|
1 | | -# Certbot [](LICENSE) |
| 1 | +# Certbot [](LICENSE) [](https://github.com/bcgov/repomountie/blob/master/doc/lifecycle-badges.md) |
2 | 2 |
|
3 | | -Automatically update TLS Certificates on OpenShift Routes |
4 | | - |
5 | | -- [Assumptions](#assumptions) |
6 | | -- [Solution](#solution) |
7 | | -- [Installation](#installation) |
8 | | -- [Manual Run](#manual-run) |
9 | | -- [Cleanup](#cleanup) |
10 | | -- [Entrust Usage](#entrust-usage) |
11 | | -- [Tips](#tips) |
12 | | -- [References](#references) |
13 | | -- [License](#license) |
14 | | - |
15 | | -## Assumptions |
16 | | - |
17 | | -- Using <https://letsencrypt.org/> for issuing certificates |
18 | | -- Using <https://certbot.eff.org/> for managing (create/renew) certificates |
19 | | -- Run inside OpenShift |
20 | | - |
21 | | -## Solution |
22 | | - |
23 | | -- Create a OpenShift `CronJob` which will run on a regular schedule for renewing TLS certificate if required. |
24 | | - - The `CronJob` will manage a set of required `Service` and `Route`s objects. |
25 | | - - The `CronJob` manages certificates of all routes with a label `certbot-managed=true` |
26 | | - - One certificate will be issued/renewed for all the managed hosts/domains. |
27 | | -- If a cert is created/renewed, apply the new certificate to the related routes |
28 | | - |
29 | | -## Installation |
30 | | - |
31 | | -1. Point to the appropriate namespace (usually tools) |
32 | | - |
33 | | - ``` sh |
34 | | - export NAMESPACE=<YOURNAMESPACE> |
35 | | - |
36 | | - oc project $NAMESPACE |
37 | | - ``` |
38 | | - |
39 | | -1. Install `certbot.bc.yaml` to create the required build objects. |
40 | | - _Note: If the build fails, make sure your namespace contains an NSP allowing '@app:k8s:serviceaccountname=builder' (OCP builders) to access 'ext:network=any' (egress internet)_ |
41 | | - |
42 | | - This template accepts the following parameters (add with -p to the `oc process` command): |
43 | | - |
44 | | - | Parameter | Default Value | Description | |
45 | | - | --- | --- | --- | |
46 | | - | `GIT_REF` | `master` | Git Pull Request or Branch Reference (i.e. 'pull/CHANGE_ID/head') | |
47 | | - | `GIT_URL` | `https://github.com/BCDevOps/certbot.git` | Git Repository URL | |
48 | | - |
49 | | - ``` sh |
50 | | - oc process -n $NAMESPACE -f "https://raw.githubusercontent.com/BCDevOps/certbot/master/openshift/certbot.bc.yaml" | oc apply -n $NAMESPACE -f - |
51 | | - ``` |
| 3 | +[](https://hub.docker.com/r/bcgovimages/certbot) |
| 4 | +[](https://hub.docker.com/r/bcgovimages/certbot) |
| 5 | +[](https://hub.docker.com/r/bcgovimages/certbot) |
52 | 6 |
|
53 | | -1. Install `certbot.dc.yaml` to create the CronJob and supporting objects (NSP, ServiceAccount, RoleBinding, PVC, etc). |
54 | | - This template accepts the following parameters (add with -p to the `oc process` command): |
55 | | - |
56 | | - | Parameter | Default Value | Description | |
57 | | - | --- | --- | --- | |
58 | | - | `CERTBOT_CRON_SCHEDULE` | `0 */12 * * *` | Cronjob Schedule | |
59 | | - | `CERTBOT_STAGING` | `false` (must be `false` for [Entrust](#entrust-usage)) | Self-signed cert renewals | |
60 | | - | `CERTBOT_SUSPEND_CRON` | `false` | Suspend cronjob | |
61 | | - | `CERTBOT_SERVER` | `https://acme-v02.api.letsencrypt.org/directory` (for BC Gov SSL, see [Entrust](#entrust-usage)) | ACME Certbot endpoint | |
62 | | - | `DRYRUN` | `false` | Run without executing | |
63 | | - | `DEBUG` | `false` | Debug mode | |
64 | | - | `DELETE_ACME_ROUTES` | `true` | Self cleanup temporary ACME routes when done | |
65 | | - | `SUBSET` | `true` | Allow domain validation to pass if a subset of them are valid | |
