Merge tag 'refs/tags/0.10.0' into stable

Release 0.10.0
author: Micah Anderson <micah@riseup.net> 2017-11-28 11:35:01 -0500
committer: Micah Anderson <micah@riseup.net> 2017-11-28 11:35:01 -0500
commit: 0d251e2ceddd3e02ed8bba8725830689dbdd1397 (patch)
tree: 37d7096d9e458ca1e6431dff8a2f571553011c44 /docs/en/guide
parent: 93a181d44e2d8163ae44945aac1b6477e268170d (diff)
parent: bf6c56d86c7ba45e7ca766d990a9e9162025e5ac (diff)
4 files changed, 192 insertions, 2 deletions
diff --git a/docs/en/guide/keys-and-certificates.html b/docs/en/guide/keys-and-certificates.html
index f5f83066..95c08cb9 100644
--- a/docs/en/guide/keys-and-certificates.html
+++ b/docs/en/guide/keys-and-certificates.html
@@ -181,6 +181,25 @@ Keys and Certificates - LEAP Platform Documentation
       <li>
         <a href="keys-and-certificates/index.html#renewing-a-certificate">Renewing a certificate</a>
       </li>
+      <li>
+        <a href="keys-and-certificates/index.html#issues">Issues</a>
+        <ol>
+          <li>
+            <a href="keys-and-certificates/index.html#certs-already-expired">Certs already expired</a>
+            <ol>
+              <li>
+                <a href="keys-and-certificates/index.html#install-the-official-acme-client">Install the official acme client</a>
+              </li>
+              <li>
+                <a href="keys-and-certificates/index.html#fetch-cert">Fetch cert</a>
+              </li>
+              <li>
+                <a href="keys-and-certificates/index.html#deploy-the-certs">Deploy the certs</a>
+              </li>
+            </ol>
+          </li>
+        </ol>
+      </li>
     </ol>
   </li>
 </ol></div>
@@ -445,6 +464,76 @@ workstation$ leap deploy
 
 <p>There is no need to create a new CSR: renewing will reuse the old private key and the old CSR. It is especially important to not create a new CSR if you have advertised public key pins using HPKP.</p>
 
+<h2><a name="issues"></a>Issues</h2>
+
+<h3><a name="certs-already-expired"></a>Certs already expired</h3>
+
+<p>When a cert is already expired, you can get into a possible deadlock situation on your servers which you can only resolve manually at the moment.</p>
+
+<h4><a name="install-the-official-acme-client"></a>Install the official acme client</h4>
+
+<p>Log in to your webapp node and install the <code>certbot</code> package:</p>
+
+<pre><code>server$ apt install -t jessie-backports certbot
+</code></pre>
+
+<h4><a name="fetch-cert"></a>Fetch cert</h4>
+
+<p>Stop apache so the letsencrypt client can bind to port 80:</p>
+
+<pre><code>server$ systemctl stop apache2
+</code></pre>
+
+<p>Fetch the certs</p>
+
+<pre><code>server$ certbot certonly --standalone --email admin@$(hostname -d) -d $(hostname -d) -d api.$(hostname -d) -d $(hostname -f) -d nicknym.$(hostname -d)
+</code></pre>
+
+<p>This will put the certs and keys into <code>/etc/letsencrypt/live/DOMAIN/</code>.</p>
+
+<p>Now, go to your workstation&rsquo;s provider configuration directory and copy the newly created files from the server to your local config. You will override existing files so please make a backup before proceeding, or use a version control system to track changes.</p>
+
+<pre><code>workstation$ cd PATH_TO_PROVIDER_CONFIG
+</code></pre>
+
+<p>Copy the Certificate</p>
+
+<pre><code>workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/cert.pem' files/cert/DOMAIN.crt
+</code></pre>
+
+<p>Copy the private key</p>
+
+<pre><code>workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/privkey.pem' files/cert/DOMAIN.key
+</code></pre>
+
+<p>Copy the CA chain cert</p>
+
+<pre><code>workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/fullchain.pem' files/cert/commercial_ca.crt
+</code></pre>
+
+<h4><a name="deploy-the-certs"></a>Deploy the certs</h4>
+
+<p>Now you only need to deploy the certs</p>
+
+<pre><code>workstation$ leap deploy
+</code></pre>
+
+<p>This will put them into the right locations which are:</p>
+
+<ul>
+<li><code>/etc/x509/certs/leap_commercial.crt</code> for the certificate</li>
+<li><code>/etc/x509/./keys/leap_commercial.key</code> for the private key</li>
+<li><code>/usr/local/share/ca-certificates/leap_commercial_ca.crt</code> for the CA chain cert.</li>
+</ul>
+
+
+<p>Start apache2 again</p>
+
+<pre><code>server$ systemctl start apache2
+</code></pre>
+
+<p>Done! In the future please make sure to always renew letsencrypt certificates before they expire ;).</p>
+
 </div>
 </div>
 </body>
diff --git a/docs/en/guide/keys-and-certificates/index.html b/docs/en/guide/keys-and-certificates/index.html
index 016a03a7..95279270 100644
--- a/docs/en/guide/keys-and-certificates/index.html
+++ b/docs/en/guide/keys-and-certificates/index.html
@@ -181,6 +181,25 @@ Keys and Certificates - LEAP Platform Documentation
       <li>
         <a href="index.html#renewing-a-certificate">Renewing a certificate</a>
       </li>
+      <li>
+        <a href="index.html#issues">Issues</a>
+        <ol>
+          <li>
+            <a href="index.html#certs-already-expired">Certs already expired</a>
+            <ol>
+              <li>
+                <a href="index.html#install-the-official-acme-client">Install the official acme client</a>
+              </li>
+              <li>
+                <a href="index.html#fetch-cert">Fetch cert</a>
+              </li>
+              <li>
+                <a href="index.html#deploy-the-certs">Deploy the certs</a>
+              </li>
+            </ol>
+          </li>
+        </ol>
+      </li>
     </ol>
   </li>
 </ol></div>
@@ -445,6 +464,76 @@ workstation$ leap deploy
 
