Rework 2 #81
Rework 2 #81
Conversation
ypid
force-pushed
the
rework-2
branch
2 times, most recently
from
48a62f3
to
fa6bb40
Compare
| sources: | ||
| - debian-sid | ||
| packages: | ||
| - shellcheck |
There was a problem hiding this comment.
I don't think that this is a good idea. DebOps relies on a sane APT configuration for tests, if you mess it up by adding a repository from a different distribution, epseically Debian Sid, without taking care of removing that before the test, you will have a bad time. It can even be seen in the test that checked this commit.
ypid
force-pushed
the
rework-2
branch
3 times, most recently
from
04ad0c2
to
7c2facb
Compare
|
Hi guys, I am really unable to test it now, as I don't have a test environment ready and time pressure of my work duties is huge at the moment :( Sorrrrrry |
So that if one gets updated, the other hopefully will also be updated.
Tested with: - name: 'www.ypid.de' acme_default_subdomains: [] acme_domains: [ 'www.ypid.de', 'me.ypid.de' ] Resulted in: Certificate: Data: Version: 3 (0x2) Serial Number: fa:fb:15:22:6b:4c:9c:40:46:d4:13:ad:42:c0:8f:a4:2f:f3 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Fake LE Intermediate X1 Validity Not Before: Sep 12 16:18:00 2016 GMT Not After : Dec 11 16:18:00 2016 GMT Subject: CN=www.ypid.de Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:a3:0c:03:c2:24:7c:8d:f0:86:6f:f6:0b:a4:e8: c2:ce:4a:57:3a:97:59:75:00:01:8a:2c:e9:89:af: 65:d0:0c:dc:df:2f:2b:21:57:e6:b0:3e:11:7f:ad: d8:6a:9a:33:2e:ef:62:fb:4b:0f:80:f0:f3:c8:e9: d6:e4:75:6f:18:88:25:3f:e7:ce:23:43:c8:4d:05: 99:66:9a:be:a1:7a:e7:8a:80:ab:94:55:68:de:26: e9:c1:95:44:5b:b7:d9:b8:30:45:2b:ce:57:6c:7b: f3:a2:af:cc:b0:41:e3:0c:c1:cd:6b:c7:a1:6b:2d: 8d:09:c2:b5:fa:c1:7e:f4:b1:d2:2a:f3:8b:f1:7b: 5b:1f:7c:bf:9c:ab:ad:24:04:48:b7:03:22:fa:fc: e5:67:99:50:8f:48:5d:ab:1a:92:f1:27:2f:10:9a: 0b:67:75:6f:e5:9a:bd:f4:56:f3:9a:fc:6f:a7:6f: d8:86:ff:59:bc:ec:1e:8f:5a:e9:05:63:0b:ed:63: 6c:77:fa:09:e1:20:7e:7c:cb:91:8b:8f:3e:cb:b3: 65:dd:5f:2d:68:7c:46:7d:2c:bf:e7:6a:57:23:55: 1a:17:45:bc:8f:1d:dd:d6:d9:6e:e9:ef:d6:96:97: 5c:e5:9b:de:93:23:70:74:e1:47:ae:56:bb:b4:35: 9a:53:81:49:10:61:07:24:d2:53:6c:35:41:09:ef: 00:1a:3c:7b:de:0f:97:86:87:67:7a:a8:d0:a9:d4: 90:88:2f:0b:5c:a8:74:74:04:af:6f:f7:b1:ba:23: 83:00:27:a0:f6:8a:d4:7d:61:3a:75:03:4a:a8:d3: 42:2d:fb:2c:3b:ab:bc:b7:8a:18:42:5b:66:b9:d7: 8b:76:8d:da:62:1b:6b:64:cd:65:1e:53:6c:f8:54: 69:39:5d:ca:e7:23:c4:ef:cc:44:45:23:f3:1c:9c: 5d:73:33:59:a7:47:26:ef:43:47:a7:ed:02:ab:fc: 15:75:9a:64:fa:46:c1:20:3d:99:22:b0:91:67:c9: ce:99:5c:03:46:fd:81:ae:67:11:d0:be:d6:2b:ff: ac:32:51:bb:05:70:c1:6e:d0:6c:58:17:9c:c6:4f: fb:4a:79:c6:c5:ce:7a:55:ec:d3:6b:66:cf:2c:5b: d2:a1:35:a3:55:0a:b9:b6:a5:83:f5:12:21:7f:46: dc:d3:10:d5:5b:db:19:03:46:b2:fb:56:fe:8a:85: 26:d9:3d:33:e7:d5:eb:6b:a4:20:dc:df:e1:fe:d5: e3:92:6b:f5:81:aa:2a:05:3b:4c:32:56:74:67:ac: 8c:2b:66:c1:c5:27:12:10:01:90:3e:63:b0:23:63: 9f:19:a7 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: E5:11:34:94:ED:18:1A:7A:22:A8:6B:CC:32:D5:38:0E:F0:F0:06:C3 X509v3 Authority Key Identifier: keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A Authority Information Access: OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org/ CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/ X509v3 Subject Alternative Name: DNS:me.ypid.de, DNS:www.ypid.de X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org User Notice: Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/ Signature Algorithm: sha256WithRSAEncryption 69:1f:9a:83:ae:10:17:ff:34:eb:d7:01:23:2f:05:39:cb:b0: ad:d1:d7:d2:47:69:31:f7:bc:f9:e2:73:62:c1:a6:df:16:0e: 65:65:9d:76:09:97:0f:d8:f6:73:30:0e:ba:d7:9e:61:96:12: 15:f9:19:d0:e6:2e:ec:aa:07:b1:03:b8:bb:af:5d:ea:69:ef: af:8a:a8:29:94:10:8b:04:5a:f1:de:14:6e:6a:a0:39:5c:d2: 7b:f3:65:06:6b:67:03:c6:1f:18:89:84:28:2a:0e:3e:1d:e2: a0:bc:4f:ce:3e:7c:f8:81:6e:f7:34:a0:cd:01:7e:66:ae:d6: 82:0e:e8:73:11:e6:c0:b0:c7:b0:0c:fa:de:d8:fa:61:89:c7: c7:dd:6f:cc:b2:32:1a:b8:74:93:82:5b:f9:55:25:15:f1:51: bc:32:98:f8:70:3a:c3:c2:e2:ec:3a:6f:a7:e6:8e:15:9a:43: 09:9f:b1:28:c7:d5:13:82:9e:20:86:40:45:4f:6d:cc:c6:7c: 9a:26:1a:e2:8b:40:eb:ed:24:67:b9:0e:a4:b7:4a:5f:3a:d0: 4f:a9:d3:bf:a5:59:67:40:0c:50:39:96:8e:a3:fb:de:a2:74: 72:78:b5:fc:2b:01:b8:1b:af:a5:78:6c:da:66:b6:2d:3c:ce: c8:c1:c8:1b
|
@ser Don’t worry. I tested it and was able to simplify your example a bit 😉 |
|
Tested ACME, self-signed certs and internal CA. Works nicely. You rock @drybjed 👍 You can check this PR when you have time. Should be ready for merging finally 😉 |
|
Thanks, will do when I have time. Currently on vacation for a week.
|
| @@ -156,28 +156,44 @@ configuration active, it will check for validity of the certificate, and | |||
| about a month before the expiration date it will try to renew the certificate | |||
| automatically. | |||
|
|
|||
| Certificate for subdomains excluding the apex domain | |||
| ---------------------------------------------------- | |||
| Example: Certificate for apex domain and subdomains | |||
There was a problem hiding this comment.
What is this "apex" thing? I never here this,find it confusing and doubt it will ad any relevant information.
There was a problem hiding this comment.
If you take example.com DNS domain with www.example.com, smtp.example.com subdomains, an "apex domain" would be the example.com itself. Typically this is redirected to the homepage of the domain. I suppose that the "apex domain" could be less known than alternative "root domain", but the naming space in this context is very limited so I prefer to use a different name for this - "root domain" could be understood as the . DNS domain.