66 | | - | `EMAIL` | For [Entrust](#entrust-usage), Product Owner's `@gov.bc.ca` is suggested | Email where CSR requests are sent to | |
67 | | - | `NAMESPACE` | | Openshift Namespace | |
68 | | - | `IMAGE_REGISTRY` | `image-registry.openshift-image-registry.svc:5000` | Openshift Image Registry | |
69 | | - | `SOURCE_IMAGE_NAME` | `certbot` | Image Name | |
70 | | - | `TAG_NAME` | `latest` | Image Tag | |
71 | | - |
72 | | - - For non-prod environments, you may set `CERTBOT_STAGING=true`, so you don't hit any service limits at Let's Encrypt. |
73 | | - - By default, this template will use Let's Encrypt for certificate generation. If you are just testing, you may use Let's Encrypt testing endpoint `https://acme-staging-v02.api.letsencrypt.org/directory` to avoid being rate limited. |
74 | | - - For your production applications, we strongly recommend **NOT** using Let's Encrypt certificates. Contact your ministry/department to determine best practices for production SSL/TLS certificate management. |
75 | | - - If you are using a certificate provider that gives you extra domains on top of what you have requested (like Entrust), you should make sure that the `SUBSET` option is set to true. Otherwise certificate renewals will always fail because their extra domain will never be managed on our end and choke. If you require stringent domain validation, set `SUBSET` to false explicitly. |
76 | | -
|
77 | | - ``` sh |
78 | | - export CERTBOT_SERVER=<YOURCERTBOTSERVER> |
79 | | - export EMAIL=<some-valid@email.com> |
80 | | -
|
81 | | - oc process -n $NAMESPACE -f "https://raw.githubusercontent.com/BCDevOps/certbot/master/openshift/certbot.dc.yaml" -p EMAIL=$EMAIL -p NAMESPACE=$NAMESPACE -p CERTBOT_SERVER=$CERTBOT_SERVER | oc apply -n $NAMESPACE -f - |
82 | | - ``` |
83 | | -
|
84 | | - _PS: You MUST supply a valid email address!_ |
85 | | -
|
86 | | -To include this cronjob in your pipeline, it is recommended that you copy `certbot.bc.yaml` and `certbot.dc.yaml` to your appliciton project. The build config will point back to this repo to include the latest changes to the contents of the docker folder. _Note: If you are using BCDK, there is a bug in it that requires you to have a "docker" folder in your repo._ |
87 | | -
|
88 | | -## Manual Run |
89 | | -
|
90 | | -If you need to run the CronJob manually, you can do that by running: |
91 | | -
|
92 | | -``` sh |
93 | | -# Delete any previous manual Jobs created |
94 | | -# Note: When there are no jobs to delete, you will get an error for oc delete. |
95 | | -oc get job -n $NAMESPACE -o name | grep -F -e '-manual-' | xargs oc delete -n $NAMESPACE |
96 | | -
|
97 | | -# Create a Job |
98 | | -oc create job -n $NAMESPACE "certbot-manual-$(date +%s)" --from=cronjob/certbot |
99 | | -``` |
100 | | -
|
101 | | -## Cleanup |
102 | | -
|
103 | | -To remove certbot from your namespace, run the following commands. All build related manifests will have a `build=certbot` label, and all cronjob application related manifests will have an `app=certbot` label. |
| 7 | +Automatically update TLS Certificates on OpenShift Routes |
104 | 8 |
|
105 | | -``` sh |
106 | | -export NAMESPACE=<YOURNAMESPACE> |
| 9 | +To learn more about the **Common Services** available visit the [Common Services Showcase](https://bcgov.github.io/common-service-showcase/) page. |
107 | 10 |
|
108 | | -# Delete all manifests generated by certbot.dc.yaml |
109 | | -oc delete cronjob,pvc,rolebinding,sa -n $NAMESPACE --selector app=certbot |
| 11 | +## Directory Structure |
110 | 12 |
|
