Wald - current situation
We're running a FusionForge 6.1.x instance named "Wald", reachable
via http://wald.intevation.org/ and https://wald.intevation.org/
Currently the certificate used for https is from our own CA (root
certificate downloadable at https://ssl.intevation.de/), which no web
browser trusts by default, so we would like to switch to certificates
from Let's Encrypt.
Let's Encrypt client
On other servers we are currently using the program "acmetool" from
https://github.com/hlandau/acmetool to request/renew Let's Encrypt
certificates. To support the new ACMEv2 protocol, at least version
0.2.1 (currently only available as a beta release) is needed.
A simple alternative client could be https://dehydrated.io/
Implementation proposal
Originally I thought we would need a certificate including SAN entries
for *.wald.intevation.org, wald.intevation.org and every alternative
host name pointing to Wald, e.g. mpuls.org and www.mpuls.org.
But wildcard certificates and Let's Encrypt are a little bit
complicated to handle automatically (Let's Encrypt only issues
wildcards via the DNS-01 challenge), especially in combination with
additional SAN entries for different domains, so I was thinking about
the following way:
A script on Wald provides a list of all used host names, i.e.:
- www.wald.intevation.org
- wald.intevation.org
- scm.wald.intevation.org
- hg.wald.intevation.org
- lists.wald.intevation.org
- what other host names *.wald.intevation.org did I miss?
- all project pages, e.g. adminton.wald.intevation.org
- the manually configured vhosts that are listed in httpd-ssl.vhosts
(e.g. mpuls.org and www.mpuls.org), but EXCLUDING those whose DNS
entry no longer points to Wald, e.g. openvas.org.
Wald could then request a single SSL certificate containing SAN
entries for all hostnames using e.g.
acmetool want www.wald.intevation.org wald.intevation.org ...more...
and use this single certificate for everything (assuming Let's
Encrypt allows that many SAN entries, I haven't verified this).
Before using "acmetool want", the old list of vhosts should be cleared
using "acmetool unwant ...old list of hostnames...", so no further
verification requests are triggered for hostnames that are no longer
in use and may now point to a different webserver.
The web server of Wald would need to direct all requests to
/.well-known/acme-challenge/ for all configured vhosts to the
challenge directory created by acmetool.
I know that projects on a FusionForge server can be configured to use
their own SSL certificates (I assume using SNI), but I don't want to
manually do this, especially since the verification challenges by
Let's Encrypt have to be done anyway and the certificates have a short
life span (I think 3 months).
Summary
The steps to implement this would be:
1. A script that lists all used host names that have a DNS entry
pointing to the server.
2. A script that takes the output of 1. and determines whether the list
has changed. If yes, it calls "acmetool unwant (all previous hostnames)"
followed by "acmetool want (all current hostnames)".
(This script will run regularly, e.g. via cron, or be triggered by
vhost changes.)
3. A configuration change to Apache to offer /.well-known/acme-challenge/
on all configured vhosts.
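As an added example (not part of this proposal and not acmetool's or FusionForge's own code), the three steps above as one script: it filters the candidate host names by DNS, diffs them against the previously wanted list, builds the acmetool unwant/want calls, and emits the Apache snippet for the challenge path. The server addresses, the state-file path, acmetool's default challenge directory (/var/run/acme/acme-challenge) and the candidate list are assumptions; in practice the candidates would come from httpd-ssl.vhosts and the FusionForge project list. It also answers the open question about SAN count: Let's Encrypt issues at most 100 names per certificate, so the script refuses a longer list instead of silently failing at request time.

```python
#!/usr/bin/env python3
"""Keep acmetool's wanted host names in sync with the vhosts that still
point at Wald (steps 1 and 2), and emit the Apache snippet for step 3.

Added example: not the proposal's, acmetool's or FusionForge's code.
Assumed: server addresses, state-file path, challenge directory and
the candidate host names.
"""
import socket
import subprocess
from pathlib import Path

# Let's Encrypt issues at most 100 names per certificate; the
# single-certificate design only works while the list stays below that.
MAX_NAMES_PER_CERT = 100

SERVER_ADDRS = {"192.0.2.10", "2001:db8::10"}       # assumed (documentation addresses)
STATE_FILE = Path("/var/lib/wald-acme/wanted-names")  # assumed state-file path
CHALLENGE_DIR = "/var/run/acme/acme-challenge"        # acmetool's default webroot (assumed)

# Constructed candidate list: what the vhost-listing script would produce.
CANDIDATE_NAMES = [
    "wald.intevation.org",
    "www.wald.intevation.org",
    "scm.wald.intevation.org",
    "adminton.wald.intevation.org",
    "mpuls.org",
    "www.mpuls.org",
    "openvas.org",                # DNS now points elsewhere: must be excluded
    "stale.wald.intevation.org",  # DNS entry removed: must be excluded
]

# Constructed DNS table so the example runs offline; main() uses real DNS.
CONSTRUCTED_DNS = {
    "wald.intevation.org": ["192.0.2.10", "2001:db8::10"],
    "www.wald.intevation.org": ["192.0.2.10"],
    "scm.wald.intevation.org": ["192.0.2.10"],
    "adminton.wald.intevation.org": ["192.0.2.10"],
    "mpuls.org": ["192.0.2.10"],
    "www.mpuls.org": ["192.0.2.10"],
    "openvas.org": ["198.51.100.7"],  # another server now
}


def table_resolver(name, port=None):
    """socket.getaddrinfo look-alike backed by CONSTRUCTED_DNS."""
    if name not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")
    return [(None, None, None, "", (addr, 0)) for addr in CONSTRUCTED_DNS[name]]


def addresses_of(name, resolver=socket.getaddrinfo):
    """All addresses a name resolves to; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in resolver(name, None)}
    except socket.gaierror:
        return set()


def names_pointing_here(candidates, server_addrs=SERVER_ADDRS,
                        resolver=socket.getaddrinfo):
    """Step 1: keep only names whose every address is one of ours.
    A name with a foreign address too is dropped: its challenge would be
    answered by a different server at least some of the time."""
    kept = []
    for name in dict.fromkeys(candidates):  # de-duplicate, keep order
        addrs = addresses_of(name, resolver)
        if addrs and addrs <= server_addrs:
            kept.append(name)
    return sorted(kept)


def plan_acmetool_calls(current, previous):
    """Step 2: no calls if unchanged; otherwise unwant the old list before
    wanting the new one, so moved-away names are never re-validated."""
    if set(current) == set(previous):
        return []
    if len(current) > MAX_NAMES_PER_CERT:
        raise ValueError(f"{len(current)} names exceed the "
                         f"{MAX_NAMES_PER_CERT}-name certificate limit")
    calls = []
    if previous:
        calls.append(["acmetool", "unwant", *sorted(previous)])
    if current:
        calls.append(["acmetool", "want", *current])
    return calls


def apache_challenge_snippet(challenge_dir=CHALLENGE_DIR):
    """Step 3: serve the challenge directory on every vhost. Place it in the
    global server context (inherited by all vhosts) or Include it per vhost."""
    return (f'Alias "/.well-known/acme-challenge/" "{challenge_dir}/"\n'
            f'<Directory "{challenge_dir}">\n'
            "    Options None\n"
            "    AllowOverride None\n"
            "    Require all granted\n"
            "</Directory>\n")


def main():
    previous = STATE_FILE.read_text().split() if STATE_FILE.exists() else []
    current = names_pointing_here(CANDIDATE_NAMES)
    for call in plan_acmetool_calls(current, previous):
        subprocess.run(call, check=True)
    STATE_FILE.parent.mkdir(parents=True, exist_ok=True)
    STATE_FILE.write_text("\n".join(current) + "\n")


if __name__ == "__main__":
    main()
```

After installing the Apache snippet, check every vhost (including a generated project vhost such as adminton.wald.intevation.org) by dropping a test file into the challenge directory and fetching http://HOST/.well-known/acme-challenge/FILE with curl; a vhost whose rewrite rules swallow that path will fail validation even though the Alias is present.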