[WiP] SSL

[sethfitz]

Requires certificates to be present in /etc/nginx/{fullchain,privkey}.pem.

dehydrated -c was used to produce the necessary challenges (deployed to export.posm.io:/var/www/dehydrated).

export.posm.io:/etc/nginx/sites-enabled/default contains:

        location /.well-known/acme-challenge {
                alias /var/www/dehydrated;
        }

config:

CHALLENGETYPE="http-01"
CONTACT_EMAIL="[email protected]"
KEYSIZE="2048"
HOOK="./hook.sh"
WELLKNOWN=something

domains.txt:

posm.io

hook.sh:

#!/bin/sh

deploy_challenge() {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    # This hook is called once for every domain that needs to be
    # validated, including any alternative names you may have listed.
    #
    # Parameters:
    # - DOMAIN
    #   The domain name (CN or subject alternative name) being
    #   validated.
    # - TOKEN_FILENAME
    #   The name of the file containing the token to be served for HTTP
    #   validation. Should be served by your web server as
    #   /.well-known/acme-challenge/${TOKEN_FILENAME}.
    # - TOKEN_VALUE
    #   The token value that needs to be served for validation. For DNS
    #   validation, this is what you want to put in the _acme-challenge
    #   TXT record. For HTTP validation it is the value that is expected
    #   be found in the $TOKEN_FILENAME file.
    echo $DOMAIN
    echo "/.well-known/acme-challenge/${TOKEN_FILENAME}"
    echo $TOKEN_VALUE

    read -s -r -e < /dev/tty
}

clean_challenge() {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    # This hook is called after attempting to validate each domain,
    # whether or not validation was successful. Here you can delete
    # files or DNS records that are no longer needed.
    #
    # The parameters are the same as for deploy_challenge.
}

deploy_cert() {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"

    # This hook is called once for each certificate that has been
    # produced. Here you might, for instance, copy your new certificates
    # to service-specific locations and reload the service.
    #
    # Parameters:
    # - DOMAIN
    #   The primary domain name, i.e. the certificate common
    #   name (CN).
    # - KEYFILE
    #   The path of the file containing the private key.
    # - CERTFILE
    #   The path of the file containing the signed certificate.
    # - FULLCHAINFILE
    #   The path of the file containing the full certificate chain.
    # - CHAINFILE
    #   The path of the file containing the intermediate certificate(s).
    # - TIMESTAMP
    #   Timestamp when the specified certificate was created.
}

unchanged_cert() {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"

    # This hook is called once for each certificate that is still
    # valid and therefore wasn't reissued.
    #
    # Parameters:
    # - DOMAIN
    #   The primary domain name, i.e. the certificate common
    #   name (CN).
    # - KEYFILE
    #   The path of the file containing the private key.
    # - CERTFILE
    #   The path of the file containing the signed certificate.
    # - FULLCHAINFILE
    #   The path of the file containing the full certificate chain.
    # - CHAINFILE
    #   The path of the file containing the intermediate certificate(s).

    echo "Unchanged."
}

HANDLER="$1"; shift
"$HANDLER" "$@"

Refs posm/posm#21

[sethfitz]

When re-running, this is the output produced:

Processing posm.io
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 19 21:22:00 2017 GMT (Longer than 30 days). Skipping renew!
Unchanged.

This may mean that we can't produce device-specific certificates. (My intent is to produce an "encryption bundle" that can be deployed to a POSM device after it's been provisioned, providing it with device-specific secrets not included with the installer.)

Certificates are also only valid for 3 months, which may be too short under certain circumstances.

[sethfitz]

https://letsencrypt.org/docs/rate-limits/ suggests that duplicate certificates are possible (to the tune of 5/week).

That can be increased to 20/week by including an additional hostname to domains.txt (to make it unique).

@dalekunce you were going to ask ARC IT to map osm.posm.io to the Export instance (same as posm.io). Is it possible to amend that request to map *.posm.io to it?

[sethfitz]

"Duplicate certificates" produce unique PEMs using the same challenges.

[sethfitz]

To really make this secure (prevent certificates from being lifted and re-used to intercept traffic), each POSM will need a unique name, e.g. o.posm.io so that its SSL certificate will only match a specific host (and osm subdomain).