Generating web SSL certificates

Figure 1029. Understanding web certificates Slide presentation

Figure 1030. Certificate trust level Slide presentation
Domain Validated

Fully automated process solely based on DNS / infrastructure challenges.

Organization Validated

Checking organization in question.

Extended Validation

Additional checks i.e. telephone based verification.


Figure 1031. Certificates by Terraform Slide presentation
provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}
resource "tls_private_key" "private_key" { algorithm = "RSA" }
resource "acme_registration" "reg" {
  account_key_pem = tls_private_key.private_key.private_key_pem
  email_address   = "nobody@example.com"
}
resource "acme_certificate" "certificate" {
      ...
  dns_challenge { ... }
}

Figure 1032. dns_challenge provider Slide presentation
resource "acme_certificate" "certificate" {
  ...
  dns_challenge {
    provider = "route53"
  }
}

acme DNS provider list:

  • acme-dns

  • alidns

  • ...

  • rfc2136

  • ...

  • zonomi


Figure 1033. rfc2136 provider configuration Slide presentation
dns_challenge {
  provider = "rfc2136"

  config = {
    RFC2136_NAMESERVER     = "ns1.sdi.hdm-stuttgart.cloud"
    RFC2136_TSIG_ALGORITHM = "hmac-sha512"
    RFC2136_TSIG_KEY       = "goik.key."
    RFC2136_TSIG_SECRET    = file("../dnsupdatetoken.key")
  }
}

Figure 1034. Bind server logfile Slide presentation
... updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': 
  deleting rrset at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT
... updating zone 'goik.sdi.hdm-stuttgart.cloud/IN': 
    adding an RR at '_acme-challenge.goik.sdi.hdm-stuttgart.cloud' TXT 
      "GtJZJZjCZLWoGsQDODCFnY37TmMjRiy8Hw9M1eDGhkQ"
... deleting rrset at ... TXT
... adding an RR ... TXT "eJckWl2F43nsf27bzVOjcrTGp_VFeCj2qTVM5Uodg-4"
... deleting an RR at _acme-challenge.goik.sdi.hdm-stuttgart.cloud TXT
... updating zone ... deleting an RR ... TXT

exercise No. 14

Creating a web certificate

Q:

Caution

During configuration always use the staging URL https://acme-staging-v02.api.letsencrypt.org/directory rather than https://acme-v02.api.letsencrypt.org/directory for generating certificates. There are rate limits!

As an example we assume your group has write privileges to a zone g03.sdi.hdm-stuttgart.cloud. Follow the acme_certificate documentation using Figure 1033, “rfc2136 provider configuration ” as your DNS provider creating a wildcard certificate for:

  • The zone apex g03.sdi.hdm-stuttgart.cloud.

  • www.g03.sdi.hdm-stuttgart.cloud

  • cloud.g03.sdi.hdm-stuttgart.cloud

The subject_alternative_names attribute is your friend. Later webserver certificate installation requires two files:

  • Private key file e.g. private.pem.

  • Certificate key file e.g. certificate.pem.

Use resource "local_file" ... for generating this key pair in a sub folder gen of your current project.

Caution

Due to a DNS provider related issue you must use at least acme provider version v2.23.2. You are best off not specifying any version at all receiving the latest release automatically:

terraform {
  required_providers {
    hcloud = {
      source = "hetznercloud/hcloud"
    }
    acme = {
          source  = "vancluever/acme"
       }
  }
  required_version = ">= 0.13"
}

exercise No. 15

Testing your web certificate

Q:

Create a host among with three corresponding DNS entries:

  • g03.sdi.hdm-stuttgart.cloud

  • www.g03.sdi.hdm-stuttgart.cloud

  • cloud.g03.sdi.hdm-stuttgart.cloud

Your Terraform setup shall contain the following config.auto.tfvars allowing for an arbitrary number of DNS names:

...
dnsZone       = "g03.sdi.hdm-stuttgart.cloud"
serverNames   = ["www", "cloud"]
...

Install the Nginx web server. Modify the Nginx configuration to accept https requests using the certificate being generated in Creating a web certificate .

Tip

The Nginx default configuration already contains a self signed certificate being referred to by /etc/nginx/snippets/snakeoil.conf. In /etc/nginx/sites-available/default all SSL supporting statements are yet being commented out:

# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
...
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;

After modifying the above configuration check for correctness:

root@www:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Correct any misconfiguration issues before restarting Nginx:

systemctl restart nginx

Your current staging certificate will cause warnings. Point your browser to https://g03.sdi.hdm-stuttgart.cloud, https://g03.sdi.hdm-stuttgart.cloud and https://g03.sdi.hdm-stuttgart.cloud anyway. Overrule certificate related warnings to actually see the three pages. Inspect the certificate. You should find g03.sdi.hdm-stuttgart.cloud and *.g03.sdi.hdm-stuttgart.cloud.

If your certificate is basically alright re-generate it this time using the production setting https://acme-v02.api.letsencrypt.org/directory in Creating a web certificate . Don't forget reverting back to staging after completion. You may regret it!

Copy the generated certificate to your server again. This time your browser should present a flawless view with respect to the underlying certificate for all three URLs.

exercise No. 16

Combining certificate generation and server creation

Q:

Combine Creating a web certificate and Testing your web certificate into one Terraform configuration.