Certificates

Figure 1022. Understanding web certificates Slide presentation

Figure 1023. Certificate trust level Slide presentation
Domain Validated

Fully automated process solely based on DNS / infrastructure challenges.

Organization Validated

Checking organization in question.

Extended Validation

Additional checks i.e. telephone based verification.


Figure 1024. Certificates by Terraform Slide presentation
provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}
resource "tls_private_key" "private_key" { algorithm = "RSA" }
resource "acme_registration" "reg" {
  account_key_pem = tls_private_key.private_key.private_key_pem
  email_address   = "nobody@example.com"
}
resource "acme_certificate" "certificate" {
      ...
  dns_challenge { ... }
}

Figure 1025. dns_challenge provider Slide presentation
resource "acme_certificate" "certificate" {
  ...
  dns_challenge {
    provider = "route53"
  }
}

acme DNS provider list:

  • acme-dns

  • alidns

  • ...

  • rfc2136

  • ...

  • zonomi


Figure 1026. rfc2136 provider configuration Slide presentation
dns_challenge {
  provider = "rfc2136"

  config = {
    RFC2136_NAMESERVER     = "ns1.sdi.hdm-stuttgart.cloud"
    RFC2136_TSIG_ALGORITHM = "hmac-sha512"
    RFC2136_TSIG_KEY       = "goik.key."
    RFC2136_TSIG_SECRET    = file("../dnsupdatetoken.key")
  }
}

Figure 1027. Bind server logfile Slide presentation
... updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': 
  deleting rrset at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT
... updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': 
    adding an RR at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT 
      "GtJZJZjCZLWoGsQDODCFnY37TmMjRiy8Hw9M1eDGhkQ"
... deleting rrset at ... TXT
... adding an RR ... TXT "eJckWl2F43nsf27bzVOjcrTGp_VFeCj2qTVM5Uodg-4"
... deleting an RR at _acme-challenge.goik.sdi.hdm-stuttgart.cloud TXT
... updating zone ... deleting an RR ... TXT

exercise No. 13

Creating a web certificate

Q:

Caution

During configuration always use the staging URL https://acme-staging-v02.api.letsencrypt.org/directory rather than https://acme-v02.api.letsencrypt.org/directory for generating certificates. There are rate limits!

As an example we assume your group has write privileges to a zone g03.sdi.hdm-stuttgart.cloud. Follow the acme_certificate documentation creating a certificate for the following three URIs:

  • The zone apex g03.sdi.hdm-stuttgart.cloud.

  • www.g03.sdi.hdm-stuttgart.cloud

  • cloud.g03.sdi.hdm-stuttgart.cloud

The subject_alternative_names attribute is your friend. Later webserver certificate installation requires two files:

  • Private key file e.g. private.pem.

  • Certificate key file e.g. certificate.pem.

Use resource "local_file" ... for generating this key pair in a sub folder gen of your current project.

exercise No. 14

Testing your web certificate

Q:

Create a host with DNS entries corresponding to Creating a web certificate . Install the Nginx web server. Modify the Nginx configuration to accept https requests using the certificate being generated in Creating a web certificate .

Tip

The Nginx default configuration already contains a self signed certificate being referred to by /etc/nginx/snippets/snakeoil.conf. In /etc/nginx/sites-available/default SSL support is yet commented out:

# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
...
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;

After configuration check for correctness:

root@www:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Correct any misconfiguration issues before restarting Nginx:

systemctl restart nginx

Pointing your browser to https://g03.sdi.hdm-stuttgart.cloud should and overriding certificate related warnings should show the web server's default entry page. Let your browser show you certificate related information.

If your certificate is alright re-generate it in Creating a web certificate this time using the production setting https://acme-v02.api.letsencrypt.org/directory. Don't forget switching back to the old configuration after completion. You may regret it!

Copy the generated certificate to your server again. This time your browser should present a flawless view with respect to the underlying certificate for all three URLs.