pScheduler isn't going to care whether the other end is properly signed or not since it's currently hardwired not to care. We'll have to think about how to handle making it operate with unsigned servers. Maybe a switch in the task that says whether or not it has to operate securely or something system-wide.

arlake228 commented 6 years ago

Played with this a little bit today. I'm not convinced we can fully automate this as there are steps that require (as they probably should) user interaction, in addition to cases like private networks and people already having updated their servers with signed certs.

We might be able to provide a shell script though that makes the process a bit easier for people since they will likely have consistent Apache setups on a perfSONAR host. Specifically thinking something like the following:

  1. Include the package certbot from EPEL
  2. Write a shell script that runs:
    1. Prints some text saying to follow the prompts and enter /var/www/html when prompted for webroot since, as far as I can tell, there is no command-line option to do this
    2. Run certbot certonly --webroot
    3. If #2 complete, update /etc/httpd/conf.d/ssl.conf to point at generated cert and private key (can be parsed from output or by digging through /etc/letsencrypt/live/ subdirs)
    4. Restart httpd
  3. Provide docs that detail the above and point to let's encrypt docs for more info

vvidic commented 6 years ago

On Wed, Mar 14, 2018 at 06:49:44PM +0000, Andrew R. Lake wrote:

> Played with this a little bit today. I'm not convinced we can fully automate this as there are steps that require (as they probably should) user interaction, in addition to cases like private networks and people already having updated their servers with signed certs.
>
> We might be able to provide a shell script though that makes the process a bit easier for people since they will likely have consistent Apache setups on a perfSONAR host. Specifically thinking something like the following:
>
>   1. Include the package certbot from EPEL
>   2. Write a shell script that runs:
>     1. Prints some text saying to follow the prompts and enter /var/www/html when prompted for webroot since, as far as I can tell, there is no command-line option to do this
>     2. Run certbot certonly --webroot
>     3. If #2 complete, update /etc/httpd/conf.d/ssl.conf to point at generated cert and private key (can be parsed from output or by digging through /etc/letsencrypt/live/ subdirs)
>     4. Restart httpd
>   3. Provide docs that detail the above and point to let's encrypt docs for more info

We might be able to automate it a bit more with something like:

certbot certonly --dry-run -n --webroot --webroot-path /var/www/html -d my.domain.com

But since these certs are only valid for 3 months, certbot also needs to run from cron to renew them every 2 months:

certbot -q renew

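
The helper script sketched in the quoted steps (certbot webroot issuance, ssl.conf update, httpd restart), with the non-interactive dry run and the cron renewal point from this reply, as an added example that is not part of the thread or of the perfSONAR project. It assumes the paths and certbot flags named above, plus certbot's --agree-tos/-m flags with a placeholder EMAIL for the non-interactive run, and Linux `hostname -I` for the local-address check.

```bash
#!/bin/bash
# Added example (not perfSONAR project code): the helper script sketched in
# this thread. Paths and flags are those named above; EMAIL, --agree-tos and
# -m are assumptions needed for a non-interactive (-n) certbot run.
WEBROOT=/var/www/html
SSL_CONF=/etc/httpd/conf.d/ssl.conf
LIVE_DIR=/etc/letsencrypt/live
EMAIL=${EMAIL:-hostmaster@example.org}   # placeholder; the operator sets this

# Catch a name that does not point at this host before spending one of the
# rate-limited validation attempts: resolve it and compare with local addresses.
resolves_locally() {
    addr=$(getent ahosts "$1" | awk '{ print $1; exit }')
    [ -n "$addr" ] && hostname -I | tr ' ' '\n' | grep -qx "$addr"
}

# Rewrite the two Apache directives in ssl.conf to the certbot live paths.
# Commented-out directives are left alone; the file is written back through
# a temp copy so its ownership and mode are preserved.
update_ssl_conf() {
    conf=$1; live=$2
    scratch=$(mktemp) || return 1
    sed -e "s|^\([[:space:]]*SSLCertificateFile\)[[:space:]].*|\1 $live/fullchain.pem|" \
        -e "s|^\([[:space:]]*SSLCertificateKeyFile\)[[:space:]].*|\1 $live/privkey.pem|" \
        "$conf" > "$scratch" && cat "$scratch" > "$conf"
    rc=$?
    rm -f "$scratch"
    return $rc
}

# Issue the certificate, then wire it into Apache. The --dry-run goes first
# so webroot or DNS mistakes do not count against the production failure limit.
request_cert() {
    domain=$1
    resolves_locally "$domain" || { echo "$domain does not resolve here" >&2; return 1; }
    certbot certonly -n --dry-run --agree-tos -m "$EMAIL" \
        --webroot --webroot-path "$WEBROOT" -d "$domain" || return 1
    certbot certonly -n --agree-tos -m "$EMAIL" \
        --webroot --webroot-path "$WEBROOT" -d "$domain" || return 1
    update_ssl_conf "$SSL_CONF" "$LIVE_DIR/$domain" || return 1
    systemctl restart httpd
}

# Run only when a domain is given (e.g. "$(hostname -f)"). Renewal stays with
# certbot: a cron entry running "certbot -q renew" keeps the cert current.
if [ -n "${1:-}" ]; then
    request_cert "$1"
fi
```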

arlake228 commented 6 years ago

Yes, meant to include the cron job, thanks. Not sure we want to try to fill in the domain for people since that can get sticky as well depending on their setup. Good find on the --webroot-path; don't see it listed in the help message, but not shocked there is an option for it.

ctomkow commented 5 years ago

Hello @arlake228. I have a number of perfSONAR boxes and I am wondering if any work has been done on Let's Encrypt at all? I was about to start working through a way to automate the setup of Let's Encrypt on perfSONAR boxes, but then I stumbled across this thread.

candlerb commented 5 years ago

dehydrated is another way to do this, and it's just a shell script. By default it uses the http-01 challenge (which would be fine for a perfSONAR node on a public IP address), and you can drop in hook scripts to do other things.

I think in the UI, there should be a web page to enable Let's Encrypt. It would register a Let's Encrypt account and accept the terms, and let you enter your certificate name and any SANs. It could pre-fill a default of the system hostname FQDN, after checking that it resolves to one of the local interface addresses, so it could be just two clicks to activate.

Let's Encrypt doesn't take too kindly to repeated failed attempts to validate names: you are rate limited to 5 failures per account per hostname per hour. That's why it's worth validating them first.

laeti-tia commented 2 years ago

There is potential code reuse from https://github.com/perfsonar/distribution/blob/2022-overhaul/distribution-point/setup to get this ready. But having a UI on top of it all would indeed be very useful.

adamboutcher commented 1 year ago

> Hello @arlake228. I have a number of perfSONAR boxes and I am wondering if any work has been done on Let's Encrypt at all? I was about to start working through a way to automate the setup of Let's Encrypt on perfSONAR boxes, but then I stumbled across this thread.

I know this is late, but we've solved some of these problems: https://www.gridpp.ac.uk/wiki/Https_with_PerfSonar_4.3.4