111 | | -# Delete all manifests generated by certbot.dc.yaml |
112 | | -oc delete all -n $NAMESPACE --selector build=certbot |
| 13 | +```txt |
| 14 | +.github/ - PR and Issue templates |
| 15 | +docker/ - Certbot application Root |
| 16 | +openshift/ - OpenShift-deployment files |
| 17 | +CODE-OF-CONDUCT.md - Code of Conduct |
| 18 | +COMPLIANCE.yaml - BCGov PIA/STRA compliance status |
| 19 | +CONTRIBUTING.md - Contributing Guidelines |
| 20 | +LICENSE - License |
| 21 | +SECURITY.md - Security Policy and Reporting |
113 | 22 | ``` |
114 | 23 |
|
115 | | -## Entrust Usage |
116 | | -
|
117 | | -Entrust is the only approved certificate provider for BC Gov production environments currently. There are a few extra steps required to request certificates from Entrust instead of Let's Encrypt. |
118 | | - |
119 | | -1. Start by creating the deployment config found in the [Installation](#installation) section |
120 | | - |
121 | | -1. Modify the `CERTBOT_SERVER` parameter in the deployment config to use Entrust |
122 | | - |
123 | | - | Parameter | Default Value | Description | |
124 | | - | --- | --- | --- | |
125 | | - | `CERTBOT_SERVER` | `https://www.entrust.net/acme/api/v1/directory/xx-xxxx-xxxx` | Where `xx-xxxx-xxxx` is the directory ID. This value may vary between different ministry organizations. Please contact your organization to determine this value. | |
126 | | - |
127 | | -1. Make sure `CERTBOT_STAGING` is set to `false`. The Entrust server does not have a staging mode |
128 | | - |
129 | | -1. If the Certbot job was previously ran on the same route using Let's Encrypt server then you will need to delete the existing PVC. This will remove old Let's Encrypt files and a new PVC will be created on the next step |
130 | | - |
131 | | -1. Apply the deployment config and run the job manually or by cron trigger. The job logs will display it has failed to obtain the certificates and the route will remain unmodified. This is normal because the request still needs to be approved by your ministry first |
132 | | - |
133 | | -1. In the `EMAIL` inbox you should receive an email from `auto-notice@entrust.com` containing a `Tracking ID`. |
134 | | - |
135 | | -1. At this point you need the appropriate group in your ministry to create an iStore order to approve the certificate request. For NRM teams, please have your PO create a [Service Desk](https://apps.nrs.gov.bc.ca/int/jira/servicedesk/customer/portal/1) request containing the following information. |
136 | | - - Domain for the certificate |
137 | | - - Entrust Tracking ID |
138 | | - - iStore Coding |
139 | | - - Expense Authority |
140 | | - - [Example Service Desk Ticket](https://apps.nrs.gov.bc.ca/int/jira/servicedesk/customer/portal/1/SD-26581) |
141 | | - |
142 | | -1. Once the iStore order has been created you should receive another email from `auto-notice@entrust.com` letting you know the request has been approved |
143 | | - |
144 | | -1. Re-run the job and Certbot should obtain the certificates and install them successfully |
145 | | - |
146 | | -## Tips |
147 | | - |
148 | | -1. If you are going to setup automatic cert renewals for the first time, backup "Certficate", "Private Key" and "CA Certificate" contents from your route. |
149 | | -1. List your cron jobs |
150 | | - |
151 | | - ``` sh |
152 | | - export NAMESPACE=<YOURNAMESPACE> |
153 | | -
|
154 | | - oc get -n $NAMESPACE cronjob |
155 | | - ``` |
156 | | - |
157 | | -1. To describe your cron job |
158 | | - |
159 | | - ``` sh |
160 | | - export NAMESPACE=<YOURNAMESPACE> |
161 | | -
|
162 | | - oc describe -n $NAMESPACE cronjob/certbot |
