From 87896a7d79ecfe06d2538e719061d6e75e1d7952 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 21 Nov 2017 10:05:14 -0500 Subject: Docs: Update docs to prepare for 0.10.0 release Fixes: #8427, #8812 --- docs/en/guide/keys-and-certificates.html | 89 ++++++++++++++++++++++++++ docs/en/guide/keys-and-certificates/index.html | 89 ++++++++++++++++++++++++++ docs/en/guide/virtual-machines.html | 6 ++ docs/en/guide/virtual-machines/index.html | 6 ++ 4 files changed, 190 insertions(+) (limited to 'docs/en/guide') diff --git a/docs/en/guide/keys-and-certificates.html b/docs/en/guide/keys-and-certificates.html index f5f83066..95c08cb9 100644 --- a/docs/en/guide/keys-and-certificates.html +++ b/docs/en/guide/keys-and-certificates.html @@ -181,6 +181,25 @@ Keys and Certificates - LEAP Platform Documentation
  • Renewing a certificate
  • +
  • + Issues +
      +
    1. + Certs already expired +
        +
      1. + Install the official acme client +
      2. +
      3. + Fetch cert +
      4. +
      5. + Deploy the certs +
      6. +
      +
    2. +
    +
  • @@ -445,6 +464,76 @@ workstation$ leap deploy

    There is no need to create a new CSR: renewing will reuse the old private key and the old CSR. It is especially important to not create a new CSR if you have advertised public key pins using HPKP.

    +

    Issues

    + +

    Certs already expired

    + +

    When a cert is already expired, you can get into a possible deadlock situation on your servers which you can only resolve manually at the moment.

    + +

    Install the official acme client

    + +

    Log in to your webapp node and install the certbot package:

    + +
    server$ apt install -t jessie-backports certbot
    +
    + +

    Fetch cert

    + +

    Stop apache so the letsencrypt client can bind to port 80:

    + +
    server$ systemctl stop apache2
    +
    + +

    Fetch the certs

    + +
    server$ certbot certonly --standalone --email admin@$(hostname -d) -d $(hostname -d) -d api.$(hostname -d) -d $(hostname -f) -d nicknym.$(hostname -d)
    +
    + +

    This will put the certs and keys into /etc/letsencrypt/live/DOMAIN/.

    + +

    Now, go to your workstation’s provider configuration directory and copy the newly created files from the server to your local config. You will override existing files so please make a backup before proceeding, or use a version control system to track changes.

    + +
    workstation$ cd PATH_TO_PROVIDER_CONFIG
    +
    + +

    Copy the Certificate

    + +
    workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/cert.pem' files/cert/DOMAIN.crt
    +
    + +

    Copy the private key

    + +
    workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/privkey.pem' files/cert/DOMAIN.key
    +
    + +

    Copy the CA chain cert

    + +
    workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/fullchain.pem' files/cert/commercial_ca.crt
    +
    + +

    Deploy the certs

    + +

    Now you only need to deploy the certs

    + +
    workstation$ leap deploy
    +
    + +

    This will put them into the right locations which are:

    + + + + +

    Start apache2 again

    + +
    server$ systemctl start apache2
    +
    + +

    Done! In the future please make sure to always renew letsencrypt certificates before they expire ;).

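Review bot: "Copy the CA chain cert" copies fullchain.pem into files/cert/commercial_ca.crt, but certbot's fullchain.pem is the leaf certificate followed by the issuer chain, while chain.pem in the same live directory holds only the intermediate(s); confirm which of the two the platform expects in commercial_ca.crt before this goes out. Three smaller points in the same hunk: the scp lines mix the DOMAIN placeholder on the local side (`files/cert/DOMAIN.crt`) with `$(hostname -d)` in single quotes on the remote side, which only expands because classic scp passes the remote path to a shell on the server, so either use DOMAIN on both sides or say that the substitution happens remotely; the paragraph recommending a version control system for the provider config directory is immediately followed by copying privkey.pem into files/cert/DOMAIN.key, so the text should state explicitly whether that private key may be committed; and `apt install -t jessie-backports certbot` assumes jessie-backports is already configured in the node's apt sources. The opening sentence about a "possible deadlock situation" would also help the reader more if it said which step of the normal renewal fails once the certificate has expired.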
    + diff --git a/docs/en/guide/keys-and-certificates/index.html b/docs/en/guide/keys-and-certificates/index.html index 016a03a7..95279270 100644 --- a/docs/en/guide/keys-and-certificates/index.html +++ b/docs/en/guide/keys-and-certificates/index.html @@ -181,6 +181,25 @@ Keys and Certificates - LEAP Platform Documentation
  • Renewing a certificate
  • +
  • + Issues +
      +
    1. + Certs already expired +
        +
      1. + Install the official acme client +
      2. +
      3. + Fetch cert +
      4. +
      5. + Deploy the certs +
      6. +
      +
    2. +
    +
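Review bot: this hunk is byte-identical to the one above in docs/en/guide/keys-and-certificates.html (index.html copy of the same generated page), so the comment about the untitled numbered items in the table of contents applies here unchanged; if both files are rendered from one source document, the fix belongs in that source rather than in either HTML file.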
  • @@ -445,6 +464,76 @@ workstation$ leap deploy

    There is no need to create a new CSR: renewing will reuse the old private key and the old CSR. It is especially important to not create a new CSR if you have advertised public key pins using HPKP.

    +

    Issues

    + +

    Certs already expired

    + +

    When a cert is already expired, you can get into a possible deadlock situation on your servers which you can only resolve manually at the moment.

    + +

    Install the official acme client

    + +

    Log in to your webapp node and install the certbot package:

    + +
    server$ apt install -t jessie-backports certbot
    +
    + +

    Fetch cert

    + +

    Stop apache so the letsencrypt client can bind to port 80:

    + +
    server$ systemctl stop apache2
    +
    + +

    Fetch the certs

    + +
    server$ certbot certonly --standalone --email admin@$(hostname -d) -d $(hostname -d) -d api.$(hostname -d) -d $(hostname -f) -d nicknym.$(hostname -d)
    +
    + +

    This will put the certs and keys into /etc/letsencrypt/live/DOMAIN/.

    + +

    Now, go to your workstation’s provider configuration directory and copy the newly created files from the server to your local config. You will override existing files so please make a backup before proceeding, or use a version control system to track changes.

    + +
    workstation$ cd PATH_TO_PROVIDER_CONFIG
    +
    + +

    Copy the Certificate

    + +
    workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/cert.pem' files/cert/DOMAIN.crt
    +
    + +

    Copy the private key

    + +
    workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/privkey.pem' files/cert/DOMAIN.key
    +
    + +

    Copy the CA chain cert

    + +
    workstation$ scp 'root@SERVER:/etc/letsencrypt/live/$(hostname -d)/fullchain.pem' files/cert/commercial_ca.crt
    +
    + +

    Deploy the certs

    + +

    Now you only need to deploy the certs

    + +
    workstation$ leap deploy
    +
    + +

    This will put them into the right locations which are:

    + + + + +

    Start apache2 again

    + +
    server$ systemctl start apache2
    +
    + +

    Done! In the future please make sure to always renew letsencrypt certificates before they expire ;).

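Review bot: this hunk is byte-identical to the one above in docs/en/guide/keys-and-certificates.html, so the comments there (fullchain.pem versus chain.pem for commercial_ca.crt, the mixed DOMAIN / `$(hostname -d)` placeholders in the scp lines, the private key copied into a directory the text suggests tracking in version control, and the jessie-backports assumption) apply here unchanged; fix them once in the source both pages are generated from.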
    + diff --git a/docs/en/guide/virtual-machines.html b/docs/en/guide/virtual-machines.html index c522c181..28be3211 100644 --- a/docs/en/guide/virtual-machines.html +++ b/docs/en/guide/virtual-machines.html @@ -220,6 +220,7 @@ Virtual Machines - LEAP Platform Documentation @@ -245,6 +246,11 @@ leap vm start mynode
    leap vm add mynode services:webapp tags:seattle vm.options.InstanceType:t2.small
     
    +

    For an email provider installation, you should specify the following seeds:

    + +
    leap vm add mynode services:webapp,couchdb,soledad,mx
    +
    +

    Check to see what the status is of all VMs:

    leap vm status
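Review bot: the new email-provider example `leap vm add mynode services:webapp,couchdb,soledad,mx` drops the `tags:` and `vm.options.InstanceType:` arguments that the line just above it demonstrates, and this node now carries four services instead of one; the text should say whether the instance-type option is still set the same way for a combined node, rather than leaving the reader to infer it from the single-service example.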
    diff --git a/docs/en/guide/virtual-machines/index.html b/docs/en/guide/virtual-machines/index.html
    index 4b2a2e0f..20d45a77 100644
    --- a/docs/en/guide/virtual-machines/index.html
    +++ b/docs/en/guide/virtual-machines/index.html
    @@ -220,6 +220,7 @@ Virtual Machines - LEAP Platform Documentation
     
     
     
     
    @@ -245,6 +246,11 @@ leap vm start mynode
     
    leap vm add mynode services:webapp tags:seattle vm.options.InstanceType:t2.small
     
    +

    For an email provider installation, you should specify the following seeds:

    + +
    leap vm add mynode services:webapp,couchdb,soledad,mx
    +
    +

    Check to see what the status is of all VMs:

    leap vm status
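Review bot: this hunk is byte-identical to the one above in docs/en/guide/virtual-machines.html, so the comment about the omitted `tags:` and `vm.options.InstanceType:` arguments in the combined-services example applies here unchanged.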
    -- 