 <p>There is no need to create a new CSR: renewing will reuse the old private key and the old CSR. It is especially important to not create a new CSR if you have advertised public key pins using HPKP.</p>
 
+<h2><a name="issues"></a>Issues</h2>
+
+<h3><a name="certs-already-expired"></a>Certs already expired</h3>
+
+<p>When a cert is already expired, you can get into a possible deadlock situation on your servers which you can only resolve manually at the moment.</p>
+
+<h4><a name="install-the-official-acme-client"></a>Install the official acme client</h4>
+
+<p>Log in to your webapp node and install the <code>certbot</code> package:</p>
+
+<pre><code>server$ apt install -t jessie-backports certbot
+</code></pre>
+
+<h4><a name="fetch-cert"></a>Fetch cert</h4>
+
+<p>Stop apache so the letsencrypt client can bind to port 80:</p>
+
+<pre><code>server$ systemctl stop apache2
+</code></pre>
+
+<p>Fetch the certs</p>
+
+<pre><code>server$ certbot certonly --standalone --email admin@$(hostname -d) -d $(hostname -d) -d api.$(hostname -d) -d $(hostname -f) -d nicknym.$(hostname -d)
+</code></pre>
+
+<p>This will put the certs and keys into <code>/etc/letsencrypt/live/DOMAIN/</code>.</p>
+
+<p>Now, go to your workstation&rsquo;s provider configuration directory and copy the newly created files from the server to your local config. You will override existing files so please make a backup before proceeding, or use a version control system to track changes.</p>
+
+<pre><code>workstation$ cd PATH_TO_PROVIDER_CONFIG
+</code></pre>
+
+<p>Copy the Certificate</p>
+
+<pre><code>workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/cert.pem' files/cert/DOMAIN.crt
+</code></pre>
+
+<p>Copy the private key</p>
+
+<pre><code>workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/privkey.pem' files/cert/DOMAIN.key
+</code></pre>
+
+<p>Copy the CA chain cert</p>
+
+<pre><code>workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/fullchain.pem' files/cert/commercial_ca.crt
+</code></pre>
+
+<h4><a name="deploy-the-certs"></a>Deploy the certs</h4>
+
+<p>Now you only need to deploy the certs</p>
+
+<pre><code>workstation$ leap deploy
+</code></pre>
+
+<p>This will put them into the right locations which are:</p>
+
+<ul>
+<li><code>/etc/x509/certs/leap_commercial.crt</code> for the certificate</li>
+<li><code>/etc/x509/./keys/leap_commercial.key</code> for the private key</li>
+<li><code>/usr/local/share/ca-certificates/leap_commercial_ca.crt</code> for the CA chain cert.</li>
+</ul>
+
+
+<p>Start apache2 again</p>
+
+<pre><code>server$ systemctl start apache2
+</code></pre>
+
+<p>Done! In the future please make sure to always renew letsencrypt certificates before they expire ;).</p>
+
 </div>
 </div>
 </body>
diff --git a/docs/en/guide/virtual-machines.html b/docs/en/guide/virtual-machines.html
index 5cee9a40..28be3211 100644
--- a/docs/en/guide/virtual-machines.html
+++ b/docs/en/guide/virtual-machines.html
@@ -142,7 +142,7 @@ Virtual Machines - LEAP Platform Documentation
 
