Line 121:
 The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.
- To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line. Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following commands while TCP port 80 is free (e.g. stop Apache first):
-
-  # Use $() to eliminate the terminating newline, if any.
-  domains=$(cat /root/etc/domains)
-  domains=$(printf '%s' "$domains" | tr '\n' ',')
-  letsencrypt certonly --authenticator standalone --keep --expand -d "$domains"
+ After certificates are generated with {{C|certbot}}, copies of them are put into {{C|/etc/fw-certs}}, and the group ownership and permissions of the {{C|privkey.pem}} and {{C|bundle.pem}} files are set such that any user who's in the {{C|ssl-cert}} group can read the private key and bundle. (The others can be read by anyone anyway.)
+
+ The file {{C|/etc/fw-certs/bundle.pem}} is useful for programs that don't have the capability of reading a separate cert and key file; it combines the full certificate chain ({{C|fullchain.pem}}) with the private key in a single file.
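Review bot: the replacement paragraph says the {{C|ssl-cert}} group can read {{C|privkey.pem}} and {{C|bundle.pem}} but never states the owner, group and mode those files end up with, and the parenthetical "The others can be read by anyone anyway" does not name which files "the others" are, so a reader could take it to include the key. State it explicitly, e.g. "privkey.pem and bundle.pem are root:ssl-cert, mode 0640; fullchain.pem and the other public certificate files are 0644", so an admin can check the result with `ls -l /etc/fw-certs` and notice a world-readable private key. The removed instructions also carried the reason Apache has to be stopped (the standalone authenticator needs TCP port 80 free); that reason should survive somewhere, since the outage note later in this diff depends on it.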
- Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
-
-  cd /etc/letsencrypt/live/feministwiki.org
-  cat fullchain.pem privkey.pem > certbundle.pem
+ If you ever add a new domain under which the FeministWiki server will be reachable, add it as a line to the file {{C|/root/etc/domains}} and run the script {{C|/root/bin/letsencrypt-refresh}}. This script takes care of running {{C|certbot}} to refresh the cert files, and populating the {{C|/etc/fw-certs}} directory.
+
+ Note that whenever you run the {{C|letsencrypt-refresh}} script, it will momentarily stop the web server. This means you're causing a short outage of the web-based services of the FeministWiki whenever you run the script.
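Review bot: the new text presents {{C|letsencrypt-refresh}} only as the procedure for adding a domain; the removed paragraph also stated that the same script is how an expiring cert gets renewed, and that {{C|letsencrypt}} may not work well on a "dumb" terminal such as an Emacs shell buffer. If both still hold, keep them: say the script is the renewal procedure as well, and that it should be run from a proper terminal emulator. The outage sentence would also be clearer with the cause from the removed text: the standalone authenticator needs TCP port 80, so Apache is stopped while {{C|certbot}} runs and started again afterwards.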
- The script <code>/root/bin/letsencrypt-refresh</code> '''does all of the above''' automatically. It stops Apache, runs the commands described above, and starts Apache again. This can be used not only to refresh a cert that's running out, but also to add a new domain to the cert. Just add the domain to <code>/root/etc/domains</code> and run the commands. Note that the letsencrypt command may not work well on a "dumb" terminal such as an Emacs shell buffer. If in doubt, run it from within a proper terminal emulator.
-
- === Readability of the key files ===
-
- To ensure that processes running under unprivileged users can read key files, ensure that the users they run under are members of the <code>ssl-cert</code> group, which should have read access to the files in <code>/etc/letsencrypt/live/feministwiki.org</code>.
 == Ubuntu package repositories ==
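Review bot: removing the "Readability of the key files" section drops the one actionable step for someone deploying a service: the unprivileged user the service runs under has to be a member of the {{C|ssl-cert}} group. The new "After certificates are generated" paragraph mentions the group but not how a process gets access. Keep one sentence next to the {{C|/etc/fw-certs}} paragraph, e.g. "add the service user to the ssl-cert group (usermod -a -G ssl-cert USER) and restart the service, since group membership is picked up only when the process starts". The old section also pointed services at {{C|/etc/letsencrypt/live/feministwiki.org}} while the new text only ever mentions {{C|/etc/fw-certs}}; say plainly which directory services are expected to read from so nobody grants group access to the wrong one.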