[tech] UCC ssl certificates
Matt Johnston
matt at ucc.asn.au
Sun Jan 31 21:39:20 AWST 2016
Hi all,
UCC's webserver now requests free SSL certificates from
letsencrypt.org. It's a bit convoluted - wildcard
certificates have dropped in price since I wrote scripts
last week, but it seems to work.
We're using acmetool [1] to request certificates, it's more
flexible than the official client.
- Each night on mussel /home/wheel/bin/acmemembers.py parses
Apache members.conf to figure out which domains need certificates. It
writes requests to /var/lib/acmetool/desired/ then runs
acmetool to request the certificates. It tries to put as
many SAN (subject alternative name) domains in each
certificate as possible, since Letsencrypt currently have
a limit of 5 certificates/week/domain (including subdomains).
See the script for details.
You can add extra domains like secure.ucc.asn.au to
/home/other/www/extra-ssl-domains and point the apache
config to /var/lib/acme/live/{domain}/cert etc. For certs
on other hosts like mooneye/VMs you could run acmetool
manually there, or rsync certs over. Beware the weekly
request limits though!
- acmetool runs /usr/libexec/acme/hooks/update-sitelist
which writes a list of SSL-happy domains to
/home/other/www/acme-sitelist.txt
- Mooneye's zonemake.py script for member domains now only
adds an sslcertificate stanza for a domain if it exists in
acme-sitelist.txt
So everything should happen automatically for new member
domains eventually. If you want to quickly make a member
including https, steps are:
- ucc-adduser member
- zonemake.py once
- restart apache on mussel
- run acmemembers.py
- zonemake.py again to add sslcertificate stanzas
- restart apache on mussel.
Matt
[1] acmetool https://hlandau.github.io/acme/
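As an added illustration of the pipeline described in the post (parse Apache members.conf for hostnames, pack them into as few SAN certificates as possible so the weekly per-domain issuance limit is hit less often, then write acmetool target files), this is example code, not UCC's acmemembers.py. The members.conf text is constructed, and the 100-name per-certificate cap and the `satisfy: names:` target layout are assumptions.

```python
import re
from pathlib import Path

# Constructed sample of an Apache members.conf (not UCC's real file).
MEMBERS_CONF = """
<VirtualHost *:80>
    ServerName alice.ucc.asn.au
    ServerAlias www.alice.ucc.asn.au alice.example.org
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.ucc.asn.au:80
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.M | re.I)

def vhost_domains(conf_text):
    """Return the ordered, de-duplicated hostnames from ServerName/ServerAlias."""
    seen = []
    for body in VHOST_RE.findall(conf_text):
        for line in NAME_RE.findall(body):
            for name in line.split():
                name = name.split(":")[0].lower()  # drop a trailing :port
                if name not in seen:
                    seen.append(name)
    return seen

def san_groups(domains, max_names=100):
    """Pack domains into as few certificates as possible, one SAN list each.
    max_names is an assumed per-certificate SAN cap; fewer certificates means
    fewer requests counted against the weekly per-domain limit."""
    return [domains[i:i + max_names] for i in range(0, len(domains), max_names)]

def desired_text(group):
    """Render one acmetool target in the assumed 'satisfy: names:' YAML layout."""
    return "\n".join(["satisfy:", "  names:"] + ["    - " + d for d in group]) + "\n"

def write_desired(groups, desired_dir):
    """Write one target file per SAN group (named after its first hostname)."""
    desired_dir = Path(desired_dir)
    desired_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for group in groups:
        path = desired_dir / (group[0] + ".yaml")
        path.write_text(desired_text(group))
        written.append(path)
    return written
```

Run acmetool after writing the targets; the hostnames from an extra-domains file can simply be appended to the list before grouping.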