 <h2><a name="introduction"></a>Introduction</h2>
 
-<p>You can use the <code>leap</code> command line to easily remote virtual machines.</p>
+<p>You can use the <code>leap</code> command line to easily manage remote virtual machines.</p>
 
 <p>Note: there are two types of virtual machines that <code>leap</code> can handle:</p>
 
@@ -220,6 +220,7 @@ Virtual Machines - LEAP Platform Documentation
 
 <ul>
 <li><a href="https://aws.amazon.com/ec2/instance-types/">Available instance types for AWS</a></li>
+<li><a href="https://aws.amazon.com/pt/blogs/security/wheres-my-secret-access-key/">Where’s My Secret Access Key?</a></li>
 </ul>
 
 
@@ -245,6 +246,11 @@ leap vm start mynode
 <pre><code>leap vm add mynode services:webapp tags:seattle vm.options.InstanceType:t2.small
 </code></pre>
 
+<p>For an email provider installation, you should specify the following seeds:</p>
+
+<pre><code>leap vm add mynode services:webapp,couchdb,soledad,mx
+</code></pre>
+
 <p>Check to see what the status is of all VMs:</p>
 
 <pre><code>leap vm status
diff --git a/docs/en/guide/virtual-machines/index.html b/docs/en/guide/virtual-machines/index.html
index da0da107..20d45a77 100644
--- a/docs/en/guide/virtual-machines/index.html
+++ b/docs/en/guide/virtual-machines/index.html
@@ -142,7 +142,7 @@ Virtual Machines - LEAP Platform Documentation
 
 <h2><a name="introduction"></a>Introduction</h2>
 
-<p>You can use the <code>leap</code> command line to easily remote virtual machines.</p>
+<p>You can use the <code>leap</code> command line to easily manage remote virtual machines.</p>
 
 <p>Note: there are two types of virtual machines that <code>leap</code> can handle:</p>
 
@@ -220,6 +220,7 @@ Virtual Machines - LEAP Platform Documentation
 
 <ul>
 <li><a href="https://aws.amazon.com/ec2/instance-types/">Available instance types for AWS</a></li>
+<li><a href="https://aws.amazon.com/pt/blogs/security/wheres-my-secret-access-key/">Where’s My Secret Access Key?</a></li>
 </ul>
 
 
@@ -245,6 +246,11 @@ leap vm start mynode
 <pre><code>leap vm add mynode services:webapp tags:seattle vm.options.InstanceType:t2.small
 </code></pre>
 
+<p>For an email provider installation, you should specify the following seeds:</p>
+
+<pre><code>leap vm add mynode services:webapp,couchdb,soledad,mx
+</code></pre>
+
 <p>Check to see what the status is of all VMs:</p>
 
 <pre><code>leap vm status
author	Micah Anderson <micah@riseup.net>	2017-11-28 11:35:01 -0500
committer	Micah Anderson <micah@riseup.net>	2017-11-28 11:35:01 -0500
commit	0d251e2ceddd3e02ed8bba8725830689dbdd1397 (patch)
tree	37d7096d9e458ca1e6431dff8a2f571553011c44 /docs/en/guide
parent	93a181d44e2d8163ae44945aac1b6477e268170d (diff)
parent	bf6c56d86c7ba45e7ca766d990a9e9162025e5ac (diff)