Let's Encrypt SSL #11

Open
sgrove opened this issue Nov 18, 2020 · 1 comment
Comments

@sgrove

sgrove commented Nov 18, 2020

I used Let's Encrypt (LE) to get a nice SSL cert for www.riseos.com (and riseos.com, though I really would like that to simply redirect to www. Someday I'll wrap up all the loose ends).

Going through the process wasn't too bad, but unfortunately it was a bit tedious with the current flow. To pass the automated LE checks, you're supposed to place a random string at a random URL (thus demonstrating that you have control over the domain and are therefore the likely owner). I thought I would do this by responding to the url in my existing OCaml app, but

  1. The deploy feedback cycle is just too long
  2. The SSL cert generated by make secrets doesn't work for the check.

In the end I simply switched the DNS records to point to my local machine, opened up my router, and copy/pasted the example python code. Because I use Route53, it was instantaneous. Then after a bit of mucking about with permissions, I copied fullchain1.pem -> secrets/server.pem, and privkey.pem -> secrets/server.key, fixed the DNS records, redeployed (now a single script on a local VM + a single script on an EC2 VM), et voilà, a working SSL site!

There are some problems with the Let's Encrypt certificate however. The JVM SSL libraries will throw an error when trying to connect to it, saying something like, "unable to find valid certification path to requested target". That transitively affects Apache HttpClient, and therefore clj-http. In the end, I had to pull the cert and insert it into the keystore.

As a side note, the deploy cycle is still too long, and still too involved, but it is hugely better than just a week or two ago. I expect to soon be able to remove the EC2 VM entirely, and to be able to run a full, unattended deploy from my VM - or even better, from CircleCI after every push to master. After those sets of paper cuts are healed, I want to do a full deploy on a fresh account, and get the time from initial example-mirage git checkout to running publicly accessible server (possibly with valid https cert) to under three minutes, on either EC2, Prgmr, or Google Cloud (or Linode/Digital Ocean if anyone knows how to get xen images booting there).
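The "random string at a random URL" check the post describes is ACME's HTTP-01 challenge: the CA fetches `/.well-known/acme-challenge/<token>` over plain HTTP and expects the body `<token>.<thumbprint of the account key>`. The following is an added example, not code from this post or from example-mirage, showing how that body is derived (RFC 7638 thumbprint), a minimal responder, and a local self-check to run before asking the CA to validate; the account JWK and token are constructed placeholders.

```python
import base64
import hashlib
import json
from http.server import BaseHTTPRequestHandler


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: canonical JSON of the required members only, SHA-256, base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the CA must read back: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


def validator_would_accept(path: str, body: str, token: str, jwk: dict) -> bool:
    """Self-check mirroring the CA: right path and body (trailing whitespace tolerated)."""
    return path == challenge_path(token) and body.strip() == key_authorization(token, jwk)


def make_handler(token: str, jwk: dict):
    """Responder that serves only the challenge path; everything else is a 404."""
    expected_path, body = challenge_path(token), key_authorization(token, jwk).encode("ascii")

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != expected_path:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler


# Constructed sample account key (public members only) and token; not a real ACME account.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "AQABAQABAQABconstructed"}
SAMPLE_TOKEN = "constructed-token-value"
```

To serve it, bind `HTTPServer(("", 80), make_handler(SAMPLE_TOKEN, SAMPLE_JWK))` once DNS points at the host; the CA fetches on port 80 over HTTP, which is why the HTTPS cert from make secrets plays no part in the check.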

@sgrove sgrove added the Publish Add this label to an issue to publish it on the blog label Nov 18, 2020
@sgrove sgrove self-assigned this Nov 18, 2020
@oneblog-bot

View your post at https://sgrove.essay.dev/post/11/lets-encrypt-ssl
