author varac <varacanero@zeromail.org> 2016-03-29 15:01:02 +0200
committer varac <varacanero@zeromail.org> 2016-03-29 15:01:02 +0200
commit 1e3ee1876afaa28392713705b8be054f016d80b5 (patch)
tree 91b2015f5b78ceb82726db4735542d2179da9bb7
parent 81c3c53f5a82a83acfa9071c55a2b039ef679bd2 (diff)
add lets encrypt section
-rw-r--r-- pages/docs/platform/guide/keys-and-certificates.md 52
1 files changed, 52 insertions, 0 deletions
diff --git a/pages/docs/platform/guide/keys-and-certificates.md b/pages/docs/platform/guide/keys-and-certificates.md
index 092589d..327f8b0 100644
--- a/pages/docs/platform/guide/keys-and-certificates.md
+++ b/pages/docs/platform/guide/keys-and-certificates.md
@@ -208,3 +208,55 @@ Examine Certs
To see details about the keys and certs you can use `leap inspect` like so:
$ leap inspect files/ca/ca.crt
+
+
+Let's encrypt certificate
+=========================
+
+LEAP plans to integrate [Let's encrypt](https://letsencrypt.org/) support to it will be even easier to recieve SSL certificates that are accepted by all browsers.
+Until we achieved this, here's a guide how to do this manually.
+
+Install the official acme client
+--------------------------------
+
+Log in to your webapp node
+
+ server$ git clone https://github.com/letsencrypt/letsencrypt
+ server$ cd letsencrypt
+ server$ ./letsencrypt-auto --help
+
+Fetch cert
+----------
+
+Stop apache so the letsencrypt client can bind to port 80:
+
+ server$ systemctl stop apache2
+
+Fetch the certs
+
+ server$ ./letsencrypt-auto certonly --standalone --email admin@$(hostname -d) -d $(hostname -d) -d api.$(hostname -d) -d $(hostname -f) -d nicknym.$(hostname -d)
+
+This will put the certs and keys into `/etc/letsencrypt/live/DOMAIN/`, from where they need to get copied over to your workstation's provider config directory.
+
+The place where you need to put them in your provider config are:
+
+- Certificate: `/etc/letsencrypt/live/DOMAIN/cert.pem` from the server to `files/cert/dev.pixelated-project.org.crt` in your provider config
+- Private key: `/etc/letsencrypt/live/DOMAIN/privkey.pem` from the server to `files/cert/DOMAIN.key` in your provider config
+- CA Chain cert: `/etc/letsencrypt/live/DOMAIN/fullchain.pem` `files/cert/commercial_ca.crt` in your provider config
+
+Deploy the certs
+----------------
+
+Now you only need to deploy the certs
+
+ workstation$ leap deploy
+
+This will put them into the right locations which are:
+
+- `/etc/x509/certs/leap_commercial.crt` for the certificate
+- `/etc/x509/./keys/leap_commercial.key` for the private key
+- `/usr/local/share/ca-certificates/leap_commercial_ca.crt` for the CA chain cert.
+
+Start apache2 again
+
+ server$ systemctl start apache2
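
Review bot: In the "Fetch cert" list, the CA chain entry copies `fullchain.pem` to `files/cert/commercial_ca.crt`, but `fullchain.pem` is the leaf certificate concatenated with the intermediates; `chain.pem` in the same `live/DOMAIN/` directory holds only the CA chain and is the file that fits this slot. That entry is also missing the "from the server to" wording the other two entries have. In the same list the certificate destination is hardcoded as `files/cert/dev.pixelated-project.org.crt` while the key uses `files/cert/DOMAIN.key`; suggest `files/cert/DOMAIN.crt` so the placeholder is consistent. Since `privkey.pem` leaves the server in this step, the guide should say how to copy it (for example over scp) and that the copy in the provider config should stay readable only by its owner. Smaller points: `/etc/x509/./keys/leap_commercial.key` has a stray `./`, and the intro paragraph has typos ("support to it will", "recieve", "Until we achieved this").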