
Deploy a Let's encrypt certificate to the Mumble server
Open, Normal, Public

Description

Switch from a StartCom certificate (expiring 2016-06-10) to a Let's encrypt certificate.

Provide a way to deploy this certificate to the Mumble server jail.

Event Timeline

Done manually.

Ysul
$ cd /usr/local/jails/mumble.nasqueron.org/usr/local/etc/ssl/nasqueron.org
$ cp /usr/local/etc/letsencrypt/archive/mumble.nasqueron.org/fullchain1.pem mumble.crt
$ cp -p /usr/local/etc/letsencrypt/archive/mumble.nasqueron.org/privkey1.pem mumble.key
$ jexec 9 tcsh
mumble.nasqueron.org jail
$ /usr/local/etc/rc.d/murmur restart

$ tail /var/log/murmur.log
<W>2016-06-04 14:35:30.064 Shutting down
<W>2016-06-04 14:35:31.666 MurmurIce: Shutdown complete
<W>2016-06-04 14:35:34.827 Initializing settings from /usr/local/etc/murmur.ini (basepath /usr/local/etc)
<W>2016-06-04 14:35:34.828 Binding to address 212.83.187.132
<W>2016-06-04 14:35:34.828 Binding to address 2001:470:1F13:9E1:0:C0FF:EE:1
<C>2016-06-04 14:35:34.844 Adding 1 CA certificates from certificate file.
<W>2016-06-04 14:35:34.845 Meta: TLS cipher preference is "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA:AES128-SHA"
<W>2016-06-04 14:35:34.845 OpenSSL: OpenSSL 1.0.1e-freebsd 11 Feb 2013
<W>2016-06-04 14:35:35.507 MurmurIce: Endpoint "tcp -h 212.83.187.132 -p 6502 -t 60000" running
<W>2016-06-04 14:35:35.508 MurmurIce: Endpoint "tcp -h "2001:470:1f13:9e1:0:c0ff:ee:1" -p 6502 -t 60000" running
<W>2016-06-04 14:35:35.508 Murmur 1.2.10 (Compiled Feb 15 2016 06:18:32) running on X11: FreeBSD 10.1-RELEASE-p26: Booting servers
<W>2016-06-04 14:35:36.352 1 => Server listening on 212.83.187.132:64738
<W>2016-06-04 14:35:36.356 1 => Server listening on [2001:470:1f13:9e1::c0ff:ee:1]:64738
<W>2016-06-04 14:35:36.360 1 => Server: Failed to set TOS for UDP Socket
<W>2016-06-04 14:35:39.492 1 => <1:(-1)> New connection: [2001:41d0:2:8d8c:216:3eff:fed3:976d]:52358
<W>2016-06-04 14:35:39.492 Connection: Failed to set TOS for TCP Socket
<W>2016-06-04 14:35:39.675 1 => <1:(-1)> Client version 1.2.7 (Linux: mumble-ruby 1.1.2)
<W>2016-06-04 14:35:39.930 1 => Starting voice thread
<W>2016-06-04 14:35:39.934 1 => CELT codec switch ffffffff8000000b 0 (prefer ffffffff8000000b) (Opus 1)
<W>2016-06-04 14:35:39.951 1 => <1:Wolfplex(30)> Authenticated
<W>2016-06-04 14:38:19.510 1 => <2:(-1)> New connection: 52.201.18.254:55622
<W>2016-06-04 14:38:19.706 1 => Registration: No DNS records found: New registration successful
<W>2016-06-04 14:38:19.710 1 => <2:(-1)> Connection closed: The TLS/SSL connection has been closed [1]
dereckson lowered the priority of this task from High to Normal. Jun 4 2016, 14:43

We need a script to automate the process.

Done, but now we need to configure Let's encrypt to call this script when the certificate is renewed.

#!/bin/sh

# -------------------------------------------------------------
# Deploy Mumble certificate on Murmur
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2016-11-03
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------

if [ -z "$JAIL_HOSTNAME" ]; then
    JAIL_HOSTNAME=mumble.nasqueron.org
fi

if [ -z "$CERT_DIR" ]; then
    # live/ holds symlinks to the current certificate, so no versioned
    # file name (fullchain1.pem, ...) is needed here.
    CERT_DIR=/usr/local/etc/letsencrypt/live/$JAIL_HOSTNAME
fi

if [ -z "$JAIL_DIR" ]; then
    JAIL_DIR=/usr/local/jails/$JAIL_HOSTNAME
fi

if [ -z "$JAIL_ID" ]; then
    # jid of the running jail, looked up by hostname in jls output
    JAIL_ID=$(jls | grep "$JAIL_HOSTNAME" | awk '{print $1}')
fi

SSL_DIR="$JAIL_DIR/usr/local/etc/ssl/nasqueron.org"

cp "$CERT_DIR/fullchain.pem" "$SSL_DIR/mumble.crt"
cp "$CERT_DIR/privkey.pem" "$SSL_DIR/mumble.key"

# murmur has uid 338; the private key must be readable by murmur only
chown 338:0 "$SSL_DIR/mumble.key"
chmod 400 "$SSL_DIR/mumble.key"

jexec "$JAIL_ID" service murmur restart

Currently, the configuration file contains the following instructions:

/usr/local/etc/letsencrypt/renewal/mumble.nasqueron.org.conf
…
# Options used in the renewal process
[renewalparams]
account = …
authenticator = webroot
installer = None
[[webroot_map]]
mumble.nasqueron.org = /var/letsencrypt-auto

We probably should create an installer. https://certbot.eff.org/docs/contributing.html#installer

We can then ship it as a Python package: https://github.com/certbot/certbot/tree/master/examples/plugins

Here is how to call an external process:

certbot/certbot-nginx/certbot_nginx/configurator.py
from certbot import errors, util

# Method of the NginxConfigurator class: runs "nginx -c <conf> -t" through
# util.run_script and turns a non-zero exit status into a MisconfigurationError.
def config_test(self):  # pylint: disable=no-self-use
    """Check the configuration of Nginx for errors.

    :raises .errors.MisconfigurationError: If config_test fails
    """
    try:
        util.run_script([self.conf('ctl'), "-c", self.nginx_conf, "-t"])
    except errors.SubprocessError as err:
        raise errors.MisconfigurationError(str(err))
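The comments above ask for two things: a script that installs the renewed certificate into the jail, and a way for the Let's encrypt client to run it. The hook below is an added example written for this task; it is neither the script from commit c356aa59ba95 nor anything shipped by Nasqueron or certbot. It relies on a certbot feature rather than on a custom installer plugin: certbot runs the program given to `--deploy-hook` after every successful renewal (the setting is stored as `renew_hook` under `[renewalparams]` in the renewal configuration) and exports `RENEWED_LINEAGE`, the `live/<name>` directory of the certificate it just renewed, to that program. The jail paths, the murmur uid and the mumble.crt/mumble.key names come from the task; the function names, the public-key consistency check and the staging logic are assumptions. It goes slightly beyond the committed script: it refuses to install a certificate whose public key does not belong to the private key beside it, and it creates the files under umask 077 and renames them into place so the key is never readable by other users inside the jail, not even briefly.

```shell
#!/bin/sh
# deploy-mumble-cert.sh: certbot deploy hook for the Mumble jail.
# Added example for this task, not the committed script. Paths, the murmur uid
# and the mumble.crt/mumble.key names come from the task; everything else
# (function names, the public-key check, the staging logic) is an assumption.
set -eu

JAIL_HOSTNAME="${JAIL_HOSTNAME:-mumble.nasqueron.org}"
JAIL_DIR="${JAIL_DIR:-/usr/local/jails/$JAIL_HOSTNAME}"
SSL_DIR="${SSL_DIR:-$JAIL_DIR/usr/local/etc/ssl/nasqueron.org}"
MURMUR_UID="${MURMUR_UID:-338}"   # murmur's uid inside the jail

# Succeeds only if the certificate's public key is the one derived from the
# private key. A mismatched pair would make murmur refuse to serve TLS after
# the restart, so this is checked before anything is copied.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# deploy_cert <lineage dir> <jail ssl dir> <uid>
# Copies fullchain.pem/privkey.pem in as mumble.crt/mumble.key. Files are
# created with umask 077 and renamed into place, so the key is never readable
# by other jail users, even briefly, and murmur never reads a half-written file.
# Returns 2 if the source files are missing, 3 if cert and key do not match.
deploy_cert() {
    src="$1"; dest="$2"; uid="$3"
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 2
    if command -v openssl >/dev/null 2>&1; then
        cert_matches_key "$src/fullchain.pem" "$src/privkey.pem" || return 3
    fi
    umask 077
    cp "$src/fullchain.pem" "$dest/mumble.crt.new"
    cp "$src/privkey.pem" "$dest/mumble.key.new"
    chmod 644 "$dest/mumble.crt.new"
    chmod 400 "$dest/mumble.key.new"
    # chown needs root; skip it when the functions are exercised as a normal user
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid:0" "$dest/mumble.key.new"
    fi
    mv -f "$dest/mumble.crt.new" "$dest/mumble.crt"
    mv -f "$dest/mumble.key.new" "$dest/mumble.key"
}

# Restart murmur inside the jail, looking the jid up by hostname in jls
# output as the task's script does.
restart_murmur() {
    jid=$(jls | awk -v h="$JAIL_HOSTNAME" 'index($0, h) { print $1; exit }')
    [ -n "$jid" ] || { echo "jail $JAIL_HOSTNAME is not running" >&2; return 1; }
    jexec "$jid" service murmur restart
}

# certbot sets RENEWED_LINEAGE (live/<name> of the renewed certificate) when it
# runs a deploy hook. Without it the script only defines the functions above,
# so it can be sourced and tested against scratch directories.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "$SSL_DIR" "$MURMUR_UID"
    restart_murmur
fi
```

To have certbot call it, either run `certbot renew --deploy-hook /usr/local/sbin/deploy-mumble-cert.sh` once (certbot then records it in the renewal configuration) or add `renew_hook = /usr/local/sbin/deploy-mumble-cert.sh` under `[renewalparams]` in /usr/local/etc/letsencrypt/renewal/mumble.nasqueron.org.conf; the install path is an assumption. `--deploy-hook` requires certbot 0.17 or newer, which postdates the comments above. For a manual deployment, `RENEWED_LINEAGE=/usr/local/etc/letsencrypt/live/mumble.nasqueron.org sh deploy-mumble-cert.sh` does the same as the hand-typed steps from the first comment, plus the ownership, mode and key-match checks.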
dereckson updated the task description.
dereckson removed dereckson as the assignee of this task. Edited Nov 6 2016, 19:05
dereckson added a project: good-first-issue.

Current status

Commit c356aa59ba95 prepared a script to run when the certificate is updated, comment T853#12213 has cleared the path for a way to run this script directly from the Let's encrypt certbot client.

Not currently working on this, but I tag this as good-first-issue as the issue has correctly been analyzed, and will provide assistance if someone wants to do this.

[ This task isn't on my immediate radar. ]