
Create a let's encrypt certificate generator jail
Status: Closed, Wontfix (Public)

Description

Problem

Currently, Let's Encrypt wants to listen on port 80. Fine, but our port 80s are busy with actual web servers.

Furthermore, we need certificates for Dwellers, but we are not willing to do maintenance tasks directly on Dwellers when it can be avoided.

Solution offered

To build a service to get certificates and dispatch them to relevant web servers.

We could assign a dedicated IPv6 to a FreeBSD jail for this use.

Event Timeline

dereckson raised the priority of this task from to Normal.
dereckson updated the task description.
dereckson added projects: Servers, security.
dereckson added a subscriber: dereckson.

This task has been identified as suitable for the December product backlog for infrastructure. It is included in our product backlog and will be discussed for inclusion in the sprint backlog at this E3 meeting.

Hostname: setstyin.nasqueron.org
IP: 2001:470:1f12:9e1::3

Create the jail

$ ezjail-admin create letsencrypt 'lo1|127.0.1.1,gif0|2001:470:1f12:9e1::3'
$ ezjail-admin start letsencrypt

Configure the jail and install nginx, Let's encrypt

$ ezjail-admin console letsencrypt
$ cat > /etc/hosts
::1                     localhost localhost.nasqueron.org
127.0.0.1               localhost localhost.nasqueron.org
2001:470:1f12:9e1::3    setstyin.nasqueron.org
$ cat > /etc/resolv.conf
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
$ pkg install nginx py27-letsencrypt
$ cat >> /etc/rc.conf
nginx_enable="YES"
$ /usr/local/etc/rc.d/nginx start

DNS configuration

setstyin.nasqueron.org.	86400	IN	AAAA	2001:470:1f12:9e1::3

Test run

$ setenv DOMAINS "-d setstyin.nasqueron.org"
$ setenv DIR /var/letsencrypt-auto
$ mkdir -p $DIR
$ rehash
$ letsencrypt certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR --agree-dev-preview $DOMAINS
[...]
 - The following 'urn:acme:error:unknownHost' errors were reported by
   the server:

   Domains: setstyin.nasqueron.org
   Error: The server could not resolve a domain name
[...]

IPv6 issue

This approach won't currently work pending upstream resolution:

Furthermore, the Let's Encrypt server wants to contact the server where the domain is installed to get a confirmation.

But it's an interesting proof of concept and we could deploy it on nginx.

Deleted jail

$ ezjail-admin stop letsencrypt
Stopping jails: letsencrypt.
$ ezjail-admin delete letsencrypt
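The test run above failed with `urn:acme:error:unknownHost` because the jail only had an AAAA record and the Let's Encrypt validator, at the time of this task, reached hosts over IPv4 only. The pre-flight script below is an added example and not part of the original task or of the letsencrypt client; it checks the two things the webroot (http-01) flow depends on before the client is run: that the name has an A record the CA can reach, and that nginx actually serves files placed under `$DIR/.well-known/acme-challenge/`. The `drill` and `fetch` tools are assumed to be present (both ship with FreeBSD); the default webroot path is the one used in the task, and `SAMPLE_RECORDS` is a constructed copy of the task's DNS line used for offline checks.

```shell
#!/bin/sh
# ACME http-01 pre-flight check (added example, not from the task or the client).
# Assumes drill(1) and fetch(1); WEBROOT defaults to the task's /var/letsencrypt-auto.

WEBROOT="${WEBROOT:-/var/letsencrypt-auto}"

# Constructed sample: the AAAA record from the task, in drill/dig answer format.
SAMPLE_RECORDS='setstyin.nasqueron.org. 86400 IN AAAA 2001:470:1f12:9e1::3'

# Print only the answer-section records of a lookup, one "name ttl class type data" per line.
lookup_records() {
    drill "$1" "$2" 2>/dev/null | awk '/^;; ANSWER SECTION:/ {f=1; next} /^;;/ {f=0} f && NF'
}

# Classify a set of records: "ok" if an A record exists, "ipv6-only" if only
# AAAA records exist, "none" if neither. At the time of the task an AAAA-only
# name made the CA report urn:acme:error:unknownHost.
classify_records() {
    a=$(printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" {c++} END {print c+0}')
    aaaa=$(printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "AAAA" {c++} END {print c+0}')
    if [ "$a" -gt 0 ]; then echo ok
    elif [ "$aaaa" -gt 0 ]; then echo ipv6-only
    else echo none
    fi
}

# URL the CA fetches for a given token in the http-01 challenge.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Drop a throwaway token in the webroot, fetch it back through the web server,
# and remove it. Returns 0 only if the served body equals the token.
check_webroot_served() {
    domain="$1"; dir="$2"
    token="preflight-$$"
    mkdir -p "$dir/.well-known/acme-challenge"
    printf '%s\n' "$token" > "$dir/.well-known/acme-challenge/$token"
    got=$(fetch -q -o - "$(challenge_url "$domain" "$token")" 2>/dev/null)
    rm -f "$dir/.well-known/acme-challenge/$token"
    [ "$got" = "$token" ]
}

# Run both checks for each domain given on the command line.
main() {
    rc=0
    for domain in "$@"; do
        records="$(lookup_records "$domain" A)
$(lookup_records "$domain" AAAA)"
        case "$(classify_records "$records")" in
            ok)        echo "$domain: A record present" ;;
            ipv6-only) echo "$domain: only AAAA records; validator may not reach it"; rc=1 ;;
            none)      echo "$domain: no address records"; rc=1 ;;
        esac
        if check_webroot_served "$domain" "$WEBROOT"; then
            echo "$domain: webroot served from $WEBROOT"
        else
            echo "$domain: challenge path not served; check nginx root for $WEBROOT"; rc=1
        fi
    done
    return $rc
}

# Only perform live checks when domains are passed; the functions stay usable offline.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it inside the jail as `sh preflight.sh setstyin.nasqueron.org` before invoking `letsencrypt certonly`; a non-zero exit means the webroot challenge would fail for one of the two reasons the task ran into.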