[talk] SSL certificates
Dan Langille
dan at langille.org
Tue Sep 12 16:41:59 EDT 2017
> On Sep 12, 2017, at 4:35 PM, Pete Wright <pete at nomadlogic.org> wrote:
>
> On 09/12/2017 13:18, Dan Langille wrote:
>>> On Sep 12, 2017, at 1:10 PM, Mark Saad <mark.saad at ymail.com> wrote:
>>
>>> one issue i've had with let's encrypt is trying to use it on private
>>> subdomains on AWS. iirc the system needs to have a public DNS entry as
>>> well as access from the internet to work - i might be mistaken tho on
>>> this...
>>
>> I have LE certs for RFC 1918 addresses. The DNS server I use to validate is a public DNS server, but where
>> you use the cert is not relevant.
>>
> ah i hadn't thought of that - basically having a bastion host wrangle getting new certs, then you deploy them to the appropriate backend after the CSR is fulfilled? does the public server announce the rfc1918 address for a given host, or does it use a dummy public ip?
I use a dns hidden master, a certs jail, a certs website, and two small scripts to copy the certs around. Keys go manually.
This is an overview. More specific blog posts on each step also exist.
https://dan.langille.org/2017/07/04/acme-sh-getting-free-ssl-certificates-installation-configuration-on-freebsd/
I go with multiple jails, and three steps. Overkill for some situations, but you can reduce it all to one jail for LE.
Pretty diagram here: https://dan.langille.org/2017/07/15/introducing-anvil-tools-for-distributing-ssl-certificates/
anvil contains the scripts for cert distribution.
--
Dan Langille - BSDCan / PGCon
dan at langille.org
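Added example, not code from this thread, from acme.sh or from anvil: the DNS-01 computation from RFC 8555 section 8.4, which is what makes Dan's setup work. The CA only ever queries a TXT record at _acme-challenge.<name> in public DNS; the A record for the name can point at an RFC 1918 address or be absent, and the host itself is never contacted. The account key (an EC JWK with made-up x/y values), the challenge token and the simulated zone below are all constructed for the example, and the function names are my own.

```python
import base64
import hashlib
import json


def b64url(data):
    # RFC 8555 uses base64url with padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    # RFC 7638: required members only, keys sorted, no whitespace, SHA-256
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record(fqdn, token, account_jwk):
    # keyAuthorization = token || '.' || thumbprint(accountKey)
    key_auth = token + "." + jwk_thumbprint(account_jwk)
    # TXT value = base64url(SHA-256(keyAuthorization))
    txt_value = b64url(hashlib.sha256(key_auth.encode("ascii")).digest())
    owner = "_acme-challenge." + fqdn.rstrip(".") + "."
    return owner, txt_value


def ca_validates(fqdn, token, account_jwk, zone):
    # The CA side: resolve the TXT record and compare. It never looks at the
    # A record for fqdn and never connects to the host.
    owner, expected = dns01_record(fqdn, token, account_jwk)
    return expected in zone.get(("TXT", owner), [])


# Constructed account key; x/y are arbitrary base64url strings, not a real point
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructedXvalueAAAAAAAAAAAAAAAAAAAAAAAAAAA",
               "y": "constructedYvalueBBBBBBBBBBBBBBBBBBBBBBBBBBB"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token
PRIVATE_HOST = "db1.internal.example.org"


def publish_challenge(zone, fqdn, token, account_jwk):
    # What the hidden master does: add the TXT record to the public zone.
    owner, txt_value = dns01_record(fqdn, token, account_jwk)
    zone.setdefault(("TXT", owner), []).append(txt_value)
    return zone


def demo():
    # Public zone as constructed here: the only record for the private host is
    # an RFC 1918 address, which is fine because the CA ignores it.
    zone = {("A", PRIVATE_HOST + "."): ["10.20.30.40"]}
    publish_challenge(zone, PRIVATE_HOST, TOKEN, ACCOUNT_JWK)
    return ca_validates(PRIVATE_HOST, TOKEN, ACCOUNT_JWK, zone)


if __name__ == "__main__":
    owner, txt = dns01_record(PRIVATE_HOST, TOKEN, ACCOUNT_JWK)
    print("publish:", owner, "IN TXT", txt)
    print("validated:", demo())
```

Once the CA has seen the TXT record it is safe to remove it; the resulting certificate is an ordinary file and can be copied to the jail that terminates TLS on the private address, which is the distribution step anvil handles.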