SSL Certificates SOP
Every now and then you will need to work with SSL certificates for a Fedora service.
Creating a CSR for a new server
Know your hostname, e.g. lists.fedoraproject.org:
export ssl_name=<fqdn of host>
Create the key and the CSR. An 8192-bit key does not work with various boxes, so we currently use 4096.
openssl genrsa -out ${ssl_name}.pem 4096
openssl req -new -key ${ssl_name}.pem -out ${ssl_name}.csr
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NM
Locality Name (eg, city) [Default City]:Raleigh
Organization Name (eg, company) [Default Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:Fedora Project
Common Name (eg, your name or your server's hostname) []:lists.fedorahosted.org
Email Address []:admin@fedoraproject.org
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Send the CSR to the signing authority and wait for a cert. Place all three (key, CSR and cert) into the private directory so that you can make certs in the future.
Creating a temporary self-signed certificate
Repeat the steps above but add the following:
openssl x509 -req -days 30 -in ${ssl_name}.csr -signkey ${ssl_name}.pem -out ${ssl_name}.cert
Signature ok
subject=/C=US/ST=NM/L=Raleigh/O=Red Hat/OU=Fedora Project/CN=lists.fedorahosted.org/emailAddress=admin@fedoraproject.org
Getting Private key
We only want a self-signed certificate to be good for a short time so 30 days sounds good.
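The key, CSR and temporary self-signed certificate steps above, as an added shell example (not part of the Fedora infrastructure SOP): it answers the openssl prompts non-interactively with -subj, then checks the CSR before it is sent off (that the CN is the hostname you meant and that the CSR really belongs to the key you will keep), and confirms the self-signed cert is short-lived. The hostname example.fedoraproject.org, the output directory and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the SOP's own code. Requires the openssl CLI.
set -e

# make_csr <fqdn> <outdir>: write <fqdn>.pem (private key) and <fqdn>.csr into <outdir>.
make_csr() {
    ssl_name="$1"
    dir="${2:-.}"
    # 4096 bits: the SOP notes that 8192 does not work on various boxes.
    openssl genrsa -out "${dir}/${ssl_name}.pem" 4096 2>/dev/null
    # -subj supplies the answers the interactive prompts would ask for;
    # -batch stops openssl from asking anything else (challenge password etc.).
    openssl req -new -batch \
        -key "${dir}/${ssl_name}.pem" \
        -subj "/C=US/ST=NM/L=Raleigh/O=Red Hat/OU=Fedora Project/CN=${ssl_name}/emailAddress=admin@fedoraproject.org" \
        -out "${dir}/${ssl_name}.csr"
}

# self_sign <fqdn> <outdir> [days]: temporary self-signed cert for the same key.
# Defaults to 30 days, as the SOP recommends for a stop-gap cert.
self_sign() {
    ssl_name="$1"
    dir="${2:-.}"
    days="${3:-30}"
    openssl x509 -req -days "$days" \
        -in "${dir}/${ssl_name}.csr" \
        -signkey "${dir}/${ssl_name}.pem" \
        -out "${dir}/${ssl_name}.cert" 2>/dev/null
}

# csr_cn <csrfile>: print the commonName in the CSR, so a typo is caught before
# the request goes to the signing authority.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p'
}

# key_matches_csr <keyfile> <csrfile>: succeed only if the CSR carries the public
# half of this private key (i.e. you are keeping the right .pem for the cert).
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

# cert_valid_for <certfile> <seconds>: succeed if the cert does not expire
# within <seconds>; used to confirm a self-signed cert really is short-lived.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Stand-alone usage: ./mkcsr.sh <fqdn> [outdir]
if [ $# -ge 1 ]; then
    make_csr "$1" "${2:-.}"
    echo "CSR commonName: $(csr_cn "${2:-.}/$1.csr")"
    key_matches_csr "${2:-.}/$1.pem" "${2:-.}/$1.csr" && echo "key and CSR match"
fi
```

Sourcing the file and calling make_csr followed by self_sign reproduces the SOP's two sections; csr_cn and key_matches_csr are the checks worth running before a CSR leaves the box, since a CSR signed for the wrong name or generated from a key you later lose is the usual way this procedure goes wrong.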
Renew an SSL certificate
To renew the SSL certificate for an existing service, run the Ansible playbook from batcave:
ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t <name_of_service>
For example:
ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t release-monitoring.org
This will renew the certificates for the service and deploy them on the proxies. If some proxies
fail during the run, just run the playbook again, limiting it to the proxy that failed.
For example, if the previous run failed on proxy01,
you can run the playbook again like this:
ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t release-monitoring.org -l proxy01\*
This will run the playbook only for proxy01.