163 | | - ``` |
164 | | - |
165 | | -1. To see your cron jobs in Openshift GUI: Resources > Other Resources > Job |
166 | | -1. To access the logs for cron jobs in Openshift GUI: Monitoring > Uncheck "Hide older resources". You will see recently terminated certbot that would have terminated based on your schedule. |
167 | | -1. If you are seeing errors in the logs and need to troubleshoot, you can use optional parameters DEBUG and DELETE_ACME_ROUTES. |
168 | | - |
169 | | - ``` sh |
170 | | - export CERTBOT_SERVER=<YOURCERTBOTSERVER> |
171 | | - export EMAIL=<some-valid@email.com> |
172 | | - export NAMESPACE=<YOURNAMESPACE> |
173 | | -
|
174 | | - oc process -n $NAMESPACE -f "https://raw.githubusercontent.com/BCDevOps/certbot/master/openshift/certbot.dc.yaml" -p EMAIL=$EMAIL -p NAMESPACE=$NAMESPACE -p CERTBOT_SERVER=$CERTBOT_SERVER -p CERTBOT_STAGING=false -p DEBUG=true -p DELETE_ACME_ROUTES=false | oc apply -n $NAMESPACE -f - |
175 | | - ``` |
176 | | - |
177 | | - _PS: Ensure that you manually delete the ACME Route and Service after you are done troubleshooting and redeploy without the DEBUG and DELETE_ACME_ROUTES options!_ |
178 | | - |
179 | | -1. If you end up running the setup process multiple times, ensure that you have deleted all the duplicate copies of those cron jobs and only keep the latest one. Or to delete all the certbot jobs and start fresh you can use the below. |
180 | | - |
181 | | - ``` sh |
182 | | - export NAMESPACE=<YOURNAMESPACE> |
183 | | -
|
184 | | - oc get job -n $NAMESPACE -o name | grep -F -e 'certbot' | xargs oc delete |
185 | | - oc get cronjob -n $NAMESPACE -o name | grep -F -e 'certbot' | xargs oc delete |
186 | | - ``` |
187 | | - |
188 | | -1. To suspend a cronjob in your namespace, you can use the below patch command. |
189 | | - |
190 | | - ``` sh |
191 | | - export NAMESPACE=<YOURNAMESPACE> |
| 24 | +## Documentation |
192 | 25 |
|
193 | | - oc patch cronjob -n $NAMESPACE certbot -p '{"spec" : {"suspend" : false }}' |
194 | | - ``` |
| 26 | +* [Docker Readme](docker/README.md) |
| 27 | +* [Security Reporting](SECURITY.md) |
195 | 28 |
|
196 | | -1. To resume a cronjob in your namespace, you can use the below patch command. |
| 29 | +## Getting Help or Reporting an Issue |
197 | 30 |
|
198 | | - ``` sh |
199 | | - export NAMESPACE=<YOURNAMESPACE> |
| 31 | +To report bugs/issues/features requests, please file an [issue](https://github.com/BCDevOps/certbot/issues). |
200 | 32 |
|
201 | | - oc patch cronjob -n $NAMESPACE certbot -p '{"spec" : {"suspend" : true }}' |
202 | | - ``` |
| 33 | +## How to Contribute |
203 | 34 |
|
204 | | -## References |
| 35 | +If you would like to contribute, please see our [contributing](CONTRIBUTING.md) guidelines. |
205 | 36 |
|
206 | | -- <https://certbot.eff.org/docs/using.html#webroot> |
207 | | -- <https://certbot.eff.org/docs/using.html#renewing-certificates> |
208 | | -- <https://letsencrypt.org/> |
209 | | -- <https://letsencrypt.org/how-it-works/> |
210 | | -- <https://certbot.eff.org/> |
211 | | -- <https://github.com/certbot/certbot/issues/2697#issuecomment-242360098> |
212 | | -- <https://www.entrust.net/knowledge-base/technote.cfm?tn=70882> |
| 37 | +Please note that this project is released with a [Contributor Code of Conduct](CODE-OF-CONDUCT.md). By participating in this project you agree to abide by its terms. |
213 | 38 |
|
214 | 39 | ## License |
215 | 40 |
|
216 | | -``` text |
| 41 | +```txt |
217 | 42 | Copyright 2018 Province of British Columbia |
218 | 43 |
|
219 | 44 | Licensed under the Apache License, Version 2.0 (the "License"); |
|
0 commit comments