BNMR: SSL certificates

From DaqWiki

isdaq01 currently runs CentOS 6, which is not supported by certbot. It also doesn't run an Apache/Nginx proxy, but exposes different ports for the different experiments. We also don't want to use self-signed SSL certificates, as browsers are making them harder and harder to accept.

Enter acme.sh, a pure shell script that can talk to Let's Encrypt and other ACME certificate issuers.

Installing acme.sh

As root on isdaq01:

# Install socat so acme.sh can spin up a "standalone" server
# to answer the ACME HTTP-01 challenge, as we don't use Apache/nginx.
yum install socat

# Install acme.sh (it copies itself to /root/.acme.sh and adds an
# "acme.sh" alias to root's shell profile; open a new shell, or use
# /root/.acme.sh/acme.sh, if the alias is not active yet)
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install -m bsmith@triumf.ca

# Issue the certificate (see below for the post-hook script).
# --standalone listens on port 80 for the challenge, so that port must
# be free on isdaq01 and reachable from the internet while this runs.
acme.sh --issue --standalone -d isdaq01.triumf.ca --server letsencrypt --post-hook /root/install-acme-bnmr-bnqr.sh

Renewal

Installing acme.sh automatically creates a cron entry that will run once per day to check if certificates need to be renewed. It is in the root user's crontab.

Post-hook script - deploy for bnmr and bnqr

mhttpd looks for a file called ssl_cert.pem in ~/online. This file must contain both the certificate and the private key, and must be readable by the bnmr/bnqr user (so a symlink to the actual files in /root won't work, since /root is not readable by those users). Therefore acme.sh runs a post-hook script that copies the SSL certificate to the correct locations and restarts mhttpd each time the certificate is renewed.

The script in /root/install-acme-bnmr-bnqr.sh is:

#!/bin/bash
# Post-hook run by acme.sh after each successful issue/renewal:
# builds the combined cert+key file mhttpd expects and restarts mhttpd.
cd /root/.acme.sh/isdaq01.triumf.ca/ || exit 1
# The combined file carries the private key, so create it owner-readable only.
umask 077
cat isdaq01.triumf.ca.cer isdaq01.triumf.ca.key > isdaq01.triumf.ca.pem
cp isdaq01.triumf.ca.pem /home/bnmr/online/ssl_cert.pem
cp isdaq01.triumf.ca.pem /home/bnqr/online/ssl_cert.pem
chown bnmr /home/bnmr/online/ssl_cert.pem
chown bnqr /home/bnqr/online/ssl_cert.pem
# cp keeps the mode of an existing destination file, so tighten it explicitly.
chmod 600 /home/bnmr/online/ssl_cert.pem /home/bnqr/online/ssl_cert.pem
# Restart mhttpd for each experiment so it picks up the new certificate.
pkill -u bnmr mhttpd
pkill -u bnqr mhttpd
su -l bnmr -c 'mhttpd -D'
su -l bnqr -c 'mhttpd -D'
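The requirements above (one file holding both the certificate and the private key, owned by the experiment user, and, because it carries a private key, readable by that user only) can be checked after a renewal. The script below is an added example, not code from the DaqWiki page or from acme.sh; the function names, the "run" argument and the use of GNU stat/date are assumptions of this example. It also reports how many certificates the bundle holds (1 means only the leaf certificate was deployed) and, when openssl is available, how many days remain before expiry.

```shell
#!/bin/bash
# Added check (example code, not from the DaqWiki page or acme.sh):
# verifies a deployed ssl_cert.pem against what mhttpd expects.

# check_pem_bundle FILE OWNER
# Exit status 0 when FILE holds at least one certificate and exactly one
# private key, belongs to OWNER and has mode 600 or 400; otherwise it
# prints the first problem found and returns 1.
check_pem_bundle() {
    file="$1"
    owner="$2"
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    # grep -c exits 1 on zero matches; '|| true' keeps the count usable.
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
    keys=$(grep -c -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$file" || true)
    if [ "$certs" -lt 1 ]; then
        echo "FAIL: $file contains no certificate"
        return 1
    fi
    if [ "$keys" -ne 1 ]; then
        echo "FAIL: $file contains $keys private keys, expected 1"
        return 1
    fi
    # GNU stat (as on CentOS): %U = owner name, %a = octal mode.
    actual_owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $file is owned by $actual_owner, expected $owner"
        return 1
    fi
    case "$mode" in
        600|400) ;;
        *)
            echo "FAIL: $file has mode $mode; a file holding a private key should be 600"
            return 1
            ;;
    esac
    echo "OK: $file ($certs certificate(s), 1 key, owner $owner, mode $mode)"
    return 0
}

# days_until_expiry FILE
# Prints the number of days until the first certificate in FILE expires
# (negative once it has expired). Needs openssl and GNU date.
days_until_expiry() {
    notafter=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    expiry=$(date -d "$notafter" +%s)
    now=$(date +%s)
    echo $(( (expiry - now) / 86400 ))
}

# check_deployments
# Runs both checks for the bnmr and bnqr deployments; exit status is 1 if
# any bundle fails the structural/permission check.
check_deployments() {
    rc=0
    for user in bnmr bnqr; do
        pem="/home/$user/online/ssl_cert.pem"
        check_pem_bundle "$pem" "$user" || rc=1
        if [ -f "$pem" ] && command -v openssl >/dev/null 2>&1; then
            echo "  expires in $(days_until_expiry "$pem") days"
        fi
    done
    return $rc
}

# Invoke as: ./check-ssl-cert.sh run   (assumed file name)
if [ "${1:-}" = "run" ]; then
    check_deployments
    exit $?
fi
```

Running it as root right after the post-hook (or from cron a few days before the expected renewal) turns a silent misdeployment, such as a bundle that lost its key or became world-readable, into a non-zero exit status you can alert on.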