[tech] Wildcard SSL/TLS certificates on core servers
David Adam
zanchey at ucc.gu.uwa.edu.au
Wed May 15 23:44:24 AWST 2019
On Mon, 13 May 2019, David Adam wrote:
> We've been using Let's Encrypt to get free SSL certificates since it
> launched, including for all member domains [1]. We settled on acmetool as
> the most sensible client at the time.
>
> Two things have changed:
> - the ACMEv1 protocol is being deprecated, and acmetool does not yet
> support ACMEv2 and appears to no longer be actively maintained [2]
> - wildcard certificates are available through Let's Encrypt, requiring
> DNS-01 challenges and a client that supports ACMEv2.
>
<snip>
> I'll start adding these certificates to the various SSL services on Motsugo,
> Mussel, and Mooneye. The only service which definitely can't use a wildcard is
> the IPsec VPN [5], so the magic secure.ucc certificate mechanisms probably need
> to remain in place for now (but I'll look at adding that to the DNS
> configurator as well).
I've migrated all domains and services on Mussel, Motsugo, Mooneye and
Murasoi (Web, SMTP/POP3, IMAP and IPsec) away from acmetool-issued
certificates to certbot-issued certificates. I've also moved Gitlab to
using the internal Let's Encrypt machinery rather than acmetool.
Finally, I disabled the certificate magic in
/home/wheel/bin/acmemembers.py and zonemake - we just use plain wildcard
certificates for user domains now.
Instructions on how to set things up for new machines or domains are
at https://wiki.ucc.asn.au/SSLCertificates
David Adam
zanchey@
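As an added illustration (not code from the original post, and not taken from certbot, acmetool or the UCC DNS configurator), the two mechanics the wildcard move above depends on, in Python: the DNS-01 response a client must publish for a name such as *.ucc.asn.au (RFC 8555 section 8.4 with the RFC 7638 account-key thumbprint), and a check of which hostnames a wildcard SAN actually covers. The account key, token and hostnames are constructed for the example and are not real credentials.

```python
"""DNS-01 challenge response and wildcard SAN coverage (added example).

1. For every name in an order the ACME client publishes a TXT record at
   _acme-challenge.<domain> (the leading "*." of a wildcard name is dropped)
   whose value is base64url(SHA-256(token "." base64url(thumbprint(JWK)))).
2. A "*.ucc.asn.au" entry matches exactly one label: it covers
   foo.ucc.asn.au but neither ucc.asn.au nor a.b.ucc.asn.au, so the
   apex name must be a separate SAN.
"""
import base64
import hashlib
import json
from typing import Dict, List, Optional, Tuple


def b64url(data: bytes) -> str:
    """RFC 4648 base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_canonical(jwk: Dict[str, str]) -> str:
    """RFC 7638 canonical JWK: required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                      separators=(",", ":"))


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    return b64url(hashlib.sha256(jwk_canonical(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value_for(key_auth: str) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_auth.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """(owner name, TXT value) to publish for one dns identifier.

    '*.ucc.asn.au' is validated at _acme-challenge.ucc.asn.au, so an order
    for both the apex and the wildcard needs two TXT records at one owner name.
    """
    domain = identifier[2:] if identifier.startswith("*.") else identifier
    return (f"_acme-challenge.{domain}",
            dns01_txt_value_for(key_authorization(token, jwk)))


def name_matches(san: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive; a wildcard is honoured
    only as the whole left-most label and consumes exactly one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                  # ".ucc.asn.au"
        if not host.endswith(suffix):
            return False
        left = host[: -len(suffix)]       # what the '*' would have to cover
        return bool(left) and "." not in left
    return san == host


def covered_by(sans: List[str], host: str) -> Optional[str]:
    """The SAN entry that covers `host`, or None if the cert does not cover it."""
    for san in sans:
        if name_matches(san, host):
            return san
    return None


if __name__ == "__main__":
    # Constructed account key and token: placeholders, not real ACME data.
    account_jwk = {"kty": "RSA", "e": "AQAB",
                   "n": "Y29uc3RydWN0ZWQtbW9kdWx1cy1mb3ItdGhlLWV4YW1wbGU"}
    token = "constructed-token-not-issued-by-any-CA"
    for ident in ("ucc.asn.au", "*.ucc.asn.au"):
        owner, value = dns01_record(ident, token, account_jwk)
        print(f"{ident:14} -> {owner} TXT \"{value}\"")
    sans = ["ucc.asn.au", "*.ucc.asn.au"]
    for host in ("ucc.asn.au", "member.ucc.asn.au", "a.b.ucc.asn.au"):
        print(f"{host:20} covered by: {covered_by(sans, host)}")
```

Running it prints the two owner names (both `_acme-challenge.ucc.asn.au`) with their TXT values, and shows that `a.b.ucc.asn.au` is covered by neither SAN, which is the case a wildcard-only setup silently fails on.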