Jump to content

FeministWiki:Technical documentation: Difference between revisions

No edit summary
Line 121: Line 121:
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.


To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line. Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following commands while TCP port 80 is free (e.g. stop Apache first):
After certificates are generated with {{C|certbot}}, copies of them are put into {{C|/etc/fw-certs}}, and the group ownership and permissions of the {{C|privkey.pem}} and {{C|bundle.pem}} files are set such that any user who's in the {{C|ssl-cert}} group can read the private key and bundle. (The others can be read by anyone anyway.)


  # Use $() to eliminate the terminating newline, if any.
The file {{C|/etc/fw-certs/bundle.pem}} is useful for programs that don't have the capability of reading a separate cert and key file; it combines the full certificate chain ({{C|fullchain.pem}}) with the private key in a single file.
  domains=$(cat /root/etc/domains)
 
  domains=$(printf '%s' "$domains" | tr '\n' ',')
 
  letsencrypt certonly --authenticator standalone --keep --expand -d "$domains"


Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
If you ever add a new domain under which the FeministWiki server will be reachable, add it as a line to the file {{C|/root/etc/domains}} and run the script {{C|/root/bin/letsencrypt-refresh}}. This script takes care of running {{C|certbot}} to refresh the cert files, and populating the {{C|/etc/fw-certs}} directory.


cd /etc/letsencrypt/live/feministwiki.org
Note that whenever you run the {{C|letsencrypt-refresh}} script, it will momentarily stop the web server.  This means you're causing a short outage of the web-based services of the FeministWiki whenever you run the script.
cat fullchain.pem privkey.pem > certbundle.pem
 
The script <code>/root/bin/letsencrypt-refresh</code> '''does all of the above''' automatically.  It stops Apache, runs the commands described above, and starts Apache again.  This can be used not only to refresh a cert that's running out, but also to add a new domain to the cert.  Just add the domain to <code>/root/etc/domains</code> and run the commands.  Note that the letsencrypt command may not work well on a "dumb" terminal such as an Emacs shell buffer.  If in doubt, run it from within a proper terminal emulator.
 
=== Readability of the key files ===
 
To ensure that processes running under unprivileged users can read key files, ensure that the users they run under are members of the <code>ssl-cert</code> group, which should have read access to the files in <code>/etc/letsencrypt/live/feministwiki.org</code>.


== Ubuntu package repositories ==
== Ubuntu package repositories ==