TLS certificates

What is the correct way to deploy my own TLS certificates to the server? I've got it working via a hack but I'd love to know if there's a correct way to do it using an Ansible playbook or other script.
Thanks!

Hi Ed

You can use the letsencrypt_cert.yaml playbook as described here: https://dimagi.github.io/commcare-cloud/howto/enable-https.html

Hey Simon, thanks for the response. Just to be clear, I'm wanting to use my own certificates, not a letsencrypt cert.

Thanks!

Hey Ed

You can copy your certificate into your vault file.

In the vault, create a block such as:

ssl_secrets:
  certs:
    my_site: |
      -----BEGIN CERTIFICATE-----
      ...
  private_keys: 
    my_site: |
      ...

Then in your proxy.yml, set nginx_combined_cert_value and nginx_key_value to those values:

nginx_combined_cert_value: "{{ ssl_secrets.certs.my_site }}"
nginx_key_value: "{{ ssl_secrets.private_keys.my_site }}"

Hi Ed

What @Jon_Emord has said used to be true but we have since removed support for that method. I'm looking to see how hard it would be to add it back.

I've restored the tasks that put the certificate files in the correct places: restore tasks for custom certs by snopoke · Pull Request #3163 · dimagi/commcare-cloud · GitHub

If you update commcare-cloud and follow Emord's suggestions it should put the cert / key in the places expected by nginx.


Thanks Simon and Jon, will try that and revert. Appreciate the effort!
Ed

An update on these instructions - I managed to get it working and had a couple of tips that might help others:

The format of the block in the vault used for the certificate requires each line of the certificate and PK data to be indented:

ssl_secrets:
  certs:
    my_site: |
      -----BEGIN CERTIFICATE-----
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      -----END CERTIFICATE-----
  private_keys: 
    my_site: |
      -----BEGIN PRIVATE KEY-----
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      -----END PRIVATE KEY-----

Also, when running the deploy_proxy playbook, it failed consistently the first time it was run (the check passes fine), at this step and with this error:

RUNNING HANDLER [nginx : check nginx configuration] *********************************************************************************************************************

fatal: [197.211.237.144]: FAILED! => {"changed": true, "cmd": "nginx -t", "delta": "0:00:00.020224", "end": "2019-09-04 10:59:14.553887", "failed_when_result": true, "msg": "non-zero return code", "rc": 1, "start": "2019-09-04 10:59:14.533663", "stderr": "nginx: [emerg] cannot load certificate key \"/etc/pki/tls/private/monolith_nginx_commcarehq.org.key\": PEM_read_bio_PrivateKey() failed (SSL: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode)\nnginx: configuration file /etc/nginx/nginx.conf test failed", "stderr_lines": ["nginx: [emerg] cannot load certificate key \"/etc/pki/tls/private/monolith_nginx_commcarehq.org.key\": PEM_read_bio_PrivateKey() failed (SSL: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode)", "nginx: configuration file /etc/nginx/nginx.conf test failed"], "stdout": "", "stdout_lines": []}

Running the same playbook again succeeds.

EDIT
This failure may relate to an older private key (already written to disk) that was indeed in the wrong format. That said, it's not clear why, after updating the vault with the correct key, it fails on first deploy but not on second.
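As an added example (not code from commcare-cloud or from any poster in this thread), here is a standard-library-only Python pre-flight check that covers the two things that went wrong above: a PEM line pasted into the vault without the indentation the `my_site: |` literal block needs, and a key body that OpenSSL cannot decode (the "bad base64 decode" nginx -t reports). `block_scalar` mimics the YAML rule that matters, namely that content lines must be indented deeper than the key and a less-indented line ends the block; `pem_problems` lints the extracted text for the framing errors that produce PEM_read_bio_PrivateKey() failures. The vault layout and the names ssl_secrets, certs, private_keys and my_site are taken from the thread; the certificate and key bodies are constructed dummy base64, not real key material, and the sample vault snippets are constructed for the example.

```python
"""Pre-flight checks for PEM material pasted into an Ansible vault as a YAML
literal block (`my_site: |`). Standard library only; no PyYAML needed."""
import base64
import re

# Five dashes on each side of the label; anything else is not a PEM boundary.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z ]+)-----",
    re.DOTALL,
)


def block_scalar(yaml_text: str, path: tuple) -> str:
    """Return the value of a `key: |` literal block found at a mapping path.

    Mimics the YAML indentation rule that bites here: content lines must be
    indented deeper than the key, and a less-indented line ends the block.
    (Real YAML would then choke on the leftover line; either way the PEM is
    truncated.)"""
    lines = yaml_text.splitlines()
    pos, parent_indent = 0, -1
    for depth, name in enumerate(path):
        want = f"{name}: |" if depth == len(path) - 1 else f"{name}:"
        for j in range(pos, len(lines)):
            stripped = lines[j].strip()
            if not stripped:
                continue
            indent = len(lines[j]) - len(lines[j].lstrip())
            if indent <= parent_indent:  # dedented past the parent mapping
                raise KeyError(f"{name!r} not found under {path[:depth]!r}")
            if stripped == want:
                pos, parent_indent = j + 1, indent
                break
        else:
            raise KeyError(f"{name!r} not found")
    body, content_indent = [], None
    for line in lines[pos:]:
        if not line.strip():
            body.append("")
            continue
        indent = len(line) - len(line.lstrip())
        if indent <= parent_indent:
            break  # a flush-left PEM line lands here and ends the block early
        if content_indent is None:
            content_indent = indent
        elif indent < content_indent:
            raise ValueError("line less indented than the first line of the block")
        body.append(line[content_indent:])
    return "\n".join(body).rstrip("\n") + "\n"


def pem_problems(pem: str) -> list:
    """Return the problems found in one PEM blob; [] means OpenSSL should load it."""
    problems = []
    if "\r" in pem:
        problems.append("CRLF line endings")
    m = PEM_RE.search(pem)
    if not m:
        problems.append("no complete BEGIN/END block: truncated, or a dash count "
                        "other than five around the labels")
        return problems
    begin, body, end = m.groups()
    if begin != end:
        problems.append(f"BEGIN label {begin!r} differs from END label {end!r}")
    if pem[: m.start()].strip():
        problems.append("text before the BEGIN line")
    if pem[m.end():].strip():
        problems.append(f"text after the END line: {pem[m.end():].strip()[:16]!r}")
    for n, line in enumerate(body.splitlines(), start=2):
        if line != line.strip():
            problems.append(f"line {n}: leading/trailing whitespace in the base64 body")
    try:
        base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        problems.append("body is not valid base64 (what nginx reports as 'bad base64 decode')")
    return problems


# Constructed sample data: dummy base64 bodies, not real certificates or keys.
CERT_LINE = "MIIB" + "A" * 60
KEY_LINE = "MIIE" + "B" * 60
VAULT_OK = f"""\
ssl_secrets:
  certs:
    my_site: |
      -----BEGIN CERTIFICATE-----
      {CERT_LINE}
      {CERT_LINE}
      -----END CERTIFICATE-----
  private_keys:
    my_site: |
      -----BEGIN PRIVATE KEY-----
      {KEY_LINE}
      {KEY_LINE}
      -----END PRIVATE KEY-----
"""
# Same vault, but the second line of the key was pasted without indentation.
VAULT_MISINDENTED = VAULT_OK.replace(
    f"      {KEY_LINE}\n      {KEY_LINE}", f"      {KEY_LINE}\n{KEY_LINE}", 1)
# A key whose END line carries six dashes, and one still holding the "..." placeholder.
SIX_DASH_KEY = f"-----BEGIN PRIVATE KEY-----\n{KEY_LINE}\n-----END PRIVATE KEY------\n"
PLACEHOLDER_KEY = "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for label, text in (("ok", VAULT_OK), ("misindented", VAULT_MISINDENTED)):
        key = block_scalar(text, ("ssl_secrets", "private_keys", "my_site"))
        print(label, pem_problems(key) or "looks loadable")
    print("six dashes", pem_problems(SIX_DASH_KEY))
    print("placeholder", pem_problems(PLACEHOLDER_KEY))
```

Run it against the decrypted vault text before deploying (ansible-vault view, piped to a file the script reads) so that a copy-paste slip surfaces here rather than in the nginx handler, where the failure leaves nginx with an unusable key file on disk.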