[tech] SSL on various services with LetsEncrypt

Felix von Perger frekk at ucc.asn.au
Fri Dec 7 18:50:11 AWST 2018


Hi all,

[CFE] and I worked on enabling / fixing SSL on a bunch of services 
today. This hopefully hasn't broken anything significant.

  * Wiki on mooneye using acmetool
      o acmetool want wiki.ucc.asn.au wiki.ucc.gu.uwa.edu.au
        wikisfa.ucc.gu.uwa.edu.au wikisfa.ucc.asn.au
      o Added redirects to HTTPS versions of the above domains in
        /etc/apache2/sites-enabled/wiki.conf
  * Attempted to migrate AD domain controller host certificates on samson
      o Using certbot and custom scripts calling samba-tool to manually
        update a TXT record for _acme-challenge.ad.ucc.gu.uwa.edu.au
      o In order to allow acme to issue a wildcard certificate for
        *.ad.ucc.gu.uwa.edu.au, the TXT record must be resolvable
        externally;
          + Done by setting allow-recursion {any;} in
            mooneye:/etc/bind/named.conf.options
          + There doesn't seem to be a way to have more fine-grained
            access control to recursion/forwarding queries to forward
            zones while using bind, so this seems like the only option
            that would work
          + It also means that anyone can ask mooneye to do DNS lookups
            for any domain. Is this a bad thing?!
      o It may be possible to request certificates using HTTP port 80 as
        the proof of ownership mechanism - however we cannot generate
        wildcard certificates this way.
          + Nothing else listens on port 80 on AD DCs
          + samson.ad.ucc.gu.uwa.edu.au still needs to be externally
            resolvable - which can only be done in our current software
            configuration by allow-recursion {any;}
  * Proxmox (maltair, medico and loveday) - see
    https://pve.proxmox.com/wiki/Certificate_Management
      o using `pvenode config set --acme
        "domains=$HOST.ucc.gu.uwa.edu.au;$HOST.ucc.asn.au"` (the domain
        list must be quoted, or the shell treats the `;` as a command
        separator)
      o and `pvenode acme cert order`
      o This is also integrated into the Proxmox web UI, and once acme
        is configured it will automatically renew certificates when
        necessary
  * Also planned to generate an SSL certificate for RADIUS (also on
    samson) using HTTP
      o Windows will not break when connecting to wifi if a valid
        (trusted) server certificate is presented for the RADIUS server
        hostname (AFAIK).
      o Note: this can be done using samson.ucc.gu.uwa.edu.au rather
        than samson.ad.ucc.gu.uwa.edu.au (since subdomains of ad.ucc may
        not be resolvable externally)
      o Alternatively RADIUS could be configured to use the same
        wildcard certificate as AD, provided it is possible to generate one.
          + Why not just do that? It /would/ probably work but only if
            the AD wildcard certificates work as well, which they don't
            seem to currently.

Please feel free to contact either myself or [CFE] regarding breakages 
or security hazards introduced by the above changes.

Best regards,
Felix von Perger [FVP]
UCC Wheel Member
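
The post mentions "custom scripts calling samba-tool to manually update a TXT
record" for the DNS-01 challenge. The script below is an added illustration of
what such a certbot hook pair looks like; it is not the script FVP and CFE
wrote, and the zone name, the DNS server address, the public resolver used
for the visibility check and the 5-minute polling budget are assumptions for
illustration. It relies on certbot exporting CERTBOT_DOMAIN and
CERTBOT_VALIDATION to --manual-auth-hook / --manual-cleanup-hook, and on
certbot stripping the leading "*." from a wildcard name before calling the
hook, so that "*.ad.ucc.gu.uwa.edu.au" arrives as the zone apex. The poll at
the end checks the record from a public resolver rather than from the DC,
because that is the view Let's Encrypt has, which is exactly the "must be
resolvable externally" requirement the post runs into.

```shell
#!/bin/sh
# Constructed certbot DNS-01 hook for an AD-integrated Samba DNS zone.
# Usage (both hooks are this same file):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "/path/to/hook.sh auth" \
#     --manual-cleanup-hook "/path/to/hook.sh cleanup" \
#     -d 'ad.ucc.gu.uwa.edu.au' -d '*.ad.ucc.gu.uwa.edu.au'
set -eu

AD_ZONE="ad.ucc.gu.uwa.edu.au"            # assumed: the AD DNS zone
DNS_SERVER="${DNS_SERVER:-127.0.0.1}"      # assumed: run on the DC itself
PUBLIC_RESOLVER="${PUBLIC_RESOLVER:-1.1.1.1}"  # assumed: any outside resolver

# Map the name certbot hands us to the record name relative to AD_ZONE.
# Wildcard orders arrive as the bare zone, so the record is the apex
# "_acme-challenge"; a host such as samson.ad... becomes "_acme-challenge.samson".
# Names outside the zone are rejected rather than published somewhere else.
acme_record_name() {
    domain="$1"
    case "$domain" in
        "$AD_ZONE")   echo "_acme-challenge" ;;
        *."$AD_ZONE") echo "_acme-challenge.${domain%.$AD_ZONE}" ;;
        *) echo "acme_record_name: $domain is not inside $AD_ZONE" >&2; return 1 ;;
    esac
}

# Publish or remove the TXT record through samba-tool. samba-tool needs a
# Kerberos ticket or -U credentials with rights on the zone; not shown here.
publish_txt()   { samba-tool dns add    "$DNS_SERVER" "$AD_ZONE" "$1" TXT "$2"; }
unpublish_txt() { samba-tool dns delete "$DNS_SERVER" "$AD_ZONE" "$1" TXT "$2"; }

# Poll a public resolver until the token is visible from the outside. If this
# never succeeds, the order will fail at validation anyway, so fail early
# with a clear message instead of letting certbot time out.
wait_for_txt() {
    fqdn="$1"; token="$2"; tries=0
    while [ "$tries" -lt 30 ]; do
        if dig +short TXT "$fqdn" @"$PUBLIC_RESOLVER" | grep -qF "\"$token\""; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 10
    done
    echo "TXT for $fqdn not visible from $PUBLIC_RESOLVER after 5 minutes" >&2
    return 1
}

# Entry point: only runs when certbot has set CERTBOT_DOMAIN.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    case "${1:-}" in
        auth)
            publish_txt "$name" "$CERTBOT_VALIDATION"
            wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
        cleanup)
            unpublish_txt "$name" "$CERTBOT_VALIDATION" ;;
        *)
            echo "usage: $0 auth|cleanup (invoked by certbot)" >&2; exit 2 ;;
    esac
fi
```

On the open-resolver question raised in the post: the record only has to be
reachable by the ACME validator, and validators follow CNAMEs, so a known
way to avoid allow-recursion {any;} is to point
_acme-challenge.ad.ucc.gu.uwa.edu.au via CNAME at a name in a zone mooneye
serves authoritatively and have the hook write the token there instead. That
is an alternative design, not something the post describes having done.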