Page MenuHomeDevCentral

Deploy a Let's encrypt certificate to the Mumble server
Open, NormalPublic

Description

Switch from a StartCom certificate (expiring 2016-06-10) to a Let's encrypt certificate.

Provide a way to deploy this certificate to the Mumble server jail.

Event Timeline

dereckson created this task.Jun 4 2016, 02:11
dereckson moved this task from Backlog to Configuration requests on the Mumble board.
dereckson added a comment.EditedJun 4 2016, 14:42

Done manually.

Ysul
$ cd /usr/local/jails/mumble.nasqueron.org/usr/local/etc/ssl/nasqueron.org
$ cp /usr/local/etc/letsencrypt/archive/mumble.nasqueron.org/fullchain1.pem mumble.crt
$ cp -p /usr/local/etc/letsencrypt/archive/mumble.nasqueron.org/privkey1.pem mumble.ey
$ jexec 9 tcsh
mumble.nasqueron.org jail
$ /usr/local/etc/rc.d/murmur restart

$ tail /var/log/murmur.log
<W>2016-06-04 14:35:30.064 Shutting down
<W>2016-06-04 14:35:31.666 MurmurIce: Shutdown complete
<W>2016-06-04 14:35:34.827 Initializing settings from /usr/local/etc/murmur.ini (basepath /usr/local/etc)
<W>2016-06-04 14:35:34.828 Binding to address 212.83.187.132
<W>2016-06-04 14:35:34.828 Binding to address 2001:470:1F13:9E1:0:C0FF:EE:1
<C>2016-06-04 14:35:34.844 Adding 1 CA certificates from certificate file.
<W>2016-06-04 14:35:34.845 Meta: TLS cipher preference is "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA:AES128-SHA"
<W>2016-06-04 14:35:34.845 OpenSSL: OpenSSL 1.0.1e-freebsd 11 Feb 2013
<W>2016-06-04 14:35:35.507 MurmurIce: Endpoint "tcp -h 212.83.187.132 -p 6502 -t 60000" running
<W>2016-06-04 14:35:35.508 MurmurIce: Endpoint "tcp -h "2001:470:1f13:9e1:0:c0ff:ee:1" -p 6502 -t 60000" running
<W>2016-06-04 14:35:35.508 Murmur 1.2.10 (Compiled Feb 15 2016 06:18:32) running on X11: FreeBSD 10.1-RELEASE-p26: Booting servers
<W>2016-06-04 14:35:36.352 1 => Server listening on 212.83.187.132:64738
<W>2016-06-04 14:35:36.356 1 => Server listening on [2001:470:1f13:9e1::c0ff:ee:1]:64738
<W>2016-06-04 14:35:36.360 1 => Server: Failed to set TOS for UDP Socket
<W>2016-06-04 14:35:39.492 1 => <1:(-1)> New connection: [2001:41d0:2:8d8c:216:3eff:fed3:976d]:52358
<W>2016-06-04 14:35:39.492 Connection: Failed to set TOS for TCP Socket
<W>2016-06-04 14:35:39.675 1 => <1:(-1)> Client version 1.2.7 (Linux: mumble-ruby 1.1.2)
<W>2016-06-04 14:35:39.930 1 => Starting voice thread
<W>2016-06-04 14:35:39.934 1 => CELT codec switch ffffffff8000000b 0 (prefer ffffffff8000000b) (Opus 1)
<W>2016-06-04 14:35:39.951 1 => <1:Wolfplex(30)> Authenticated
<W>2016-06-04 14:38:19.510 1 => <2:(-1)> New connection: 52.201.18.254:55622
<W>2016-06-04 14:38:19.706 1 => Registration: No DNS records found: New registration successful
<W>2016-06-04 14:38:19.710 1 => <2:(-1)> Connection closed: The TLS/SSL connection has been closed [1]
dereckson lowered the priority of this task from High to Normal.Jun 4 2016, 14:43

We need a script to automate the process.

We need a script to automate the process.

Done, but now we need to configure Let's encrypt to call this script when the certificate is renewed.

1#!/bin/sh
2
3# -------------------------------------------------------------
4# Deploy Mumble certificate on Murmur
5# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6# Project: Nasqueron
7# Created: 2016-11-03
8# License: Trivial work, not eligible to copyright
9# -------------------------------------------------------------
10
11if [ -z "$JAIL_HOSTNAME" ]; then
12 JAIL_HOSTNAME=mumble.nasqueron.org
13fi
14
15if [ -z "$CERT_DIR" ]; then
16 CERT_DIR=/usr/local/etc/letsencrypt/live/$JAIL_HOSTNAME
17fi
18
19if [ -z "$JAIL_DIR" ]; then
20 JAIL_DIR=/usr/local/jails/$JAIL_HOSTNAME
21fi
22
23if [ -z "$JAIL_ID" ]; then
24 JAIL_ID=`jls | grep $JAIL_HOSTNAME | awk '{print $1}'`
25fi
26
27cp $CERT_DIR/fullchain.pem $JAIL_DIR/usr/local/etc/ssl/nasqueron.org/mumble.crt
28cp $CERT_DIR/privkey.pem $JAIL_DIR/usr/local/etc/ssl/nasqueron.org/mumble.key
29
30# murmur has uid 338
31chown 338:0 $JAIL_DIR/usr/local/etc/ssl/nasqueron.org/mumble.key
32chmod 400 $JAIL_DIR/usr/local/etc/ssl/nasqueron.org/mumble.key
33
34jexec $JAIL_ID service murmur restart

dereckson added a comment.EditedNov 3 2016, 02:52

Currently, configuration file contains the following instructions:

/usr/local/etc/letsencrypt/renewal/mumble.nasqueron.org.conf
…
# Options used in the renewal process
[renewalparams]
account = …
authenticator = webroot
installer = None
[[webroot_map]]
mumble.nasqueron.org = /var/letsencrypt-auto

We probably should create an installer. https://certbot.eff.org/docs/contributing.html#installer

We can then ship it as a Python package: https://github.com/certbot/certbot/tree/master/examples/plugins

Here how to call an external process:

certbot/certbot-nginx/certbot_nginx/configurator.py

    def config_test(self):  # pylint: disable=no-self-use
        """Check the configuration of Nginx for errors.
        :raises .errors.MisconfigurationError: If config_test fails
        """
        try:
            util.run_script([self.conf('ctl'), "-c", self.nginx_conf, "-t"])
        except errors.SubprocessError as err:
            raise errors.MisconfigurationError(str(err))
dereckson moved this task from In progress to Backlog on the User-Dereckson board.Nov 6 2016, 19:02
dereckson updated the task description. (Show Details)
dereckson removed dereckson as the assignee of this task.
dereckson added a project: easy.

Current status

Commit c356aa59ba95 prepared a script to run when the certificate is updated, comment T853#12213 has cleared the path for a way to run this script directly from the Let's encrypt certbot client.

Not currently working on this, but I tag this as easy as the issue has correctly been analyzed, and will provide assistance if someone wants to do this.

Sandlayth claimed this task.Nov 24 2016, 18:00
Sandlayth removed Sandlayth as the assignee of this task.Sep 9 2017, 16:23
dereckson moved this task from Backlog to Ops on the easy board.Oct 15 2017, 12:02