Install a TLS Certificate
Our certificate vendor is Let's Encrypt, and the way we get certificates from them is via their certbot command-line tool. We have several domains to secure, plus aliases, and the way to verify ownership and install the certificate varies for each. They are described below.
Let's Encrypt enforces frequent cert rolling via 90-day expirations. Once we hit our first expiration cycle and sort out how to renew, we should update these docs. Eventually we can explore further automation.
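Given the 90-day cycle, it helps to know how close each deployed cert is to expiry before starting the procedure below. The following is an added example (not part of these docs or the inside.gratipay.com repo) that pulls the certificate each host actually serves with the openssl CLI, which it assumes is installed, and reports days remaining against certbot's default 30-day renewal window; the domain list is the one this page covers.

```python
"""Report days remaining on the certs actually served for our domains.

Added example, not from the inside.gratipay.com repo. Assumes the
`openssl` CLI is on PATH; the domain list comes from this page.
"""
import subprocess
from datetime import datetime, timezone

DOMAINS = ["gratipay.com", "assets.gratipay.com", "downloads.gratipay.com"]
RENEW_WITHIN_DAYS = 30  # certbot's own default renewal window


def parse_not_after(enddate_line):
    """Parse the 'notAfter=...' line printed by `openssl x509 -noout -enddate`."""
    key, _, value = enddate_line.strip().partition("=")
    if key != "notAfter":
        raise ValueError("expected a notAfter= line, got %r" % enddate_line)
    # openssl prints e.g. "Mar 10 12:00:00 2024 GMT" (day may be space-padded)
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(enddate_line, now=None):
    """Whole days until expiry; `now` may be a datetime or an ISO date string (read as UTC)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    return (parse_not_after(enddate_line) - now).days


def needs_renewal(enddate_line, now=None, within=RENEW_WITHIN_DAYS):
    """True once the cert is inside the renewal window (or already expired)."""
    return days_remaining(enddate_line, now) <= within


def fetch_enddate(domain):
    """Fetch the cert served for `domain` (SNI matters on MaxCDN) and return its notAfter line."""
    handshake = subprocess.run(
        ["openssl", "s_client", "-connect", domain + ":443", "-servername", domain],
        input=b"", capture_output=True, check=True)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                          input=handshake.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


if __name__ == "__main__":
    for domain in DOMAINS:
        line = fetch_enddate(domain)
        flag = "  <- renew now" if needs_renewal(line) else ""
        print("%-24s %3d days left%s" % (domain, days_remaining(line), flag))
```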
Install certbot locally, then run it in the certs directory of an Inside Gratipay repo checkout, with the provided configuration:
git clone email@example.com:gratipay/inside.gratipay.com.git
cd inside.gratipay.com/certs
certbot certonly -c gratipay.com.ini
You'll have to agree to having your IP address publicly logged, and then you'll be prompted to verify ownership of the domains via HTTP challenges. For that, visit the ACME Challenger (you'll have to log in as an admin to use it). Go through the challenge cycle for gratipay.com and for each alias (there are a bunch, including www.* variants) by appending the token to the above link, and then entering the authorization response in the form you find there.
Once you have the cert, install it at Heroku:
cd tmp/live/gratipay.com/
heroku certs:update --app gratipay fullchain.pem privkey.pem
Once you're done, go back to the certs directory and rm -rf tmp to clear out sensitive files from your laptop.
The assets.gratipay.com CDN uses gratipay.com/assets as its origin server, and we have a read-only ACME Challenger under there. Therefore, the process to verify the domain is just like for gratipay.com: create the challenge response in the normal ACME Challenger, and Let's Encrypt should find what it needs in the right place.
However, we use the same cert for downloads.* as for assets.*, since both are hosted at MaxCDN. But since downloads is a PUSH zone, you have to (manually) upload a file via FTP in order to verify the domain. Here's how to reset the FTP password. And there's no way to serve a hidden directory, so you have to use DNS verification after all, so you may as well use it for assets.*, too (how do we write a config file that splits the authenticators by domain?). Sorry.
(P.S. The reason we don't just do all verification via DNS is because that's harder to automate … though I guess DNSimple does have an API. Hmm …)
To install the cert, log in to MaxCDN (creds are in LastPass). Go to Account > SSL to add the new certificate, then navigate to EdgeSSL > SNI for each zone, and select the new cert. After installing for both zones, go back to Account > SSL and delete the old cert.
Delete the TXT records from DNS.
ssh firstname.lastname@example.org
cd certs/
You should find a certbot-auto executable there, along with a certbot.ini configuration file, some logfiles, etc. I think all you need to do is ./certbot-auto renew, but since we're still in our first cert cycle with Let's Encrypt, it's hard to know for sure.
To verify domains, I ran
./certbot-auto certonly -c certbot.ini, creating
(and subsequently cleaning up) files under:
The cert and key are symlinked into
/etc/nginx/certs/, so you shouldn't need
to do anything other than
/etc/init.d/nginx reload once the cert/key are