Certificate roles to replace the letsencrypt roles


#1

Hi,

The current variables controlling the letsencrypt roles are:

letsencrypt_nginx_staging: true
letsencrypt_nginx_email: "contact-nginx@something.com"
letsencrypt_nginx_reverse_proxy: 127.0.0.1:8080
letsencrypt_nginx_fqdn: "{{ inventory_hostname }}.{{ domain }}"
letsencrypt_nginx_sites: "# SOMETHING TESTS CAN GREP"

with examples in the test playbook.

To deploy Enough when no public IP is available (for instance behind tor or with no network connection at all), there is a need for a self-signed certificate authority. @pilou showed how it can be implemented with openssl_certificate and a draft implementation is working fine.

The variables for the new certificate roles could be as follows:

  • certificate_authority: letsencrypt or letsencrypt_staging or ownca
  • certificate_create: true (optional)
  • if certificate_create is true
    • certificate_email: "contact-nginx@something.com"
    • certificate_fqdn: "{{ inventory_hostname }}.{{ domain }}"
    • certificate_installer: an installer supported by certbot (optional)

The real change (beyond the replacement of letsencrypt with certificate) is to replace letsencrypt_staging with certificate_authority which is no longer just a boolean adding or removing an option.

The steps are:

  • CA creation: for ownca only, stored on the controller in ~/.enough/{{ domain }}/certs (letsencrypt already exists)
  • CA installation: for ownca and letsencrypt_staging only, letsencrypt is already installed everywhere
  • obtain a new certificate: letsencrypt gets them from the net via RFC 8555, ownca creates them on localhost and copies them to the host. Only the paths are different and that makes it difficult for playbooks such as postfix-relay-playbook to know about them. For that reason, symbolic links (because renewal may change the file) to the letsencrypt certificate are created in /etc/enough/certs, as if they were created by the ownca.
  • install the certificate
    • certbot does it for nginx using files in /etc/enough/certs (which are either created by ownca or letsencrypt)
    • for postfix there is no pre-defined installer and the postfix-relay-playbook installs the files from /etc/enough/certs
  • renew: letsencrypt does it automatically, ownca is 20 years and does not need to be renewed

Finally, nginx should be in another role and implement the parts that are unrelated to the certificate.

  • enough_nginx_reverse_proxy: 127.0.0.1:8080 (optional)
  • enough_nginx_sites: "# SOMETHING TESTS CAN GREP" (optional)

If anyone sees a problem with this, now is a good time to criticize.

Cheers
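The steps listed in the post, written out as one Ansible playbook. This is an added illustration for the thread, not the Enough project's own role code and not the merge request. It uses the proposal's variable names (certificate_authority, certificate_fqdn, certificate_email) and the two paths the post names: the CA on the controller in ~/.enough/{{ domain }}/certs, and /etc/enough/certs/<fqdn>.{crt,key} on the host for both authorities. The module names are the Ansible 2.9 ones the post refers to (openssl_certificate); in the community.crypto collection the same options live on x509_certificate. The certbot invocation (certonly with the nginx authenticator), the Debian CA store path and the ca_dir/certs_dir variable names are assumptions of this example, not something the thread specifies.

```yaml
# Added example, not Enough's own role. Assumed: Debian CA store, certbot --nginx.
- hosts: all
  vars:
    ca_dir: "{{ lookup('env', 'HOME') }}/.enough/{{ domain }}/certs"   # controller side
    certs_dir: /etc/enough/certs                                        # host side, both CAs
  tasks:
    - name: certs directory on the host, read by nginx and postfix-relay alike
      file:
        path: "{{ certs_dir }}"
        state: directory
        mode: '0750'

    - name: ownca | create the CA once per domain, on the controller
      when: certificate_authority == 'ownca'
      delegate_to: localhost
      run_once: true
      block:
        - file:
            path: "{{ ca_dir }}"
            state: directory
            mode: '0700'
        - openssl_privatekey:
            path: "{{ ca_dir }}/ca.key"
            size: 4096
            mode: '0600'
        - openssl_csr:
            path: "{{ ca_dir }}/ca.csr"
            privatekey_path: "{{ ca_dir }}/ca.key"
            common_name: "enough {{ domain }} CA"
            basic_constraints: ['CA:TRUE']
            basic_constraints_critical: yes
            key_usage: ['keyCertSign', 'cRLSign']
            key_usage_critical: yes
        - openssl_certificate:
            path: "{{ ca_dir }}/ca.crt"
            privatekey_path: "{{ ca_dir }}/ca.key"
            csr_path: "{{ ca_dir }}/ca.csr"
            provider: selfsigned
            selfsigned_not_after: "+7300d"   # about 20 years: never renewed, as proposed

    - name: ownca | issue the host certificate on the controller, then copy it
      when: certificate_authority == 'ownca'
      block:
        - openssl_privatekey:
            path: "{{ ca_dir }}/{{ certificate_fqdn }}.key"
            mode: '0600'
          delegate_to: localhost
        - openssl_csr:
            path: "{{ ca_dir }}/{{ certificate_fqdn }}.csr"
            privatekey_path: "{{ ca_dir }}/{{ certificate_fqdn }}.key"
            common_name: "{{ certificate_fqdn }}"
            subject_alt_name: ["DNS:{{ certificate_fqdn }}"]
            basic_constraints: ['CA:FALSE']
            key_usage: ['digitalSignature', 'keyEncipherment']
            extended_key_usage: ['serverAuth']
          delegate_to: localhost
        - openssl_certificate:
            path: "{{ ca_dir }}/{{ certificate_fqdn }}.crt"
            csr_path: "{{ ca_dir }}/{{ certificate_fqdn }}.csr"
            provider: ownca
            ownca_path: "{{ ca_dir }}/ca.crt"
            ownca_privatekey_path: "{{ ca_dir }}/ca.key"
            ownca_not_after: "+7300d"
          delegate_to: localhost
        - copy:   # same names the letsencrypt branch links to below
            src: "{{ ca_dir }}/{{ certificate_fqdn }}.{{ item.ext }}"
            dest: "{{ certs_dir }}/{{ certificate_fqdn }}.{{ item.ext }}"
            mode: "{{ item.mode }}"
          loop:
            - { ext: crt, mode: '0644' }
            - { ext: key, mode: '0600' }
        - copy:   # CA installation step: Debian trust store path is an assumption
            src: "{{ ca_dir }}/ca.crt"
            dest: "/usr/local/share/ca-certificates/enough-{{ domain }}.crt"
            mode: '0644'
          notify: update ca store
        - name: check the chain before nginx or postfix pick it up
          command: >
            openssl verify -CAfile /usr/local/share/ca-certificates/enough-{{ domain }}.crt
            {{ certs_dir }}/{{ certificate_fqdn }}.crt
          changed_when: false

    - name: letsencrypt | obtain the certificate over ACME (RFC 8555)
      when: certificate_authority in ['letsencrypt', 'letsencrypt_staging']
      command: >
        certbot certonly --nginx --non-interactive --agree-tos
        -m {{ certificate_email }} -d {{ certificate_fqdn }}
        {{ '--staging' if certificate_authority == 'letsencrypt_staging' else '' }}
      args:
        creates: "/etc/letsencrypt/live/{{ certificate_fqdn }}/fullchain.pem"

    - name: letsencrypt | expose the live files under /etc/enough/certs as symlinks
      when: certificate_authority in ['letsencrypt', 'letsencrypt_staging']
      file:
        src: "/etc/letsencrypt/live/{{ certificate_fqdn }}/{{ item.src }}"
        dest: "{{ certs_dir }}/{{ certificate_fqdn }}.{{ item.ext }}"
        state: link
        force: yes
      loop:
        - { src: fullchain.pem, ext: crt }
        - { src: privkey.pem, ext: key }

  handlers:
    - name: update ca store
      command: update-ca-certificates
```

The links point at /etc/letsencrypt/live/, which certbot itself keeps pointing at the newest archive files, so a renewal changes nothing under /etc/enough/certs; the daemons still have to be reloaded after a renewal, which certbot's deploy hook (or its nginx installer) does, not this playbook. The letsencrypt_staging branch only adds --staging; installing the staging root on the host (the second step in the post) is left out here because, per the follow-up post, that file is meant to be collected at runtime into ~/.enough/{{ domain }}/certs rather than shipped in the repository, after which it can be copied exactly like ca.crt above.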


#2

Also… a number of tests rely on the letsencrypt staging CA committed to the repository etc. They should be removed and collected at runtime and placed in ~/.enough/{{ domain }}/certs instead. This is where the ownca will store its CA files and can be used instead.


#3

For the record, the implementation is here: https://lab.enough.community/main/infrastructure/merge_requests/125