FeministWiki:Technical documentation: Difference between revisions

(Created page with "This page documents the FeministWiki's technical infrastructure, the target audience being technicians. == Hosts == The following table documents the DNS configuration, and...")
 
Line 41: Line 41:
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.


To ease use of the letsencrypt command, the file <code>/root/domains</code> contains all the FQDNs used by the FeministWiki, one per line.  The final line of the file should '''not''' end in a newline character.  Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following command while TCP port 80 is free (e.g. stop Apache first):
To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line.  Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following command while TCP port 80 is free (e.g. stop Apache first):


  letsencrypt certonly --authenticator standalone -d "$(tr '\n' ',' < /root/domains)"
  letsencrypt certonly --authenticator standalone -d "$(tr '\n' ',' < /root/etc/domains)"


Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
Line 52: Line 52:
The script <code>/root/bin/letsencrypt-refresh</code> '''does all of the above''', so in practice you just need to run the following commands to recreate the cert:
The script <code>/root/bin/letsencrypt-refresh</code> '''does all of the above''', so in practice you just need to run the following commands to recreate the cert:


  service apache2 stop
  service apache2 stop # Assuming Apache is running on the machine
  letsencrypt-refresh
  letsencrypt-refresh
  service apache2 start
  service apache2 start


The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert.  Just add the domain to <code>/root/domains</code> and run the commands.
The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert.  Just add the domain to <code>/root/etc/domains</code> and run the commands.


Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer.  Make sure to run it from within a proper terminal emulator.
Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer.  Make sure to run it from within a proper terminal emulator.