Managing SSL certificates

Dylan Hillerbrand edited this page Apr 3, 2024 · 1 revision

A valid SSL certificate is needed to serve the Cantus Database websites securely (over HTTPS). Cantus Database obtains certificates from LetsEncrypt and uses the lego client to request them. Cantus Database has Ansible playbooks that manage SSL certificates for deployment by:

  • ensuring that a certificate exists when the site is deployed to a server
  • setting up a cron job that renews the certificate automatically before expiration

The Ansible repository defines a few variables that affect these procedures:

  • In group_vars/all/vault.yml:
    • certificate_registration_email: this is the email that is registered with LetsEncrypt and will receive any messages about the certificate from LetsEncrypt.
  • In group_vars/staging/main.yml and group_vars/production/main.yml:
    • canonical_hostname: Main hostname of the CantusDB site (e.g. for production, this is cantusdatabase.org). This will become the name of the certificate file issued to Cantus Database.
    • alias_hostnames: List of additional valid hostnames for the CantusDB site which will need to be included as valid domains in the certificate.

Management of certificates should only be handled through Ansible! The Ansible playbooks configure a simple server for obtaining initial certificates and run lego commands for obtaining and renewing certificates. In short, the relevant sections of the playbooks:

  • Check for the existence of certificate and LetsEncrypt account files on the server
  • Configure a simple nginx server listening on port 80 to serve the ACME challenge
  • Use the lego run command to obtain the certificate
  • Add a cron job that runs the lego renew command at an appropriate interval.
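The four steps above, written out as one Ansible play. This is an added example, not the Cantus Database project's own playbook: the variables certificate_registration_email, canonical_hostname and alias_hostnames are the ones described on this page, while lego_path, acme_webroot, the nginx configuration file path, the cron schedule and the 30-day renewal threshold are assumptions chosen for the example. lego's HTTP-01 webroot mode is used so that nginx on port 80 serves the challenge files and no other service has to bind that port.

```yaml
# Added example (not the project's own playbook). Assumed values are marked.
- name: Obtain and auto-renew a LetsEncrypt certificate with lego
  hosts: webservers
  become: true
  vars:
    lego_path: /etc/lego              # assumed: lego stores accounts/ and certificates/ here
    acme_webroot: /var/www/acme       # assumed: directory nginx serves the challenge from
    lego_domains: "{{ [canonical_hostname] + alias_hostnames }}"
  tasks:
    # Step 1: lego writes <path>/certificates/<canonical_hostname>.crt on success,
    # so its presence tells us whether an initial certificate was already obtained.
    - name: Check whether a certificate for the canonical hostname already exists
      ansible.builtin.stat:
        path: "{{ lego_path }}/certificates/{{ canonical_hostname }}.crt"
      register: existing_cert

    # Step 2: a minimal port-80 server that only answers ACME challenges and
    # sends everything else to HTTPS.
    - name: Ensure the ACME challenge webroot exists
      ansible.builtin.file:
        path: "{{ acme_webroot }}/.well-known/acme-challenge"
        state: directory
        mode: "0755"

    - name: Configure nginx on port 80 to serve the ACME challenge
      ansible.builtin.copy:
        dest: /etc/nginx/conf.d/acme-challenge.conf   # assumed path
        content: |
          server {
              listen 80;
              server_name {{ lego_domains | join(' ') }};
              location ^~ /.well-known/acme-challenge/ {
                  root {{ acme_webroot }};
                  default_type "text/plain";
              }
              location / {
                  return 301 https://$host$request_uri;
              }
          }
      notify: Reload nginx

    - name: Apply the nginx configuration before requesting the certificate
      ansible.builtin.meta: flush_handlers

    # Step 3: request the certificate for the canonical hostname plus every alias.
    # --accept-tos lets lego run non-interactively; --http.webroot places the
    # challenge token where the server block above serves it.
    - name: Obtain the initial certificate with lego run
      ansible.builtin.command:
        cmd: >-
          lego --accept-tos --email {{ certificate_registration_email }}
          --path {{ lego_path }} --http --http.webroot {{ acme_webroot }}
          {% for d in lego_domains %}--domains {{ d }} {% endfor %}
          run
      when: not existing_cert.stat.exists

    # Step 4: renew weekly; lego only re-issues when fewer than --days remain,
    # and the renew hook reloads nginx only when a new certificate was written.
    - name: Renew the certificate automatically before it expires
      ansible.builtin.cron:
        name: "lego renew {{ canonical_hostname }}"
        user: root
        minute: "17"                  # assumed schedule: Mondays at 03:17
        hour: "3"
        weekday: "1"
        job: >-
          lego --accept-tos --email {{ certificate_registration_email }}
          --path {{ lego_path }} --http --http.webroot {{ acme_webroot }}
          {% for d in lego_domains %}--domains {{ d }} {% endfor %}
          renew --days 30 --renew-hook 'systemctl reload nginx'

  handlers:
    - name: Reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
```

Two points worth noting when adapting this: the `stat` check mirrors the page's first step, but it only looks at the certificate file, so if the account directory under `{{ lego_path }}/accounts/` is removed lego will simply register a new account with the same email on the next `run`; and because every hostname in alias_hostnames is requested in the same certificate, each of them must resolve to this server on port 80 or the whole `lego run` fails.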