(Created page with "This page documents the FeministWiki's technical infrastructure, the target audience being technicians. == Hosts == The following table documents the DNS configuration, and...")
(→Certs)
Line 41: | Line 41: | ||
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication. | The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication. | ||
To ease use of the letsencrypt command, the file <code>/root/domains</code> contains all the FQDNs used by the FeministWiki, one per line | To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line. Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following command while TCP port 80 is free (e.g. stop Apache first): | ||
letsencrypt certonly --authenticator standalone -d "$(tr '\n' ',' < /root/domains)" | letsencrypt certonly --authenticator standalone -d "$(tr '\n' ',' < /root/etc/domains)" | ||
Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file: | Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file: | ||
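Review bot: the <code>-d "$(tr '\n' ',' < /root/etc/domains)"</code> invocation on the new line 9 produces a trailing comma whenever the domains file ends with a newline, which is the normal case for a one-FQDN-per-line file, so the last <code>-d</code> entry is an empty string that the letsencrypt client may reject or mis-parse; <code>-d "$(paste -sd, /root/etc/domains)"</code> joins the lines with commas and no trailing separator. The rename from <code>/root/domains</code> to <code>/root/etc/domains</code> is applied consistently to both the prose and the command in this hunk, which is good; the added note that TCP port 80 must be free is the key operational constraint of the standalone authenticator and belongs next to the command as done here.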
Line 52: | Line 52: | ||
The script <code>/root/bin/letsencrypt-refresh</code> '''does all of the above''', so in practice you just need to run the following commands to recreate the cert: | The script <code>/root/bin/letsencrypt-refresh</code> '''does all of the above''', so in practice you just need to run the following commands to recreate the cert: | ||
service apache2 stop | service apache2 stop # Assuming Apache is running on the machine | ||
letsencrypt-refresh | letsencrypt-refresh | ||
service apache2 start | service apache2 start | ||
The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert. Just add the domain to <code>/root/domains</code> and run the commands. | The above can be used not only to refresh a cert that's running out, but also to add a new domain to the cert. Just add the domain to <code>/root/etc/domains</code> and run the commands. | ||
Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer. Make sure to run it from within a proper terminal emulator. | Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer. Make sure to run it from within a proper terminal emulator. |
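Review bot: the comment added to <code>service apache2 stop</code> ("Assuming Apache is running on the machine") narrows the instruction to Apache, but the actual requirement, stated in the Line 41 hunk, is that TCP port 80 be free for the standalone authenticator, so any other listener on port 80 has to be stopped as well; suggest wording the step as "stop whatever is listening on TCP port 80 (normally Apache)" rather than making it conditional on Apache alone. It would also help to state that <code>service apache2 start</code> must be run even if <code>letsencrypt-refresh</code> fails, so the site comes back up on the existing cert instead of staying offline.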