
Automate LE cert renewal
Closed, ResolvedPublic

Description

As you know, Let's Encrypt certs all expire after 90 days. Even though we have -r, which makes it easier to upgrade, it would still be a good idea to have this automated.

IMO it wouldn't be that hard; all we would need to do is make a job run /root/ssl-certificate -r [domain] and then update the existing cert. But that would cause problems, as we currently have certs on GitHub, so that would make it more complicated.

Event Timeline

labster awarded a token. Jun 12 2017, 19:07
John closed this task as Declined. Aug 11 2017, 12:28
John claimed this task.
John added a subscriber: John.

Not technically possible with the current setup with a major change, one being a lot of web server changes and potentially even script changes upstream.

labster reopened this task as Open. Oct 1 2017, 09:10
labster added a subscriber: labster.

OK, if even a fraction of wiki.wiki wikis come to us, we're going to need this, as we have only a fraction of the volunteer time needed to deal with all of their TLDs.

Looking at the current process the ideas I have are:

  • Set up a cron job on mw1 to automatically renew certificates, then push the result into the ssl repo. Obviously, mw1 would need access to that repo.
  • Do the same thing as above, but RewriteRule all requests to /.well-known to proxy to a different server, and let that server have access to the ssl repo. That way we could keep the web servers from having any commit access.

If John could elaborate on the "not technically possible" bit above, I'd appreciate it, because this is a solved problem in other places, and we need to be able to solve it too.

I agree that a solution is needed, as we'll be getting more custom domains (especially with wiki.wiki) and manually renewing certs will become more time consuming.

Paladox added a subscriber: Paladox. Oct 14 2017, 11:41
Reception123 removed John as the assignee of this task. Oct 27 2017, 16:14

@Southparkfan has agreed with this via IRC.

Therefore, a cron should be written for renewing certs (preferably when Icinga states that there are a few days left, rather than having to renew every cert every 3 months), then an account (possibly called "Miraheze-SSLRenew") should be created on GitHub (allowed to push to SSL), which mw1 should be able to push to.
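
A renewal script along the lines of the cron described above, as an added example and not Miraheze's own code: it renews only when the certificate is within a configurable number of days of expiry, and commits and pushes from a checkout whose deploy key belongs to a dedicated renewal account rather than to the web server. Only the /root/ssl-certificate -r invocation comes from the task; the repo path, the certificates/DOMAIN.crt layout and the GNU date dependency are assumptions.

```shell
#!/bin/sh
# Added example, not Miraheze's own script. Assumptions (not from the task):
#  - /root/ssl-certificate -r DOMAIN renews the cert in place (path from the task)
#  - the ssl repo is checked out at $SSL_REPO with certs at certificates/DOMAIN.crt
#  - that checkout's remote uses a deploy key belonging to a dedicated renewal
#    account (the "Miraheze-SSLRenew" idea), so the web server never holds it
#  - GNU date (Debian) for "date -d"
set -eu

SSL_REPO="${SSL_REPO:-/srv/ssl}"
RENEW_WITHIN_DAYS="${RENEW_WITHIN_DAYS:-14}"

# Decision only: true when the cert expires within the threshold (or already has).
# Arguments: expiry epoch, current epoch, threshold in days.
needs_renewal() {
    expiry="$1"; now="$2"; days="$3"
    [ $(( expiry - now )) -le $(( days * 86400 )) ]
}

# Expiry of the PEM cert at $1 as a Unix timestamp (via openssl + GNU date).
cert_expiry_epoch() {
    notafter=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    date -d "$notafter" +%s
}

# Renew one domain only if it is due, then commit and push the new cert.
renew_if_needed() {
    domain="$1"
    cert="$SSL_REPO/certificates/$domain.crt"
    if ! needs_renewal "$(cert_expiry_epoch "$cert")" "$(date +%s)" "$RENEW_WITHIN_DAYS"; then
        echo "$domain: not due for renewal"
        return 0
    fi
    /root/ssl-certificate -r "$domain"
    (
        cd "$SSL_REPO"
        git add "certificates/$domain.crt"
        git commit -q -m "Automatic renewal of $domain"
        git push -q origin HEAD
    )
}

# A daily cron entry would look like (hypothetical install path):
#   0 3 * * * DOMAIN=example.org /usr/local/sbin/renew-le-cert
if [ -n "${DOMAIN:-}" ]; then
    renew_if_needed "$DOMAIN"
fi
```

Running it once per domain from cron keeps the threshold check, not the 90-day calendar, as the trigger, which is the "renew when a few days are left" behaviour asked for above.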

Paladox assigned this task to John. May 15 2018, 01:58
John removed John as the assignee of this task. May 15 2018, 01:59
Paladox removed Paladox as the assignee of this task. May 15 2018, 02:05
John claimed this task. May 22 2018, 18:55
John added a project: Goal-2018-Jan-Jun.
John closed this task as Resolved. May 24 2018, 02:19

Logic now exists for this automatically.

Paladox added a comment. May 24 2018, 08:04

@John so this means it will renew without us doing anything now?

John moved this task from Backlog to Operations on the Goal-2018-Jan-Jun board. Jun 27 2018, 23:01