Some links that use the term:
| ------------------------------------------------------------- | ||
|
|
||
| In the example we create a certificate for the ``logs.example.com`` and | ||
| ``mon.example.com`` subdomains, which does not include the ``example.com`` apex |
There was a problem hiding this comment.
An example for issuing certificated for different 2nd-level domains is missing. Eg. www.example.com and www.acme.org. This is what people serving a lot of domains in one CMS need. If this works the same, this should be stated explicitly.
| .. code-block:: yaml | ||
|
|
||
| pki_realms: | ||
| - name: 'logs.example.com' |
There was a problem hiding this comment.
In case of a CMS serving several domains, would it be a good idea to name this realm e.g. "plone.example.com"?
There was a problem hiding this comment.
Hmmm, I suppose. The PKI realm name is used in the CSR generation if no additional parameters are specified, and other role like debops.nginx can perform actions based on existence of a given realm; for example debops.nginx will select a given PKI realm as the default if the FQDN or domain part matches one of the server names. Otherwise, you are free to name the realm whatever you like.
There was a problem hiding this comment.
What do you mean? logs.example.com is used in this example. This is also what other roles like nginx will use to identify and select the realm.
|
|
||
| In the example we create a certificate for the ``logs.example.com`` and | ||
| ``mon.example.com`` subdomains, which does not include the ``example.com`` apex | ||
| domain. |
There was a problem hiding this comment.
Where will these do into? The subject alt name? In the example below: What will become the "Subject"?
| ``mon.example.com`` subdomains, which does not include the ``example.com`` apex | ||
| domain. | ||
| In this example a X.509 certificate for the apex domain ``example.com`` is | ||
| going to be issued. The certificate will also be valid for the subdomains |
There was a problem hiding this comment.
... is going to be issued (certificate "Subject")
or something like this.
| @@ -156,28 +156,44 @@ configuration active, it will check for validity of the certificate, and | |||
| about a month before the expiration date it will try to renew the certificate | |||
| automatically. | |||
|
|
|||
| Certificate for subdomains excluding the apex domain | |||
| ---------------------------------------------------- | |||
| Example: Certificate for apex domain and subdomains | |||
There was a problem hiding this comment.
Please say host instead of "domain in the whole text. IMHO "domain" is wrong. certificates are issued for hosts, not for domains. For domains one would need to issue a *-certificate.
There was a problem hiding this comment.
Hm, certificates can also be issued for a CNAME/PTR in DNS so I don’t think that host is better. But I understand your point. @drybjed What do you think?
There was a problem hiding this comment.
Certificates are not tied to specific hosts, and can be moved between hosts as well.
Searching for "domain certificate" in Google gives me about 51M results, and "host certificate" has about 95M results.
I suppose that "host certificate" makes sense in context, especially when we talk about a wildcard certificate vs a certificate with a bunch of SANs. Although I'm not really sure in context of server vs client certificate.
|
I suppose that adding more examples of different certificate types in the documentation could be useful. @ypid, do you plan to add more? |
|
@htgoebel Thanks! I incorporated your feedback.
Currently not but I also like examples and when I find other good once in my own use I will add them. |
Based on: debops#81 Merge blocker: Changelog, git rebase
Based on: debops#81 Merge blocker: Changelog, git rebase
| # .. include:: includes/all.rst | ||
|
|
||
|
|
||
| # Global PKI configuration [[[ |
There was a problem hiding this comment.
It looks like the section headers don't have the -------------- markers, reStructuredText won't parse them correctly.
| # Get an absolute path to a file | ||
| # Inlined in the following scripts: pki-authority, pki-realm {{{ | ||
| version () { | ||
| # Normalize version numbers for compassion. |
There was a problem hiding this comment.
This should probably be comparsion.
| key_exists() { | ||
| # Inlined in the following scripts: pki-authority, pki-realm {{{ | ||
| version () { | ||
| # Normalize version numbers for compassion. |
There was a problem hiding this comment.
Mean comparison 🐈 good catch. Fixed.
Status: Ready for review and merging
Related to: #70
Fixes: #82
Closes: #83