FeministWiki:Technical documentation: Difference between revisions

    The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.


    After certificates are generated with {{C|certbot}}, copies of them are put into {{C|/etc/fw-certs}}, and the group ownership and permissions of the {{C|privkey.pem}} and {{C|bundle.pem}} files are set such that any user who's in the {{C|ssl-cert}} group can read the private key and bundle.  (The others can be read by anyone anyway.) A script in {{C|/etc/letsencrypt/renewal-hooks/post}} is responsible for taking care of this after automatic executions of certbot scheduled by the operating system.


    The file {{C|/etc/fw-certs/bundle.pem}} is useful for programs that don't have the capability of reading a separate cert and key file; it combines the full certificate chain ({{C|fullchain.pem}}) with the private key in a single file.
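The post-renewal hook described above, together with the construction of bundle.pem, as an added example written for this page (not the FeministWiki's own script). The function names install_fw_certs and check_fw_certs are hypothetical; the source and destination directories and the group are parameters, with the page's /etc/fw-certs and ssl-cert as defaults.

```shell
#!/bin/sh
# Hypothetical certbot post-renewal hook (example for this page, not the wiki's script):
# copy one domain's certbot output into the shared directory, build bundle.pem,
# and make sure only root and the ssl-cert group can read the key material.
set -eu

# install_fw_certs LIVE_DIR [DEST_DIR] [GROUP]
#   LIVE_DIR  certbot's live directory for the domain (fullchain.pem, privkey.pem)
#   DEST_DIR  where the copies go (default: /etc/fw-certs, as on the page)
#   GROUP     group allowed to read key and bundle (default: ssl-cert, as on the page)
install_fw_certs() {
    live="$1"; dest="${2:-/etc/fw-certs}"; group="${3:-ssl-cert}"
    [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ] || return 1
    mkdir -p "$dest"
    # The chain is public material and may stay world-readable.
    install -m 0644 "$live/fullchain.pem" "$dest/fullchain.pem"
    # The private key is readable by owner and the chosen group only.
    install -m 0640 -g "$group" "$live/privkey.pem" "$dest/privkey.pem"
    # bundle.pem = full chain followed by the private key, for programs that
    # cannot read a separate cert and key file. Write it under umask 077 and
    # rename it into place so the key is never exposed world-readable,
    # not even briefly.
    ( umask 077; cat "$live/fullchain.pem" "$live/privkey.pem" > "$dest/bundle.pem.tmp" )
    chgrp "$group" "$dest/bundle.pem.tmp"
    chmod 0640 "$dest/bundle.pem.tmp"
    mv "$dest/bundle.pem.tmp" "$dest/bundle.pem"
}

# check_fw_certs [DEST_DIR]: succeed only if both key-bearing files exist and
# carry no world-readable bit (a cheap audit to run after every renewal).
check_fw_certs() {
    dest="${1:-/etc/fw-certs}"
    for f in privkey.pem bundle.pem; do
        [ -f "$dest/$f" ] || return 1
        # find prints the path if the "other: read" bit (004) is set
        [ -z "$(find "$dest/$f" -perm -004)" ] || return 1
    done
}
```

On the real system the hook would be called with the domain's directory under /etc/letsencrypt/live and the defaults; the group argument exists so the functions can be exercised on a machine without an ssl-cert group.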


    If you ever add a new domain under which the FeministWiki server will be reachable, add it as a line to the file {{C|/root/etc/domains}} and run the script {{C|/root/bin/letsencrypt-refresh}}.  This script takes care of running {{C|certbot}} to refresh the cert files, and populating the {{C|/etc/fw-certs}} directory with updated files.


    Note that whenever you run the {{C|letsencrypt-refresh}} script, it will momentarily stop the web server.  This means you're causing a short outage of the web-based services of the FeministWiki whenever you run the script.