Page MenuHomeDevCentral
Create Task
Maniphest T1505

Automate Let's Encrypt TLS certificates management for every server
Open, NormalPublic
Actions

Description

Handling T1500, it has been demonstrated clumsy and slow to manually supersede domains in a Let's Encrypt certificate.

D966 started to automate Let's Encrypt certificates for Eglide, could we generalize it to everything, or at least to the most automated services like the Docker PaaS?

The goal is to force a stable certificate path (or get the path into an usable variable) to be able to have coherent nginx (or other software) configuration.

Revisions and Commits

rOPS Nasqueron Operations
AbandonedD3404 Read services variable from map
D3406rOPS907fea4aae3d Don't deploy duplicate renewal service on Debian and RedHat
D3248rOPS1e9a54c10365 Deploy Certbot everywhere
D3247rOPS88a70074dfd5 Free certificates unit's init state for includes

Related Objects

Event Timeline

dereckson created this task.Jan 26 2019, 14:41
dereckson renamed this task from Automate Let's Encrypt TLS certificates management for Docker PaaS to Automate Let's Encrypt TLS certificates management for every server.Dec 14 2023, 17:01
dereckson claimed this task.
dereckson merged a task: T784: Set up let's encrypt certificates renewal.
dereckson added a subscriber: DorianWinty.
dereckson added a subscriber: Sandlayth.
dereckson added a revision: D3247: Free certificates unit's init state for includes.Dec 14 2023, 17:16
dereckson added a revision: D3248: Deploy Certbot everywhere.Dec 16 2023, 01:01
dereckson mentioned this in T919: Propagate Let's encrypt certificate to mail server.Dec 16 2023, 14:45
dereckson added a commit: rOPS88a70074dfd5: Free certificates unit's init state for includes.Dec 17 2023, 22:04
dereckson added a commit: rOPS1e9a54c10365: Deploy Certbot everywhere.Jul 25 2024, 20:41
dereckson triaged this task as Normal priority.Jul 25 2024, 20:42

rOPS1e9a54c10365 has worked like a charm on WindRiver to generate grafana.nasqueron.org through DNS.

DorianWinty added a comment.Jul 31 2024, 16:24

31/07/2024 at 12h the devcentral.nasqueron.org certificate expired

I have done a certificate renew of all certificate
but it seem not to work automaticaly on docker-002

dereckson added a revision: D3404: Read services variable from map.Aug 4 2024, 11:47
dereckson added a comment.EditedAug 4 2024, 13:52

Deployed D3248 to docker-002.

Next: we need to ensure all certificates used by nginx have instructions in their renewal configuration to reload nginx:

[renewalparams]
renew_hook = systemctl reload nginx

Documentation added to https://agora.nasqueron.org/Operations_grimoire/TLS_certificates

dereckson added a revision: D3406: Don't deploy duplicate renewal service on Debian and RedHat.Aug 4 2024, 13:59
dereckson moved this task from Backlog to Pending review on the Servers board.Aug 4 2024, 14:00
dereckson added a commit: rOPS907fea4aae3d: Don't deploy duplicate renewal service on Debian and RedHat.Aug 5 2024, 19:48
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator