summaryrefslogtreecommitdiff
path: root/docs/en/guide
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2016-09-14 15:09:32 -0700
committerelijah <elijah@riseup.net>2016-09-14 15:09:32 -0700
commit811deee9e5b8cc42a3ea424ef873e9d69eb50cba (patch)
tree7e48be21fe30dca8add4c848c40e49702894a479 /docs/en/guide
parent836876b4b0763e01526c9aa9c1fc34e1d82416aa (diff)
updated docs
Diffstat (limited to 'docs/en/guide')
-rw-r--r--docs/en/guide/commands.html253
-rw-r--r--docs/en/guide/commands/index.html253
-rw-r--r--docs/en/guide/keys-and-certificates.html115
-rw-r--r--docs/en/guide/keys-and-certificates/index.html115
4 files changed, 532 insertions, 204 deletions
diff --git a/docs/en/guide/commands.html b/docs/en/guide/commands.html
index bccbaf50..8685c6dc 100644
--- a/docs/en/guide/commands.html
+++ b/docs/en/guide/commands.html
@@ -127,7 +127,7 @@ Command Line Reference - LEAP Platform Documentation
<a href="commands/index.html#global-options">Global Options</a>
</li>
<li>
- <a href="commands/index.html#leap-add-user-username">leap add-user USERNAME</a>
+ <a href="commands/index.html#leap-add-user">leap add-user</a>
</li>
<li>
<a href="commands/index.html#leap-cert">leap cert</a>
@@ -136,12 +136,18 @@ Command Line Reference - LEAP Platform Documentation
<a href="commands/index.html#leap-cert-ca">leap cert ca</a>
</li>
<li>
- <a href="commands/index.html#leap-cert-csr">leap cert csr</a>
+ <a href="commands/index.html#leap-cert-csr-domain">leap cert csr DOMAIN</a>
</li>
<li>
<a href="commands/index.html#leap-cert-dh">leap cert dh</a>
</li>
<li>
+ <a href="commands/index.html#leap-cert-register">leap cert register</a>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-cert-renew-domain">leap cert renew DOMAIN</a>
+ </li>
+ <li>
<a href="commands/index.html#leap-cert-update-filter">leap cert update FILTER</a>
</li>
</ol>
@@ -178,9 +184,6 @@ Command Line Reference - LEAP Platform Documentation
</ol>
</li>
<li>
- <a href="commands/index.html#leap-debug-filter">leap debug FILTER</a>
- </li>
- <li>
<a href="commands/index.html#leap-deploy-filter">leap deploy FILTER</a>
</li>
<li>
@@ -212,6 +215,9 @@ Command Line Reference - LEAP Platform Documentation
<a href="commands/index.html#leap-history-filter">leap history FILTER</a>
</li>
<li>
+ <a href="commands/index.html#leap-info-filter">leap info FILTER</a>
+ </li>
+ <li>
<a href="commands/index.html#leap-inspect-file">leap inspect FILE</a>
</li>
<li>
@@ -221,19 +227,19 @@ Command Line Reference - LEAP Platform Documentation
<a href="commands/index.html#leap-local">leap local</a>
<ol>
<li>
- <a href="commands/index.html#leap-local-destroy-filter">leap local destroy [FILTER]</a>
+ <a href="commands/index.html#leap-local-ls-filter">leap local ls [FILTER]</a>
</li>
<li>
<a href="commands/index.html#leap-local-reset-filter">leap local reset [FILTER]</a>
</li>
<li>
- <a href="commands/index.html#leap-local-save-filter">leap local save [FILTER]</a>
+ <a href="commands/index.html#leap-local-rm-filter">leap local rm [FILTER]</a>
</li>
<li>
- <a href="commands/index.html#leap-local-start-filter">leap local start [FILTER]</a>
+ <a href="commands/index.html#leap-local-save-filter">leap local save [FILTER]</a>
</li>
<li>
- <a href="commands/index.html#leap-local-status-filter">leap local status [FILTER]</a>
+ <a href="commands/index.html#leap-local-start-filter">leap local start [FILTER]</a>
</li>
<li>
<a href="commands/index.html#leap-local-stop-filter">leap local stop [FILTER]</a>
@@ -264,6 +270,12 @@ Command Line Reference - LEAP Platform Documentation
</ol>
</li>
<li>
+ <a href="commands/index.html#leap-open-name">leap open NAME</a>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-run-command-filter">leap run COMMAND FILTER</a>
+ </li>
+ <li>
<a href="commands/index.html#leap-scp-file1-file2">leap scp FILE1 FILE2</a>
</li>
<li>
@@ -283,6 +295,49 @@ Command Line Reference - LEAP Platform Documentation
<li>
<a href="commands/index.html#leap-tunnel-local_portnameremote_port">leap tunnel [LOCAL_PORT:]NAME:REMOTE_PORT</a>
</li>
+ <li>
+ <a href="commands/index.html#leap-user">leap user</a>
+ <ol>
+ <li>
+ <a href="commands/index.html#leap-user-add-username">leap user add USERNAME</a>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-user-ls">leap user ls</a>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-user-rm-username">leap user rm USERNAME</a>
+ </li>
+ </ol>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-vm">leap vm</a>
+ <ol>
+ <li>
+ <a href="commands/index.html#leap-vm-add-node_name-seed">leap vm add NODE_NAME [SEED]</a>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-vm-bind-node_name-instance_id">leap vm bind NODE_NAME INSTANCE_ID</a>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-vm-key-list">leap vm key-list</a>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-vm-key-register">leap vm key-register</a>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-vm-rm-filter">leap vm rm [FILTER]</a>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-vm-start-filter">leap vm start [FILTER]</a>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-vm-status-filter">leap vm status [FILTER]</a>
+ </li>
+ <li>
+ <a href="commands/index.html#leap-vm-stop-filter">leap vm stop [FILTER]</a>
+ </li>
+ </ol>
+ </li>
</ol></div>
<p>The command &ldquo;leap&rdquo; can be used to manage a bevy of servers running the LEAP platform from the comfort of your own home.</p>
@@ -311,9 +366,11 @@ Skip prompts and assume &ldquo;yes&rdquo;.</p></li>
</ul>
-<h1><a name="leap-add-user-username"></a>leap add-user USERNAME</h1>
+<h1><a name="leap-add-user"></a>leap add-user</h1>
+
+<p>Manage trusted sysadmins (DEPRECATED)</p>
-<p>Adds a new trusted sysadmin by adding public keys to the &ldquo;users&rdquo; directory.</p>
+<p>Use <code>leap user add</code> instead</p>
<p><strong>Options</strong></p>
@@ -339,7 +396,7 @@ Add yourself as a trusted sysadmin by choosing among the public keys available f
<p>See see what values are used in the generation of the certificates (like name and key size), run <code>leap inspect provider</code> and look for the &ldquo;ca&rdquo; property. To see the details of the created certs, run <code>leap inspect &lt;file&gt;</code>.</p>
-<h2><a name="leap-cert-csr"></a>leap cert csr</h2>
+<h2><a name="leap-cert-csr-domain"></a>leap cert csr DOMAIN</h2>
<p>Creates a CSR for use in buying a commercial X.509 certificate.</p>
@@ -383,6 +440,16 @@ Default Value: None</p></li>
<p>Creates a Diffie-Hellman parameter file, needed for forward secret OpenVPN ciphers.</p>
+<h2><a name="leap-cert-register"></a>leap cert register</h2>
+
+<p>Register an authorization key with the CA letsencrypt.org</p>
+
+<p>This only needs to be done once.</p>
+
+<h2><a name="leap-cert-renew-domain"></a>leap cert renew DOMAIN</h2>
+
+<p>Renews a certificate using the CA letsencrypt.org</p>
+
<h2><a name="leap-cert-update-filter"></a>leap cert update FILTER</h2>
<p>Creates or renews a X.509 certificate/key pair for a single node or all nodes, but only if needed.</p>
@@ -447,12 +514,6 @@ Default Value: None</p></li>
</ul>
-<h1><a name="leap-debug-filter"></a>leap debug FILTER</h1>
-
-<p>Output debug information.</p>
-
-<p>The FILTER can be the name of a node, service, or tag.</p>
-
<h1><a name="leap-deploy-filter"></a>leap deploy FILTER</h1>
<p>Apply recipes to a node or set of nodes.</p>
@@ -548,6 +609,12 @@ Show last deploy only</p></li>
</ul>
+<h1><a name="leap-info-filter"></a>leap info FILTER</h1>
+
+<p>Prints information regarding facts, history, and running processes for a node or nodes.</p>
+
+<p>The FILTER can be the name of a node, service, or tag.</p>
+
<h1><a name="leap-inspect-file"></a>leap inspect FILE</h1>
<p>Prints details about a file. Alternately, the argument FILE can be the name of a node, service or tag.</p>
@@ -585,16 +652,20 @@ Include disabled nodes in the list.</p></li>
<p>Manage local virtual machines.</p>
-<p>This command provides a convient way to manage Vagrant-based virtual machines. If FILTER argument is missing, the command runs on all local virtual machines. The Vagrantfile is automatically generated in &lsquo;test/Vagrantfile&rsquo;. If you want to run vagrant commands manually, cd to &lsquo;test&rsquo;.</p>
+<p>This command provides a convenient way to manage Vagrant-based virtual machines. If FILTER argument is missing, the command runs on all local virtual machines. The Vagrantfile is automatically generated in &lsquo;test/Vagrantfile&rsquo;. If you want to run vagrant commands manually, cd to &lsquo;test&rsquo;.</p>
-<h2><a name="leap-local-destroy-filter"></a>leap local destroy [FILTER]</h2>
+<h2><a name="leap-local-ls-filter"></a>leap local ls [FILTER]</h2>
-<p>Destroys the virtual machine(s), reclaiming the disk space</p>
+<p>Print the status of local virtual machine(s)</p>
<h2><a name="leap-local-reset-filter"></a>leap local reset [FILTER]</h2>
<p>Resets virtual machine(s) to the last saved snapshot</p>
+<h2><a name="leap-local-rm-filter"></a>leap local rm [FILTER]</h2>
+
+<p>Destroys the virtual machine(s), reclaiming the disk space</p>
+
<h2><a name="leap-local-save-filter"></a>leap local save [FILTER]</h2>
<p>Saves the current state of the virtual machine as a new snapshot</p>
@@ -612,10 +683,6 @@ Default Value: LEAP/jessie</li>
</ul>
-<h2><a name="leap-local-status-filter"></a>leap local status [FILTER]</h2>
-
-<p>Print the status of local virtual machine(s)</p>
-
<h2><a name="leap-local-stop-filter"></a>leap local stop [FILTER]</h2>
<p>Shuts down the virtual machine(s)</p>
@@ -674,13 +741,15 @@ Default Value: None</p></li>
<p>To set nested properties, property name can contain &lsquo;.&rsquo;, like so: <code>leap node add web1 ssh.port:44</code></p>
-<p>Separeate multiple values for a single property with a comma, like so: <code>leap node add mynode services:webapp,dns</code></p>
+<p>Separate multiple values for a single property with a comma, like so: <code>leap node add mynode services:webapp,dns</code></p>
<p><strong>Options</strong></p>
<ul>
-<li><code>--local</code>
-Make a local testing node (by automatically assigning the next available local IP address). Local nodes are run as virtual machines on your computer.</li>
+<li><p><code>--local</code>
+Make a local testing node (by assigning the next available local IP address). Local nodes are run as virtual machines on your computer.</p></li>
+<li><p><code>--vm</code>
+Make a remote virtual machine for this node. Requires a valid cloud.json configuration.</p></li>
</ul>
@@ -698,9 +767,8 @@ Override the default SSH IP address.
Default Value: None</p></li>
<li><p><code>--port PORT</code>
Override the default SSH port.
+This command prepares a server to be used with the LEAP Platform by saving the server&rsquo;s SSH host key, copying the authorized_keys file, installing packages that are required for deploying, and registering important facts. Node init must be run before deploying to a server, and the server must be running and available via the network. This command only needs to be run once, but there is no harm in running it multiple times.
Default Value: None</p></li>
-<li><p><code>--echo</code>
-If set, passwords are visible as you type them (default is hidden)</p></li>
</ul>
@@ -712,6 +780,40 @@ If set, passwords are visible as you type them (default is hidden)</p></li>
<p>Removes all the files related to the node named NAME.</p>
+<h1><a name="leap-open-name"></a>leap open NAME</h1>
+
+<p>Opens useful URLs in a web browser.</p>
+
+<p>NAME can be one or more of: monitor, web, docs, bug</p>
+
+<p><strong>Options</strong></p>
+
+<ul>
+<li><p><code>--env ENVIRONMENT</code>
+Which environment to use (optional).
+Default Value: None</p></li>
+<li><p><code>--[no-]ip</code>
+To get around HSTS or DNS, open the URL using the IP address instead of the domain (optional).</p></li>
+</ul>
+
+
+<h1><a name="leap-run-command-filter"></a>leap run COMMAND FILTER</h1>
+
+<p>Run a shell command remotely</p>
+
+<p>Runs the specified command COMMAND on each node in the FILTER set. For example, <code>leap run 'uname -a' webapp</code></p>
+
+<p><strong>Options</strong></p>
+
+<ul>
+<li><p><code>--port SSH_PORT</code>
+Override default SSH port used when trying to connect to the server.
+Default Value: None</p></li>
+<li><p><code>--[no-]stream</code>
+If set, stream the output as it arrives. (default: &ndash;stream for a single node, &ndash;no-stream for multiple nodes)</p></li>
+</ul>
+
+
<h1><a name="leap-scp-file1-file2"></a>leap scp FILE1 FILE2</h1>
<p>Secure copy from FILE1 to FILE2. Files are specified as NODE_NAME:FILE_PATH. For local paths, omit &ldquo;NODE_NAME:&rdquo;.</p>
@@ -778,6 +880,97 @@ Default Value: None</p></li>
</ul>
+<h1><a name="leap-user"></a>leap user</h1>
+
+<p>Manage trusted sysadmins</p>
+
+<p>Manage the trusted sysadmins that are configured in the &lsquo;users&rsquo; directory.</p>
+
+<h2><a name="leap-user-add-username"></a>leap user add USERNAME</h2>
+
+<p>Adds a new trusted sysadmin</p>
+
+<p><strong>Options</strong></p>
+
+<ul>
+<li><p><code>--pgp-pub-key arg</code>
+OpenPGP public key file for this new user
+Default Value: None</p></li>
+<li><p><code>--ssh-pub-key arg</code>
+SSH public key file for this new user
+Default Value: None</p></li>
+<li><p><code>--self</code>
+Add yourself as a trusted sysadmin by choosing among the public keys available for the current user.</p></li>
+</ul>
+
+
+<h2><a name="leap-user-ls"></a>leap user ls</h2>
+
+<p>Lists the configured sysadmins</p>
+
+<h2><a name="leap-user-rm-username"></a>leap user rm USERNAME</h2>
+
+<p>Removes a trusted sysadmin</p>
+
+<h1><a name="leap-vm"></a>leap vm</h1>
+
+<p>Manage remote virtual machines (VMs).</p>
+
+<p>This command provides a convenient way to manage virtual machines. FILTER may be a node filter or the ID of a virtual machine.</p>
+
+<p><strong>Options</strong></p>
+
+<ul>
+<li><p><code>--auth AUTH</code>
+Choose which authentication credentials to use from the file cloud.json. If omitted, will default to the node&rsquo;s <code>vm.auth</code> property, or the first credentials in cloud.json
+Default Value: None</p></li>
+<li><p><code>--[no-]mock</code>
+Run as simulation, without actually connecting to a cloud provider. If set, &ndash;auth is ignored.</p></li>
+<li><p><code>--[no-]wait</code>
+Wait for servers to start/stop before continuing.</p></li>
+</ul>
+
+
+<h2><a name="leap-vm-add-node_name-seed"></a>leap vm add NODE_NAME [SEED]</h2>
+
+<p>Allocates a new VM and/or associates it with node NAME.</p>
+
+<p>If node configuration file does not yet exist, it is created with the optional SEED values. You can run this command when the virtual machine already exists in order to update the node&rsquo;s <code>vm.id</code> property.</p>
+
+<h2><a name="leap-vm-bind-node_name-instance_id"></a>leap vm bind NODE_NAME INSTANCE_ID</h2>
+
+<p>Binds a running VM instance to a node configuration.</p>
+
+<p>Afterwards, the VM will be assigned a label matching the node name, and the node config will be updated with the instance ID.</p>
+
+<h2><a name="leap-vm-key-list"></a>leap vm key-list</h2>
+
+<p>Lists the registered SSH public keys for a particular VM provider.</p>
+
+<h2><a name="leap-vm-key-register"></a>leap vm key-register</h2>
+
+<p>Registers a SSH public key for use when creating new VMs.</p>
+
+<p>Note that only people who are creating new VM instances need to have their key registered.</p>
+
+<h2><a name="leap-vm-rm-filter"></a>leap vm rm [FILTER]</h2>
+
+<p>Destroys one or more VMs</p>
+
+<h2><a name="leap-vm-start-filter"></a>leap vm start [FILTER]</h2>
+
+<p>Starts one or more VMs</p>
+
+<h2><a name="leap-vm-status-filter"></a>leap vm status [FILTER]</h2>
+
+<p>Print the status of all VMs</p>
+
+<h2><a name="leap-vm-stop-filter"></a>leap vm stop [FILTER]</h2>
+
+<p>Shuts down one or more VMs</p>
+
+<p>This keeps the storage allocated. To save resources, run <code>leap vm rm</code> instead.</p>
+
</div>
</div>
</body>
diff --git a/docs/en/guide/commands/index.html b/docs/en/guide/commands/index.html
index ec1785f8..fbb77d87 100644
--- a/docs/en/guide/commands/index.html
+++ b/docs/en/guide/commands/index.html
@@ -127,7 +127,7 @@ Command Line Reference - LEAP Platform Documentation
<a href="index.html#global-options">Global Options</a>
</li>
<li>
- <a href="index.html#leap-add-user-username">leap add-user USERNAME</a>
+ <a href="index.html#leap-add-user">leap add-user</a>
</li>
<li>
<a href="index.html#leap-cert">leap cert</a>
@@ -136,12 +136,18 @@ Command Line Reference - LEAP Platform Documentation
<a href="index.html#leap-cert-ca">leap cert ca</a>
</li>
<li>
- <a href="index.html#leap-cert-csr">leap cert csr</a>
+ <a href="index.html#leap-cert-csr-domain">leap cert csr DOMAIN</a>
</li>
<li>
<a href="index.html#leap-cert-dh">leap cert dh</a>
</li>
<li>
+ <a href="index.html#leap-cert-register">leap cert register</a>
+ </li>
+ <li>
+ <a href="index.html#leap-cert-renew-domain">leap cert renew DOMAIN</a>
+ </li>
+ <li>
<a href="index.html#leap-cert-update-filter">leap cert update FILTER</a>
</li>
</ol>
@@ -178,9 +184,6 @@ Command Line Reference - LEAP Platform Documentation
</ol>
</li>
<li>
- <a href="index.html#leap-debug-filter">leap debug FILTER</a>
- </li>
- <li>
<a href="index.html#leap-deploy-filter">leap deploy FILTER</a>
</li>
<li>
@@ -212,6 +215,9 @@ Command Line Reference - LEAP Platform Documentation
<a href="index.html#leap-history-filter">leap history FILTER</a>
</li>
<li>
+ <a href="index.html#leap-info-filter">leap info FILTER</a>
+ </li>
+ <li>
<a href="index.html#leap-inspect-file">leap inspect FILE</a>
</li>
<li>
@@ -221,19 +227,19 @@ Command Line Reference - LEAP Platform Documentation
<a href="index.html#leap-local">leap local</a>
<ol>
<li>
- <a href="index.html#leap-local-destroy-filter">leap local destroy [FILTER]</a>
+ <a href="index.html#leap-local-ls-filter">leap local ls [FILTER]</a>
</li>
<li>
<a href="index.html#leap-local-reset-filter">leap local reset [FILTER]</a>
</li>
<li>
- <a href="index.html#leap-local-save-filter">leap local save [FILTER]</a>
+ <a href="index.html#leap-local-rm-filter">leap local rm [FILTER]</a>
</li>
<li>
- <a href="index.html#leap-local-start-filter">leap local start [FILTER]</a>
+ <a href="index.html#leap-local-save-filter">leap local save [FILTER]</a>
</li>
<li>
- <a href="index.html#leap-local-status-filter">leap local status [FILTER]</a>
+ <a href="index.html#leap-local-start-filter">leap local start [FILTER]</a>
</li>
<li>
<a href="index.html#leap-local-stop-filter">leap local stop [FILTER]</a>
@@ -264,6 +270,12 @@ Command Line Reference - LEAP Platform Documentation
</ol>
</li>
<li>
+ <a href="index.html#leap-open-name">leap open NAME</a>
+ </li>
+ <li>
+ <a href="index.html#leap-run-command-filter">leap run COMMAND FILTER</a>
+ </li>
+ <li>
<a href="index.html#leap-scp-file1-file2">leap scp FILE1 FILE2</a>
</li>
<li>
@@ -283,6 +295,49 @@ Command Line Reference - LEAP Platform Documentation
<li>
<a href="index.html#leap-tunnel-local_portnameremote_port">leap tunnel [LOCAL_PORT:]NAME:REMOTE_PORT</a>
</li>
+ <li>
+ <a href="index.html#leap-user">leap user</a>
+ <ol>
+ <li>
+ <a href="index.html#leap-user-add-username">leap user add USERNAME</a>
+ </li>
+ <li>
+ <a href="index.html#leap-user-ls">leap user ls</a>
+ </li>
+ <li>
+ <a href="index.html#leap-user-rm-username">leap user rm USERNAME</a>
+ </li>
+ </ol>
+ </li>
+ <li>
+ <a href="index.html#leap-vm">leap vm</a>
+ <ol>
+ <li>
+ <a href="index.html#leap-vm-add-node_name-seed">leap vm add NODE_NAME [SEED]</a>
+ </li>
+ <li>
+ <a href="index.html#leap-vm-bind-node_name-instance_id">leap vm bind NODE_NAME INSTANCE_ID</a>
+ </li>
+ <li>
+ <a href="index.html#leap-vm-key-list">leap vm key-list</a>
+ </li>
+ <li>
+ <a href="index.html#leap-vm-key-register">leap vm key-register</a>
+ </li>
+ <li>
+ <a href="index.html#leap-vm-rm-filter">leap vm rm [FILTER]</a>
+ </li>
+ <li>
+ <a href="index.html#leap-vm-start-filter">leap vm start [FILTER]</a>
+ </li>
+ <li>
+ <a href="index.html#leap-vm-status-filter">leap vm status [FILTER]</a>
+ </li>
+ <li>
+ <a href="index.html#leap-vm-stop-filter">leap vm stop [FILTER]</a>
+ </li>
+ </ol>
+ </li>
</ol></div>
<p>The command &ldquo;leap&rdquo; can be used to manage a bevy of servers running the LEAP platform from the comfort of your own home.</p>
@@ -311,9 +366,11 @@ Skip prompts and assume &ldquo;yes&rdquo;.</p></li>
</ul>
-<h1><a name="leap-add-user-username"></a>leap add-user USERNAME</h1>
+<h1><a name="leap-add-user"></a>leap add-user</h1>
+
+<p>Manage trusted sysadmins (DEPRECATED)</p>
-<p>Adds a new trusted sysadmin by adding public keys to the &ldquo;users&rdquo; directory.</p>
+<p>Use <code>leap user add</code> instead</p>
<p><strong>Options</strong></p>
@@ -339,7 +396,7 @@ Add yourself as a trusted sysadmin by choosing among the public keys available f
<p>See see what values are used in the generation of the certificates (like name and key size), run <code>leap inspect provider</code> and look for the &ldquo;ca&rdquo; property. To see the details of the created certs, run <code>leap inspect &lt;file&gt;</code>.</p>
-<h2><a name="leap-cert-csr"></a>leap cert csr</h2>
+<h2><a name="leap-cert-csr-domain"></a>leap cert csr DOMAIN</h2>
<p>Creates a CSR for use in buying a commercial X.509 certificate.</p>
@@ -383,6 +440,16 @@ Default Value: None</p></li>
<p>Creates a Diffie-Hellman parameter file, needed for forward secret OpenVPN ciphers.</p>
+<h2><a name="leap-cert-register"></a>leap cert register</h2>
+
+<p>Register an authorization key with the CA letsencrypt.org</p>
+
+<p>This only needs to be done once.</p>
+
+<h2><a name="leap-cert-renew-domain"></a>leap cert renew DOMAIN</h2>
+
+<p>Renews a certificate using the CA letsencrypt.org</p>
+
<h2><a name="leap-cert-update-filter"></a>leap cert update FILTER</h2>
<p>Creates or renews a X.509 certificate/key pair for a single node or all nodes, but only if needed.</p>
@@ -447,12 +514,6 @@ Default Value: None</p></li>
</ul>
-<h1><a name="leap-debug-filter"></a>leap debug FILTER</h1>
-
-<p>Output debug information.</p>
-
-<p>The FILTER can be the name of a node, service, or tag.</p>
-
<h1><a name="leap-deploy-filter"></a>leap deploy FILTER</h1>
<p>Apply recipes to a node or set of nodes.</p>
@@ -548,6 +609,12 @@ Show last deploy only</p></li>
</ul>
+<h1><a name="leap-info-filter"></a>leap info FILTER</h1>
+
+<p>Prints information regarding facts, history, and running processes for a node or nodes.</p>
+
+<p>The FILTER can be the name of a node, service, or tag.</p>
+
<h1><a name="leap-inspect-file"></a>leap inspect FILE</h1>
<p>Prints details about a file. Alternately, the argument FILE can be the name of a node, service or tag.</p>
@@ -585,16 +652,20 @@ Include disabled nodes in the list.</p></li>
<p>Manage local virtual machines.</p>
-<p>This command provides a convient way to manage Vagrant-based virtual machines. If FILTER argument is missing, the command runs on all local virtual machines. The Vagrantfile is automatically generated in &lsquo;test/Vagrantfile&rsquo;. If you want to run vagrant commands manually, cd to &lsquo;test&rsquo;.</p>
+<p>This command provides a convenient way to manage Vagrant-based virtual machines. If FILTER argument is missing, the command runs on all local virtual machines. The Vagrantfile is automatically generated in &lsquo;test/Vagrantfile&rsquo;. If you want to run vagrant commands manually, cd to &lsquo;test&rsquo;.</p>
-<h2><a name="leap-local-destroy-filter"></a>leap local destroy [FILTER]</h2>
+<h2><a name="leap-local-ls-filter"></a>leap local ls [FILTER]</h2>
-<p>Destroys the virtual machine(s), reclaiming the disk space</p>
+<p>Print the status of local virtual machine(s)</p>
<h2><a name="leap-local-reset-filter"></a>leap local reset [FILTER]</h2>
<p>Resets virtual machine(s) to the last saved snapshot</p>
+<h2><a name="leap-local-rm-filter"></a>leap local rm [FILTER]</h2>
+
+<p>Destroys the virtual machine(s), reclaiming the disk space</p>
+
<h2><a name="leap-local-save-filter"></a>leap local save [FILTER]</h2>
<p>Saves the current state of the virtual machine as a new snapshot</p>
@@ -612,10 +683,6 @@ Default Value: LEAP/jessie</li>
</ul>
-<h2><a name="leap-local-status-filter"></a>leap local status [FILTER]</h2>
-
-<p>Print the status of local virtual machine(s)</p>
-
<h2><a name="leap-local-stop-filter"></a>leap local stop [FILTER]</h2>
<p>Shuts down the virtual machine(s)</p>
@@ -674,13 +741,15 @@ Default Value: None</p></li>
<p>To set nested properties, property name can contain &lsquo;.&rsquo;, like so: <code>leap node add web1 ssh.port:44</code></p>
-<p>Separeate multiple values for a single property with a comma, like so: <code>leap node add mynode services:webapp,dns</code></p>
+<p>Separate multiple values for a single property with a comma, like so: <code>leap node add mynode services:webapp,dns</code></p>
<p><strong>Options</strong></p>
<ul>
-<li><code>--local</code>
-Make a local testing node (by automatically assigning the next available local IP address). Local nodes are run as virtual machines on your computer.</li>
+<li><p><code>--local</code>
+Make a local testing node (by assigning the next available local IP address). Local nodes are run as virtual machines on your computer.</p></li>
+<li><p><code>--vm</code>
+Make a remote virtual machine for this node. Requires a valid cloud.json configuration.</p></li>
</ul>
@@ -698,9 +767,8 @@ Override the default SSH IP address.
Default Value: None</p></li>
<li><p><code>--port PORT</code>
Override the default SSH port.
+This command prepares a server to be used with the LEAP Platform by saving the server&rsquo;s SSH host key, copying the authorized_keys file, installing packages that are required for deploying, and registering important facts. Node init must be run before deploying to a server, and the server must be running and available via the network. This command only needs to be run once, but there is no harm in running it multiple times.
Default Value: None</p></li>
-<li><p><code>--echo</code>
-If set, passwords are visible as you type them (default is hidden)</p></li>
</ul>
@@ -712,6 +780,40 @@ If set, passwords are visible as you type them (default is hidden)</p></li>
<p>Removes all the files related to the node named NAME.</p>
+<h1><a name="leap-open-name"></a>leap open NAME</h1>
+
+<p>Opens useful URLs in a web browser.</p>
+
+<p>NAME can be one or more of: monitor, web, docs, bug</p>
+
+<p><strong>Options</strong></p>
+
+<ul>
+<li><p><code>--env ENVIRONMENT</code>
+Which environment to use (optional).
+Default Value: None</p></li>
+<li><p><code>--[no-]ip</code>
+To get around HSTS or DNS, open the URL using the IP address instead of the domain (optional).</p></li>
+</ul>
+
+
+<h1><a name="leap-run-command-filter"></a>leap run COMMAND FILTER</h1>
+
+<p>Run a shell command remotely</p>
+
+<p>Runs the specified command COMMAND on each node in the FILTER set. For example, <code>leap run 'uname -a' webapp</code></p>
+
+<p><strong>Options</strong></p>
+
+<ul>
+<li><p><code>--port SSH_PORT</code>
+Override default SSH port used when trying to connect to the server.
+Default Value: None</p></li>
+<li><p><code>--[no-]stream</code>
+If set, stream the output as it arrives. (default: &ndash;stream for a single node, &ndash;no-stream for multiple nodes)</p></li>
+</ul>
+
+
<h1><a name="leap-scp-file1-file2"></a>leap scp FILE1 FILE2</h1>
<p>Secure copy from FILE1 to FILE2. Files are specified as NODE_NAME:FILE_PATH. For local paths, omit &ldquo;NODE_NAME:&rdquo;.</p>
@@ -778,6 +880,97 @@ Default Value: None</p></li>
</ul>
+<h1><a name="leap-user"></a>leap user</h1>
+
+<p>Manage trusted sysadmins</p>
+
+<p>Manage the trusted sysadmins that are configured in the &lsquo;users&rsquo; directory.</p>
+
+<h2><a name="leap-user-add-username"></a>leap user add USERNAME</h2>
+
+<p>Adds a new trusted sysadmin</p>
+
+<p><strong>Options</strong></p>
+
+<ul>
+<li><p><code>--pgp-pub-key arg</code>
+OpenPGP public key file for this new user
+Default Value: None</p></li>
+<li><p><code>--ssh-pub-key arg</code>
+SSH public key file for this new user
+Default Value: None</p></li>
+<li><p><code>--self</code>
+Add yourself as a trusted sysadmin by choosing among the public keys available for the current user.</p></li>
+</ul>
+
+
+<h2><a name="leap-user-ls"></a>leap user ls</h2>
+
+<p>Lists the configured sysadmins</p>
+
+<h2><a name="leap-user-rm-username"></a>leap user rm USERNAME</h2>
+
+<p>Removes a trusted sysadmin</p>
+
+<h1><a name="leap-vm"></a>leap vm</h1>
+
+<p>Manage remote virtual machines (VMs).</p>
+
+<p>This command provides a convenient way to manage virtual machines. FILTER may be a node filter or the ID of a virtual machine.</p>
+
+<p><strong>Options</strong></p>
+
+<ul>
+<li><p><code>--auth AUTH</code>
+Choose which authentication credentials to use from the file cloud.json. If omitted, will default to the node&rsquo;s <code>vm.auth</code> property, or the first credentials in cloud.json
+Default Value: None</p></li>
+<li><p><code>--[no-]mock</code>
+Run as simulation, without actually connecting to a cloud provider. If set, &ndash;auth is ignored.</p></li>
+<li><p><code>--[no-]wait</code>
+Wait for servers to start/stop before continuing.</p></li>
+</ul>
+
+
+<h2><a name="leap-vm-add-node_name-seed"></a>leap vm add NODE_NAME [SEED]</h2>
+
+<p>Allocates a new VM and/or associates it with node NAME.</p>
+
+<p>If node configuration file does not yet exist, it is created with the optional SEED values. You can run this command when the virtual machine already exists in order to update the node&rsquo;s <code>vm.id</code> property.</p>
+
+<h2><a name="leap-vm-bind-node_name-instance_id"></a>leap vm bind NODE_NAME INSTANCE_ID</h2>
+
+<p>Binds a running VM instance to a node configuration.</p>
+
+<p>Afterwards, the VM will be assigned a label matching the node name, and the node config will be updated with the instance ID.</p>
+
+<h2><a name="leap-vm-key-list"></a>leap vm key-list</h2>
+
+<p>Lists the registered SSH public keys for a particular VM provider.</p>
+
+<h2><a name="leap-vm-key-register"></a>leap vm key-register</h2>
+
+<p>Registers a SSH public key for use when creating new VMs.</p>
+
+<p>Note that only people who are creating new VM instances need to have their key registered.</p>
+
+<h2><a name="leap-vm-rm-filter"></a>leap vm rm [FILTER]</h2>
+
+<p>Destroys one or more VMs</p>
+
+<h2><a name="leap-vm-start-filter"></a>leap vm start [FILTER]</h2>
+
+<p>Starts one or more VMs</p>
+
+<h2><a name="leap-vm-status-filter"></a>leap vm status [FILTER]</h2>
+
+<p>Print the status of all VMs</p>
+
+<h2><a name="leap-vm-stop-filter"></a>leap vm stop [FILTER]</h2>
+
+<p>Shuts down one or more VMs</p>
+
+<p>This keeps the storage allocated. To save resources, run <code>leap vm rm</code> instead.</p>
+
</div>
</div>
</body>
diff --git a/docs/en/guide/keys-and-certificates.html b/docs/en/guide/keys-and-certificates.html
index ee7d2699..f5f83066 100644
--- a/docs/en/guide/keys-and-certificates.html
+++ b/docs/en/guide/keys-and-certificates.html
@@ -165,7 +165,7 @@ Keys and Certificates - LEAP Platform Documentation
<a href="keys-and-certificates/index.html#client-certificates">Client certificates</a>
</li>
<li>
- <a href="keys-and-certificates/index.html#commercial-certificates">Commercial certificates</a>
+ <a href="keys-and-certificates/index.html#signed-certificates">Signed certificates</a>
</li>
<li>
<a href="keys-and-certificates/index.html#examine-certs">Examine Certs</a>
@@ -173,16 +173,13 @@ Keys and Certificates - LEAP Platform Documentation
</ol>
</li>
<li>
- <a href="keys-and-certificates/index.html#lets-encrypt-certificate">Let’s Encrypt certificate</a>
+ <a href="keys-and-certificates/index.html#lets-encrypt">Let’s Encrypt</a>
<ol>
<li>
- <a href="keys-and-certificates/index.html#install-the-official-acme-client">Install the official acme client</a>
+ <a href="keys-and-certificates/index.html#creating-a-certificate">Creating a certificate</a>
</li>
<li>
- <a href="keys-and-certificates/index.html#fetch-cert">Fetch cert</a>
- </li>
- <li>
- <a href="keys-and-certificates/index.html#deploy-the-certs">Deploy the certs</a>
+ <a href="keys-and-certificates/index.html#renewing-a-certificate">Renewing a certificate</a>
</li>
</ol>
</li>
@@ -351,9 +348,9 @@ leap deploy
<p>There are two types of client certificates: limited and unlimited. A client using a limited cert will have its bandwidth limited to the rate specified by <code>provider.service.bandwidth_limit</code> (in Bytes per second). An unlimited cert is given to the user if they authenticate and the user&rsquo;s service level matches one configured in <code>provider.service.levels</code> without bandwidth limits. Otherwise, the user is given a limited client cert.</p>
-<h2><a name="commercial-certificates"></a>Commercial certificates</h2>
+<h2><a name="signed-certificates"></a>Signed certificates</h2>
-<p>We strongly recommend that you use a commercial signed server certificate for your primary domain (in other words, a certificate with a common name matching whatever you have configured for <code>provider.domain</code>). This provides several benefits:</p>
+<p>We strongly recommend that the primary domain for your provider has a certificate signed by a &ldquo;trusted CA&rdquo; (e.g. A Certificate Authority that is trusted by the web browsers and in the Debian <code>ca-certificates</code> package). This provides several benefits:</p>
<ol>
<li>When users visit your website, they don&rsquo;t get a scary notice that something is wrong.</li>
@@ -362,28 +359,38 @@ leap deploy
</ol>
-<p>The LEAP platform is designed so that it assumes you are using a commercial cert for the primary domain of your provider, but all other servers are assumed to use non-commercial certs signed by the Server CA you create.</p>
+<p>The LEAP platform is designed so that it assumes you are using a certificate signed by a &ldquo;trusted CA&rdquo; for the primary domain of your provider, but all other servers are assumed to use certs signed by the Server CA you create.</p>
<p>To generate a CSR, run:</p>
-<pre><code>leap cert csr
+<pre><code>leap cert csr [DOMAIN]
</code></pre>
-<p>This command will generate the CSR and private key matching <code>provider.domain</code> (you can change the domain with <code>--domain=DOMAIN</code> switch). It also generates a server certificate signed with the Server CA. You should delete this certificate and replace it with a real one once it is created by your commercial CA.</p>
+<p>This command will generate the CSR and private key matching <code>provider.domain</code> or use DOMAIN. It also generates a server certificate signed with the Server CA. You should delete this certificate and replace it with a real one you get back from a &ldquo;trusted CA&rdquo;.</p>
<p>The related commercial cert files are:</p>
<pre><code>files/
cert/
- domain.org.crt # Server certificate for domain.org, obtained by commercial CA.
- domain.org.csr # Certificate signing request
- domain.org.key # Private key for you certificate
- commercial_ca.crt # The CA cert obtained from the commercial CA.
+ domain.org.crt # Server certificate for domain.org, obtained from
+ # the trusted CA (this file is initially signed with
+ # the Server CA, but you should replace it).
+ domain.org.csr # Certificate signing request (PEM format)
+ domain.org.key # Private key for you certificate (PEM format)
+ commercial_ca.crt # DEPRECATED: The certificate chain obtained from
+ # the trusted CA (PEM format)
</code></pre>
<p>The private key file is extremely sensitive and care should be taken with its provenance.</p>
-<p>If your commercial CA has a chained CA cert, you should be OK if you just put the <strong>last</strong> cert in the chain into the <code>commercial_ca.crt</code> file. This only works if the other CAs in the chain have certs in the debian package <code>ca-certificates</code>, which is the case for almost all CAs.</p>
+<p>A few notes on the certificate chain:</p>
+
+<ul>
+<li>A certificate is basically just a key signed by another key. In x.509, the signing key might be signed by yet another key, and so on, all the way to a &lsquo;root&rsquo; key. It is the root key that a browser trusts or is in the Debian <code>ca-certificates</code> package. The chain is the set of all the keys from the root to the end certificate.</li>
+<li>For TLS, both the server and the client need the full chain from the certificate to the CA&rsquo;s root.</li>
+<li>The full chain should be appended in the file <code>domain.org.crt</code> after the server certificate. The chain can also live in <code>commercial_ca.crt</code>, but this is deprecated.</li>
+</ul>
+
<p>If you want to add additional fields to the CSR, like country, city, or locality, you can configure these values in provider.json like so:</p>
@@ -405,74 +412,38 @@ leap deploy
<pre><code>$ leap inspect files/ca/ca.crt
</code></pre>
-<h1><a name="lets-encrypt-certificate"></a>Let’s Encrypt certificate</h1>
-
-<p>LEAP plans to integrate <a href="https://letsencrypt.org/">Let&rsquo;s Encrypt</a> support, so it will be even easier to receive X.509 certificates that are accepted by all browsers.
-Until we achieve this, here&rsquo;s a guide how to do this manually.</p>
-
-<h2><a name="install-the-official-acme-client"></a>Install the official acme client</h2>
-
-<p>Log in to your webapp node</p>
-
-<pre><code>server$ git clone https://github.com/certbot/certbot
-server$ cd certbot
-server$ ./certbot-auto --help
-</code></pre>
-
-<h2><a name="fetch-cert"></a>Fetch cert</h2>
-
-<p>Stop apache so the letsencrypt client can bind to port 80:</p>
-
-<pre><code>server$ systemctl stop apache2
-</code></pre>
-
-<p>Fetch the certs</p>
+<h1><a name="lets-encrypt"></a>Let’s Encrypt</h1>
-<pre><code>server$ ./certbot-auto certonly --standalone --email admin@$(hostname -d) -d $(hostname -d) -d api.$(hostname -d) -d $(hostname -f) -d nicknym.$(hostname -d)
-</code></pre>
-
-<p>This will put the certs and keys into <code>/etc/letsencrypt/live/DOMAIN/</code>.</p>
+<p>Let&rsquo;s Encrypt is a free &ldquo;trusted CA&rdquo;. You can obtain signed certificates from Let&rsquo;s Encrypt very easily using the LEAP command line, so long as you have first set up DNS correctly.</p>
-<p>Now, go to your workstation&rsquo;s provider configuration directory and copy the newly created files from the server to your local config. You will override existing files so please make a backup before proceeding, or use a version control system to track changes.</p>
-
-<pre><code>workstation$ cd PATH_TO_PROVIDER_CONFIG
-</code></pre>
+<h2><a name="creating-a-certificate"></a>Creating a certificate</h2>
-<p>Copy the Certificate</p>
+<p>For example:</p>
-<pre><code>workstation$ scp root@SERVER:/etc/letsencrypt/live/DOMAIN/cert.pem files/cert/dev.pixelated-project.org.crt
+<pre><code>workstation$ leap cert register
+workstation$ leap cert csr demo.bitmask.net
+workstation$ leap cert renew demo.bitmask.net
+workstation$ leap deploy
</code></pre>
-<p>Copy the private key</p>
+<p>Some notes:</p>
-<pre><code>workstation$ scp root@SERVER:/etc/letsencrypt/live/DOMAIN/privkey.pem files/cert/DOMAIN.key
-</code></pre>
-
-<p>Copy the CA chain cert</p>
+<ol>
+<li>You only need to run <code>leap cert register</code> once. Registering will save the Let&rsquo;s Encrypt account key to <code>files/ca/lets-encrypt-account.key</code>. If you delete this file, just run <code>leap cert register</code> again.</li>
+<li>Let&rsquo;s Encrypt support requires that you have already platform 0.9 or later.</li>
+<li>This requires that the DNS records are correct for the domain.</li>
+</ol>
-<pre><code>workstation$ scp root@SERVER:/etc/letsencrypt/live/DOMAIN/fullchain.pem files/cert/commercial_ca.crt
-</code></pre>
-<h2><a name="deploy-the-certs"></a>Deploy the certs</h2>
+<h2><a name="renewing-a-certificate"></a>Renewing a certificate</h2>
-<p>Now you only need to deploy the certs</p>
+<p>Let&rsquo;s Encrypt validations are short lived. You will need to renew the certificate at least once every three months. There is no harm in doing it more regularly, however. You can renew your cert every day if you wanted.</p>
-<pre><code>workstation$ leap deploy
+<pre><code>workstation$ leap cert renew demo.bitmask.net
+workstation$ leap deploy
</code></pre>
-<p>This will put them into the right locations which are:</p>
-
-<ul>
-<li><code>/etc/x509/certs/leap_commercial.crt</code> for the certificate</li>
-<li><code>/etc/x509/./keys/leap_commercial.key</code> for the private key</li>
-<li><code>/usr/local/share/ca-certificates/leap_commercial_ca.crt</code> for the CA chain cert.</li>
-</ul>
-
-
-<p>Start apache2 again</p>
-
-<pre><code>server$ systemctl start apache2
-</code></pre>
+<p>There is no need to create a new CSR: renewing will reuse the old private key and the old CSR. It is especially important to not create a new CSR if you have advertised public key pins using HPKP.</p>
</div>
</div>
diff --git a/docs/en/guide/keys-and-certificates/index.html b/docs/en/guide/keys-and-certificates/index.html
index 4775de5a..016a03a7 100644
--- a/docs/en/guide/keys-and-certificates/index.html
+++ b/docs/en/guide/keys-and-certificates/index.html
@@ -165,7 +165,7 @@ Keys and Certificates - LEAP Platform Documentation
<a href="index.html#client-certificates">Client certificates</a>
</li>
<li>
- <a href="index.html#commercial-certificates">Commercial certificates</a>
+ <a href="index.html#signed-certificates">Signed certificates</a>
</li>
<li>
<a href="index.html#examine-certs">Examine Certs</a>
@@ -173,16 +173,13 @@ Keys and Certificates - LEAP Platform Documentation
</ol>
</li>
<li>
- <a href="index.html#lets-encrypt-certificate">Let’s Encrypt certificate</a>
+ <a href="index.html#lets-encrypt">Let’s Encrypt</a>
<ol>
<li>
- <a href="index.html#install-the-official-acme-client">Install the official acme client</a>
+ <a href="index.html#creating-a-certificate">Creating a certificate</a>
</li>
<li>
- <a href="index.html#fetch-cert">Fetch cert</a>
- </li>
- <li>
- <a href="index.html#deploy-the-certs">Deploy the certs</a>
+ <a href="index.html#renewing-a-certificate">Renewing a certificate</a>
</li>
</ol>
</li>
@@ -351,9 +348,9 @@ leap deploy
<p>There are two types of client certificates: limited and unlimited. A client using a limited cert will have its bandwidth limited to the rate specified by <code>provider.service.bandwidth_limit</code> (in Bytes per second). An unlimited cert is given to the user if they authenticate and the user&rsquo;s service level matches one configured in <code>provider.service.levels</code> without bandwidth limits. Otherwise, the user is given a limited client cert.</p>
-<h2><a name="commercial-certificates"></a>Commercial certificates</h2>
+<h2><a name="signed-certificates"></a>Signed certificates</h2>
-<p>We strongly recommend that you use a commercial signed server certificate for your primary domain (in other words, a certificate with a common name matching whatever you have configured for <code>provider.domain</code>). This provides several benefits:</p>
+<p>We strongly recommend that the primary domain for your provider has a certificate signed by a &ldquo;trusted CA&rdquo; (e.g. A Certificate Authority that is trusted by the web browsers and in the Debian <code>ca-certificates</code> package). This provides several benefits:</p>
<ol>
<li>When users visit your website, they don&rsquo;t get a scary notice that something is wrong.</li>
@@ -362,28 +359,38 @@ leap deploy
</ol>
-<p>The LEAP platform is designed so that it assumes you are using a commercial cert for the primary domain of your provider, but all other servers are assumed to use non-commercial certs signed by the Server CA you create.</p>
+<p>The LEAP platform is designed so that it assumes you are using a certificate signed by a &ldquo;trusted CA&rdquo; for the primary domain of your provider, but all other servers are assumed to use certs signed by the Server CA you create.</p>
<p>To generate a CSR, run:</p>
-<pre><code>leap cert csr
+<pre><code>leap cert csr [DOMAIN]
</code></pre>
-<p>This command will generate the CSR and private key matching <code>provider.domain</code> (you can change the domain with <code>--domain=DOMAIN</code> switch). It also generates a server certificate signed with the Server CA. You should delete this certificate and replace it with a real one once it is created by your commercial CA.</p>
+<p>This command will generate the CSR and private key matching <code>provider.domain</code> or use DOMAIN. It also generates a server certificate signed with the Server CA. You should delete this certificate and replace it with a real one you get back from a &ldquo;trusted CA&rdquo;.</p>
<p>The related commercial cert files are:</p>
<pre><code>files/
cert/
- domain.org.crt # Server certificate for domain.org, obtained by commercial CA.
- domain.org.csr # Certificate signing request
- domain.org.key # Private key for you certificate
- commercial_ca.crt # The CA cert obtained from the commercial CA.
+ domain.org.crt # Server certificate for domain.org, obtained from
+ # the trusted CA (this file is initially signed with
+ # the Server CA, but you should replace it).
+ domain.org.csr # Certificate signing request (PEM format)
+ domain.org.key # Private key for you certificate (PEM format)
+ commercial_ca.crt # DEPRECATED: The certificate chain obtained from
+ # the trusted CA (PEM format)
</code></pre>
<p>The private key file is extremely sensitive and care should be taken with its provenance.</p>
-<p>If your commercial CA has a chained CA cert, you should be OK if you just put the <strong>last</strong> cert in the chain into the <code>commercial_ca.crt</code> file. This only works if the other CAs in the chain have certs in the debian package <code>ca-certificates</code>, which is the case for almost all CAs.</p>
+<p>A few notes on the certificate chain:</p>
+
+<ul>
+<li>A certificate is basically just a key signed by another key. In x.509, the signing key might be signed by yet another key, and so on, all the way to a &lsquo;root&rsquo; key. It is the root key that a browser trusts or is in the Debian <code>ca-certificates</code> package. The chain is the set of all the keys from the root to the end certificate.</li>
+<li>For TLS, both the server and the client need the full chain from the certificate to the CA&rsquo;s root.</li>
+<li>The full chain should be appended in the file <code>domain.org.crt</code> after the server certificate. The chain can also live in <code>commercial_ca.crt</code>, but this is deprecated.</li>
+</ul>
+
<p>If you want to add additional fields to the CSR, like country, city, or locality, you can configure these values in provider.json like so:</p>
@@ -405,74 +412,38 @@ leap deploy
<pre><code>$ leap inspect files/ca/ca.crt
</code></pre>
-<h1><a name="lets-encrypt-certificate"></a>Let’s Encrypt certificate</h1>
-
-<p>LEAP plans to integrate <a href="https://letsencrypt.org/">Let&rsquo;s Encrypt</a> support, so it will be even easier to receive X.509 certificates that are accepted by all browsers.
-Until we achieve this, here&rsquo;s a guide how to do this manually.</p>
-
-<h2><a name="install-the-official-acme-client"></a>Install the official acme client</h2>
-
-<p>Log in to your webapp node</p>
-
-<pre><code>server$ git clone https://github.com/certbot/certbot
-server$ cd certbot
-server$ ./certbot-auto --help
-</code></pre>
-
-<h2><a name="fetch-cert"></a>Fetch cert</h2>
-
-<p>Stop apache so the letsencrypt client can bind to port 80:</p>
-
-<pre><code>server$ systemctl stop apache2
-</code></pre>
-
-<p>Fetch the certs</p>
+<h1><a name="lets-encrypt"></a>Let’s Encrypt</h1>
-<pre><code>server$ ./certbot-auto certonly --standalone --email admin@$(hostname -d) -d $(hostname -d) -d api.$(hostname -d) -d $(hostname -f) -d nicknym.$(hostname -d)
-</code></pre>
-
-<p>This will put the certs and keys into <code>/etc/letsencrypt/live/DOMAIN/</code>.</p>
+<p>Let&rsquo;s Encrypt is a free &ldquo;trusted CA&rdquo;. You can obtain signed certificates from Let&rsquo;s Encrypt very easily using the LEAP command line, so long as you have first set up DNS correctly.</p>
-<p>Now, go to your workstation&rsquo;s provider configuration directory and copy the newly created files from the server to your local config. You will override existing files so please make a backup before proceeding, or use a version control system to track changes.</p>
-
-<pre><code>workstation$ cd PATH_TO_PROVIDER_CONFIG
-</code></pre>
+<h2><a name="creating-a-certificate"></a>Creating a certificate</h2>
-<p>Copy the Certificate</p>
+<p>For example:</p>
-<pre><code>workstation$ scp root@SERVER:/etc/letsencrypt/live/DOMAIN/cert.pem files/cert/dev.pixelated-project.org.crt
+<pre><code>workstation$ leap cert register
+workstation$ leap cert csr demo.bitmask.net
+workstation$ leap cert renew demo.bitmask.net
+workstation$ leap deploy
</code></pre>
-<p>Copy the private key</p>
+<p>Some notes:</p>
-<pre><code>workstation$ scp root@SERVER:/etc/letsencrypt/live/DOMAIN/privkey.pem files/cert/DOMAIN.key
-</code></pre>
-
-<p>Copy the CA chain cert</p>
+<ol>
+<li>You only need to run <code>leap cert register</code> once. Registering will save the Let&rsquo;s Encrypt account key to <code>files/ca/lets-encrypt-account.key</code>. If you delete this file, just run <code>leap cert register</code> again.</li>
+<li>Let&rsquo;s Encrypt support requires that you have already platform 0.9 or later.</li>
+<li>This requires that the DNS records are correct for the domain.</li>
+</ol>
-<pre><code>workstation$ scp root@SERVER:/etc/letsencrypt/live/DOMAIN/fullchain.pem files/cert/commercial_ca.crt
-</code></pre>
-<h2><a name="deploy-the-certs"></a>Deploy the certs</h2>
+<h2><a name="renewing-a-certificate"></a>Renewing a certificate</h2>
-<p>Now you only need to deploy the certs</p>
+<p>Let&rsquo;s Encrypt validations are short lived. You will need to renew the certificate at least once every three months. There is no harm in doing it more regularly, however. You can renew your cert every day if you wanted.</p>
-<pre><code>workstation$ leap deploy
+<pre><code>workstation$ leap cert renew demo.bitmask.net
+workstation$ leap deploy
</code></pre>
-<p>This will put them into the right locations which are:</p>
-
-<ul>
-<li><code>/etc/x509/certs/leap_commercial.crt</code> for the certificate</li>
-<li><code>/etc/x509/./keys/leap_commercial.key</code> for the private key</li>
-<li><code>/usr/local/share/ca-certificates/leap_commercial_ca.crt</code> for the CA chain cert.</li>
-</ul>
-
-
-<p>Start apache2 again</p>
-
-<pre><code>server$ systemctl start apache2
-</code></pre>
+<p>There is no need to create a new CSR: renewing will reuse the old private key and the old CSR. It is especially important to not create a new CSR if you have advertised public key pins using HPKP.</p>
</div>
</div>