services/create_ssl_certs.md
Lines changed: 79 additions & 63 deletions
@@ -3,136 +3,153 @@
3
3
## Creating TLS Certificates
4
4
5
5
### For sites on the .princeton.edu domain
6
+
6
7
1. You can create auto-renewing certificates and keys directly on the load balancers for sites in the .princeton.edu domain. You can create a single certificate and key with [playbooks/incommon_certbot.yml](https://github.com/pulibrary/princeton_ansible/blob/main/playbooks/incommon_certbot.yml) or create a single certificate with multiple names and keys with [playbooks/incommon_certbot_multi.yml](https://github.com/pulibrary/princeton_ansible/blob/main/playbooks/incommon_certbot_multi.yml)
7
8
8
9
1. You will need to run the above playbook on each load balancer sequentially
9
10
1. If the certificate already exists you will need to revoke it before running your chosen playbook
10
11
11
12
### For sites outside the Princeton domain
13
+
12
14
1. Create a new entry under [sites](https://github.com/pulibrary/princeton_ansible/blob/dac77a6c2e0f1301201c9b2a63b9ebead5f7b7ac/group_vars/nginxplus/production.yml#L16)
13
15
2. Run the [nginxplus playbook](https://github.com/pulibrary/princeton_ansible/blob/main/playbooks/nginxplus.yml)
14
16
3. Your TLS/SSL cert will be on the production loadbalancer
15
17
4. Verify the files you get back and add them to your server configuration.
16
18
17
19
## Verifying certbot certificate renewals
20
+
18
21
To verify that a certificate on a server will auto-renew:
This command checks all certs that certbot knows about on that server.
23
26
24
27
## Viewing certificates in Sectigo
28
+
25
29
Our certificate management system is Sectigo. Operations folks can [log into Sectigo](https://cert-manager.com/customer/InCommon) using their alias email accounts and individual passwords. We can view certificate status there, but we cannot revoke or renew certificates there.
26
30
27
31
## Manually managed certs list
28
32
29
33
These certs are not managed by our usual process. These certs cover:
34
+
30
35
- sites we do not serve from the load balancers
31
36
- vendor-hosted sites with the '.princeton.edu' extension
37
+
32
38
Many of these certs must be deployed manually. Some must also be renewed manually. If a private key is kept in princeton_ansible, it is encrypted as a file in the `/keys/` directory of the repo.
33
39
34
40
cicognara.org
35
-
Purpose: public site for the Cicognara collection (a collaborative project)
Purpose: secures dataset downloads from a separate server for DSS via a web browser
56
-
Managed: in ServiceNow - John will move to letsencrypt
57
-
Deployed: on the dss2 CentOS VM
58
-
Notes: cannot be a SAN name for the main DSS cert, because we only want to secure this functionality on one machine - can be tricky to maintain because server access requires signing nondisclosure agreements (for protected data)
61
+
*Purpose: secures dataset downloads from a separate server for DSS via a web browser
62
+
*Managed: in ServiceNow - John will move to letsencrypt
63
+
*Deployed: on the dss2 CentOS VM
64
+
*Notes: cannot be a SAN name for the main DSS cert, because we only want to secure this functionality on one machine - can be tricky to maintain because server access requires signing nondisclosure agreements (for protected data)
59
65
60
66
ezproxy.princeton.edu
61
-
Purpose: allows access to journals by confirming Princeton affiliation
62
-
Managed: on ezproxy-prod1 by letsencrypt
63
-
Deployed: in /etc/letsencrypt/live/ezproxy on the ezproxy-prod1 server
67
+
*Purpose: allows access to journals by confirming Princeton affiliation
68
+
*Managed: on ezproxy-prod1 by letsencrypt
69
+
*Deployed: in /etc/letsencrypt/live/ezproxy on the ezproxy-prod1 server
64
70
65
71
imagecat2.princeton.edu
66
-
Philippe will shut down the server once he has copied whatever we need from it. Once it's gone, we can revoke the cert.
72
+
*Philippe will shut down the server once he has copied whatever we need from it. Once it's gone, we can revoke the cert.
67
73
68
74
lib-aeon.princeton.edu
69
-
Purpose: redirects traffic to hosted Aeon service at https://princeton.aeon.atlas-sys.com
70
-
Managed: for new site by the vendor
71
-
Deployed: to new site by the vendor
72
-
Notes: We would like to redirect the old URL on the load balancers and power off the old lib-aeon machine. The templates for printing Aeon call slips, which used to live on the lib-aeon machine, have been moved to a fileshare called aeonprint on lib-fileshare.
75
+
*Purpose: redirects traffic to hosted Aeon service at <https://princeton.aeon.atlas-sys.com>
76
+
*Managed: for new site by the vendor
77
+
*Deployed: to new site by the vendor
78
+
*Notes: We would like to redirect the old URL on the load balancers and power off the old lib-aeon machine. The templates for printing Aeon call slips, which used to live on the lib-aeon machine, have been moved to a fileshare called aeonprint on lib-fileshare.
73
79
74
80
lib-gisportal.princeton.edu
75
-
Purpose: for maps (Wangyal)
76
-
Managed: in ServiceNow
77
-
Deployed: in IIS on a physical machine that runs MS HyperV virtualization - cluster of lib-geoserv1 and lib-geoserv2 (not the Lib-Gisportal2 VM) server
78
-
Notes: windows physical machine, you must be an admin on the Windows box, expires 2024/07/30
81
+
*Purpose: for maps (Wangyal)
82
+
*Managed: in ServiceNow
83
+
*Deployed: in IIS on a physical machine that runs MS HyperV virtualization - cluster of lib-geoserv1 and lib-geoserv2 (not the Lib-Gisportal2 VM) server
84
+
*Notes: windows physical machine, you must be an admin on the Windows box, expires 2024/07/30
79
85
80
86
lib-illsql.princeton.edu
81
-
Purpose: interlibrary loan
82
-
Managed: in ServiceNow
83
-
Deployed: in IIS, on the lib-illiad-new VM
84
-
Notes: Windows VM; cert has a SAN name of lib-illiad.princeton.edu; we hope to migrate this to a hosted platform in 2024
87
+
*Purpose: interlibrary loan
88
+
*Managed: in ServiceNow
89
+
*Deployed: in IIS, on the lib-illiad-new VM
90
+
*Notes: Windows VM; cert has a SAN name of lib-illiad.princeton.edu; we hope to migrate this to a hosted platform in 2024
85
91
86
92
libserv97.princeton.edu
87
-
Purpose: Philippe's test machine, may disappear in 2024
88
-
Managed: in ServiceNow
89
-
Deployed: directly on the libserv97 VM (dev environment)
93
+
*Purpose: Philippe's test machine, may disappear in 2024
94
+
*Managed: in ServiceNow
95
+
*Deployed: directly on the libserv97 VM (dev environment)
Deployed: on Google cloud at pulmirror.princeton.edu
118
+
*Purpose: distributing Ubuntu packages
119
+
*Managed: Via [Lego](lego.md)
120
+
*Deployed: on Google cloud at pulmirror.princeton.edu
114
121
115
122
recapgfa.princeton.edu
116
-
Purpose: ReCAP inventory management system
117
-
Managed: by ACME directly on the VM
118
-
Deployed: N/A - it automatically renews
123
+
* Purpose: ReCAP inventory management system
124
+
* Managed: by ACME directly on the VM
125
+
* Deployed: N/A - it automatically renews
126
+
127
+
scsb.recaplib.org
128
+
* Purpose: external hosted service for research collections
129
+
* Managed: on DNSimple and Vendor's AWS Certificate Manager
130
+
* Deployed: by vendor and CNAME validation on DNSimple
119
131
120
132
simrisk.pulcloud.io
121
-
Purpose: experimental application for CDH
122
-
Managed: on staging.pulcloud.io by acme-client contacting letsencrypt CA
123
-
Deployed: in /etc/ssl/simrisk.pulcloud.io.fullchain.pem on the staging.pulcloud.io server
124
-
Maintained using `/etc/daily.local` as root
133
+
*Purpose: experimental application for CDH
134
+
*Managed: on staging.pulcloud.io by acme-client contacting letsencrypt CA
135
+
*Deployed: in /etc/ssl/simrisk.pulcloud.io.fullchain.pem on the staging.pulcloud.io server
136
+
*Maintained using `/etc/daily.local` as root
125
137
126
138
tigris.princeton.edu
127
-
Purpose: hosted service for University Records management
128
-
Managed: in ServiceNow, private key is in princeton_ansible
129
-
Deployed: by vendor; to update, email a .pfx file of the cert to [email protected]
139
+
* Purpose: hosted service for University Records management
140
+
* Managed: in ServiceNow, private key is in princeton_ansible
141
+
* Deployed: by vendor; to update, email a .pfx file of the cert to <[email protected]>
142
+
143
+
### scsb
144
+
145
+
If ever there is a change in the application vendor will provide CNAME which can be added to DNSimple configuration
130
146
131
147
#### Tigris
132
148
133
149
In July of every year [tigris.princeton.edu](tigris.princeton.edu) will get an automatic renewal. The following steps will be needed to ensure the certificate remains renewed.
134
-
* Open a ticket with tigris (aka Gimmal) support at [email protected] and ask who should receive the new chained file.
135
-
* You will need the [vaulted private key](https://github.com/pulibrary/princeton_ansible/blob/main/keys/tigris_princeton_edu_priv.key) and the certificate and intermediate certificate to generate a pfx file that you will ship to the vendor
150
+
151
+
- Open a ticket with tigris (aka Gimmal) support at <[email protected]> and ask who should receive the new chained file.
152
+
- You will need the [vaulted private key](https://github.com/pulibrary/princeton_ansible/blob/main/keys/tigris_princeton_edu_priv.key) and the certificate and intermediate certificate to generate a pfx file that you will ship to the vendor
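Review bot: most of the converted entries use `*Purpose:`, `*Managed:`, `*Deployed:`, `*Notes:` with no space after the asterisk (the DSS, ezproxy, imagecat2, lib-aeon, lib-gisportal, lib-illsql, libserv97, pulmirror and simrisk blocks), and Markdown does not treat `*` followed directly by text as a list marker, so those lines will render as run-on paragraphs with stray asterisks rather than as the bullet lists the change is clearly after; only recapgfa, scsb and tigris get `* ` with a space, and the Tigris steps switch to `- `. Pick one marker with a trailing space and use it for every entry, e.g. `- Purpose: ...`, `- Managed: ...`, `- Deployed: ...`. Two smaller points in the same hunk: the added `### scsb` heading is one level above the existing `#### Tigris` although both are per-certificate sub-sections of the same list, so the levels should match; and the added scsb sentence needs punctuation to read correctly, e.g. "If there is ever a change in the application, the vendor will provide a CNAME, which can be added to the DNSimple configuration."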
@@ -146,5 +163,4 @@ This will generate a chained file. You will be prompted for a password in the ne
146
163
147
164
Send the resulting file to the tigris support folks via [the Secure Send Portal](https://securesend.princeton.edu/#/) along with the password used above
148
165
149
-
150
166
[1] Subject Alternative Names are used when multiple domains share the same certificate as shown 
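Review bot: "Send the resulting file ... along with the password used above" has the .pfx and the password that protects it travelling through the same Secure Send transfer, and the .pfx bundles the tigris private key, so the password alone is what stands between anyone who intercepts that transfer and the key; reword the step so the password is communicated to the vendor through a separate channel from the file. Also, the trailing footnote `[1] Subject Alternative Names are used when multiple domains share the same certificate as shown` appears to stop mid-sentence in this context line; confirm the sentence is complete in the file.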