BNMR: SSL certificates
isdaq01 currently runs CentOS 6, which is not supported by certbot. It also doesn't run an Apache/Nginx proxy, but exposes different ports for the different experiments. We also don't want to use self-signed SSL certificates, as browsers are making them harder and harder to accept.
Enter acme.sh, a bash script that can talk to Let's Encrypt and other SSL certificate issuers and needs nothing more than bash, curl/wget and (for standalone mode) socat.
Installing acme.sh
As root on isdaq01:
# Install socat so acme.sh can spin up a "standalone" server
# to issue certificates, as we don't use Apache/nginx.
yum install socat

# Install acme.sh
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install -m bsmith@triumf.ca
# --install puts the script in /root/.acme.sh and adds an "acme.sh" alias
# to ~/.bashrc, so start a new root shell (or source ~/.bashrc) before the next step.

# Install certificate (see below for the post-hook script).
# Standalone mode answers the HTTP-01 challenge on port 80, so that port
# must be free on isdaq01 and reachable from the internet while this runs.
acme.sh --issue --standalone -d isdaq01.triumf.ca --server letsencrypt --post-hook /root/install-acme-bnmr-bnqr.sh
Renewal
Installing acme.sh automatically creates a cron entry that will run once per day to check if certificates need to be renewed. It is in the root user's crontab.
Post-hook script - deploy for bnmr and bnqr
mhttpd looks for a file called ssl_cert.pem in ~/online. This file must contain both the certificate and the private key, and must be readable by the bnmr/bnqr user (so a symlink to the actual files in /root won't work). Therefore a post-hook script copies the certificate and key to the correct locations and restarts mhttpd each time the certificate is renewed.
The script in /root/install-acme-bnmr-bnqr.sh is:
#!/bin/bash
# Run by acme.sh after every issue/renew attempt (--post-hook fires whether or
# not the renewal succeeded, so this must be safe to re-run on the existing files).
# Abort on the first error so a failed copy doesn't leave mhttpd restarted without a cert.
set -e
cd /root/.acme.sh/isdaq01.triumf.ca/
# mhttpd wants certificate and private key in a single file
cat isdaq01.triumf.ca.cer isdaq01.triumf.ca.key > isdaq01.triumf.ca.pem
cp isdaq01.triumf.ca.pem /home/bnmr/online/ssl_cert.pem
cp isdaq01.triumf.ca.pem /home/bnqr/online/ssl_cert.pem
chown bnmr /home/bnmr/online/ssl_cert.pem
chown bnqr /home/bnqr/online/ssl_cert.pem
# The combined file carries the private key: owner-only, not the umask default 644
chmod 600 isdaq01.triumf.ca.pem /home/bnmr/online/ssl_cert.pem /home/bnqr/online/ssl_cert.pem
# Restart mhttpd so it picks up the new certificate
# (pkill returns 1 when nothing was running; don't let set -e stop us there)
pkill -u bnmr mhttpd || true
pkill -u bnqr mhttpd || true
su -l bnmr -c 'mhttpd -D'
su -l bnqr -c 'mhttpd -D'
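A sanity check for what the post-hook leaves behind, as an added example (not one of the BNMR scripts): it verifies that each user's ssl_cert.pem contains a certificate and exactly one private key, is owned by that user with mode 600, and, when openssl is installed, that the certificate's public key matches the private key. The paths and user names are the ones from this page; the --check flag and the function names are assumptions of this example.

```shell
#!/bin/bash
# Post-deploy sanity check for the combined cert+key file that mhttpd reads.
# Added example; paths and users follow the page, the --check flag is assumed.

# 0 if FILE holds at least one certificate block and exactly one private key block.
pem_has_cert_and_key() {
    local file="$1" certs keys
    [ -r "$file" ] || return 1
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
    keys=$(grep -c -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$file" || true)
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]
}

# 0 if FILE is owned by USER and readable by nobody else (the private key is inside).
pem_owner_and_mode_ok() {
    local file="$1" user="$2" owner mode
    owner=$(stat -c %U "$file" 2>/dev/null) || return 1
    mode=$(stat -c %a "$file" 2>/dev/null) || return 1
    [ "$owner" = "$user" ] && [ "$mode" = "600" ]
}

# 0 if the certificate's public key equals the public key derived from the private key;
# 2 if openssl is not installed; 1 on mismatch or parse error.
pem_cert_matches_key() {
    local file="$1" cert_pub key_pub
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$file" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check both experiments' deployments; returns non-zero if anything is off.
check_deployed() {
    local rc=0 user file status
    for user in bnmr bnqr; do
        file="/home/$user/online/ssl_cert.pem"
        pem_has_cert_and_key "$file" || { echo "$file: missing cert or key block"; rc=1; }
        pem_owner_and_mode_ok "$file" "$user" || { echo "$file: wrong owner or mode"; rc=1; }
        status=0
        pem_cert_matches_key "$file" || status=$?
        if [ "$status" -eq 1 ]; then echo "$file: certificate does not match key"; rc=1; fi
    done
    return "$rc"
}

# Run the checks only when invoked with --check; sourcing the file just defines the functions.
case "${1:-}" in
    --check) check_deployed; exit $? ;;
esac
```

Run it as root right after the post-hook (e.g. `bash check-ssl-cert.sh --check`) or from cron; a non-zero exit means mhttpd is serving something other than the freshly issued certificate.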