Adding third-party SSL certificate to one domain

andymerrett 2018-03-23 09:20:44 UTC #1

I need to add a paid-for third-party SSL certificate to one of the domains hosted on a Bytemark server.

Other domains are using LetsEncrypt, which I want to stick with.

The client has sent me a .key file, but hasn't told me the provider (of course I can find out if needs be).

I've tried following documentation here: https://symbiosis.bytemark.co.uk/jessie/docs/symbiosis.html#ch-sslreference

but I can only see the explicit instruction for using LetsEncrypt or not using any certificates at all.

For example, it says:

"If you wish to use LetsEncrypt, put "letsencrypt" in config/ssl-provider."

So what do I put in config/ssl-provider (if anything) - the name of the certificate provider?

Do I then just upload the .key into a folder with the same name as the provider (my presumption give that there's a letsencrypt folder) and proceed from there?

Is a separate IP address still a requirement?

aladlow 2018-03-24 23:42:41 UTC #2

To stop Symbiosis trying to generate SSL certificates, you'll need to set config/ssl-provider to false. You can then add the third-party SSL wherever you'd like - perhaps /config/ssl/comodo/, or whatever helps you identify it amongst the rest.

An Apache SSL vhost file might look similar to this:

  SSLCertificateFile           /path/to/ssl.crt
  SSLCertificateKeyFile        /path/to/ssl.key
  SSLCertificateChainFile      /path/to/ssl.chain

SSLCertificateChainFile isn't strictly required (and is deprecated as of Apache 2.4.8). The .crt and .key should be provided by your SSL provider (or sometimes a .pfx which contains all three of the above files).

You shouldn't need an extra IP thanks to SNI, unless you're using a version of Apache older than 2.2.12.

Once you've manually modified the site's Apache vhost file, Symbiosis will skip over it when symbiosis-httpd-configure is ran, unless you append the --force flag - you'll likely not want this vhost file to be overwritten by Symbiosis, so it's worth bearing that in mind.

alphacabbage1 2018-03-26 15:33:55 UTC #3

Presumably, using the 'legacy' location ...

config/ssl.key
config/ssl.bundle
config/ssl.combined

... means that the apache config can be left under symbiosis control.

andymerrett 2018-03-27 05:55:51 UTC #4

Thanks for your help. The new certificate is now safely installed and working.

aladlow 2018-03-27 07:44:12 UTC #5

Good spot!
If config/ssl/current doesn't exist but config/ssl.combined and config/ssl.bundle do then Symbiosis will pick those up instead, without having to manually modify the vhost conf.

andymerrett 2018-03-27 07:46:52 UTC #6

Oh well I've done it the first way suggested. I'm happy with that.

As I haven't bought my own certificates before, I'm curious as to what happens on expiry/renewal. I know I'll need to upload new cert files when renewed, but if renewal takes place early, is the new certificate "backdated" to include days covered by the old certificate?

Or can I have both files residing on the server (named differently of course) and point to both? Or do I have to do a manual switch over (or else concoct some kind of cron job to do it for me) at the time the certificate actually expires?

aladlow 2018-03-27 20:51:06 UTC #7

Backdating would usually be dependant on your provider - I imagine most would be quite happy to extend a new certificate based on the time remaining on your current certificate, but it would probably be best just to confirm with them.

Swapping out paid certificates is generally a manual procedure. Let's Encrypt has a bit of an advantage here with the renew cron task in that it generates new certificates in-place and modifies the symlinks for each domain to point to their new certificate location, without having to modify the Apache vhost file. On the other hand, paid certificates are valid for years, whereas Let's Encrypt requires a renewal every 3 months.

You could have a similar setup with symlinks in your Apache vhost file (perhaps /etc/ssl/domain.com/live/ssl.{key, bundle, combined} pointing to /etc/ssl/domain.com/2018/ which could be moved to /etc/ssl/domain.com/2019 when necessary).

andymerrett 2018-03-28 10:45:21 UTC #8

The client's now requesting a renewed certificate so I'm sure it will be fine.

I've noticed overnight some LetsEncrypt certificates have been generated for the domain in question, again. They're not being used, as the ssl-provider is set 'false', however for tidiness sake is there some file I need to edit to stop these being generated for this domain?

andymerrett 2018-03-28 11:23:23 UTC #9

The manual says "If you wish to disable automatic certificate provisioning entirely, you can put the word false into config/ssl-provider."

I've done this but it's now rebuilt LetsEncrypt certificate, and somehow caused it to take precedence, not only that but it's coming up with a domain mismatch.

I don't want the LE cert at all - ever.

Update: OK what appears to have happened somewhere down the line is the domain in question had lost its symlink from '/etc/apache2/sites-enabled' to '/etc/apache2/sites-available' — I've no idea why! Resetting this solved the issue but I'm pretty sure I didn't do that.