Skip to content

Latest commit

 

History

History
130 lines (96 loc) · 4.71 KB

tls-2018-08-03.markdown

File metadata and controls

130 lines (96 loc) · 4.71 KB
Raw

TLS Configuration, last updated: Dec 17, 2021

Dark has many SSL certs and an elaborate history of using different cert providers over the years. This file should contain the important information about our current SSL setup: see the git history for anything else.

Today, we have the following certs, most of which are handled in cert-manager.

  • *.builtwithdark.com, builtwithdark.com: Cert-manager, automatically renewed.
  • static.darklang.com uses Google managed domains (it sits in front of a Cloud Storage bucket, so we can't use cert manager).
  • darklang.com and it's many subdomains (except static.darklang.com): Cert-manager, automatically renewed.
  • customer certs: Cert-manager (using k8s, see darkcustomdomain, other docs mentioning custom-domain). Some customer certs previously used Google-managed SSL, but no longer do.
  • darksa.com, *.darksa.com, darkstaticassets.com, *.darkstaticassets.com: Manually managed SSL cert bought from positive SSL. Needs to be renewed every year in January. The majority of this file is about these.

Our SSL provider is PositiveSSL, with the username [email protected]. In the past, we also used cloudflare, store.sectigo.com and secure.sectigo.com (which are different!)

Cert-manager

Most certificates use Cert-manager. This is a service we run ourselves in k8s, and it manages renewals via Lets Encrypt. We configure customer certs dynamically, adding them to the darkcustomdomain load balancer. We configure most of our certs statically, but cert-manager and Lets Encrypt automatically renew them and update the certs in the appropriate load balancers.

Dark static assets

(Note this does not apply to static.darklang.com, only darksa.com/darkstaticassets.com).

Dark's static assets product hosts assets at darksa.com. This is a Google Cloud Storage bucket, and it cannot be configured by cert-manager (despite some heroic attempts at using config connector). It also connect be configured via Google-managed SSL certs, because those do not allow wildcards.

Instead, we buy certs the old fashioned way: once a year, from Comodo, applying them manually to the load balancer. The following sections need to be done in order.

Buy a cert:

  • Go to the darklang PositiveSSL.com
  • Buy 1 "PositiveSSL DV Multi-Domain", with 1 extra wildcard for *.darksa.com

Create a CSR

Create a file called darksa.com.cnf:

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt=no

[req_distinguished_name]
C=US
ST=California
L=San Francisco
O=Dark Inc
CN=*.darksa.com
[ v3_req ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = darksa.com
DNS.2 = *.darkstaticassets.com
DNS.3 = darkstaticassets.com

(The subjectAltName bit is important, since we want to support all these domains (on one cert, cause it's cheaper))

To create the Certificate Signing Request:

openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout darksa.com.key -out darksa.com.csr -config darksa.com.cnf

This creates two files: darksa.com.key, a new 2048-bit RSA key (please don't lose this, it's important), and darksa.com.csr, the Certificate Signing Request.

Verify with PositiveSSL

  • Go to PositiveSSL dashboard, and click on the new cert.
  • Select "submit certificate request"
  • Paste the csr into the form
  • Fill in the domains on the form
  • Select DNS for all the options.
  • Add the DNS verification to our google cloud DNS
  • The cert will be send by email once the validation has completed

Create the cert

cat 668840050.crt 668840050.ca-bundle > darksa.crt

Store the .crt and .key files in 1Password.

Add the cert to Google

gcloud compute ssl-certificates create darksa-com-wildcard \
    --certificate=./darksa.com.crt --private-key=darksa.com.key \
    --description="darksa.com and *.darksa.com, issued by Comodo CA"

Add the cert to the loadbalancer

Validate it works