ocket8888 commented on a change in pull request #3534: TP Delivery Service Generate SSL update, new letsencrypt generate and renew API endpoints URL: https://github.com/apache/trafficcontrol/pull/3534#discussion_r372557468
########## File path: docs/source/admin/traffic_router.rst ########## @@ -690,8 +690,70 @@ The ordering of certificates within the certificate bundle matters. It must be: To see the ordering of certificates you may have to manually split up your certificate chain and use :manpage:`openssl(1ssl)` on each individual certificate -Suggested Way of Setting up an HTTPS Delivery Service ------------------------------------------------------ +Let's Encrypt +------------- +Let’s Encrypt is a free, automated :abbr:`CA (Certificate Authority)` using :abbr:`ACME (Automated Certificate Management Environment)` protocol. Let's Encrypt performs a domain validation before issuing or renewing a certificate. There are several options for domain validation but for this application the DNS challenge is used in order to receive wildcard certificates. Let's Encrypt sends a token to be used as a TXT record at ``_acme-challenge.domain.example.com`` and after verifying that the token is accessible there, will return the newly generated and signed certificate and key. The basic workflow implemented is: + +#. ``POST`` to Let's Encrypt and receive the DNS challenge token. +#. Traffic Ops stores the DNS challenge. +#. Traffic Router has a watcher which checks with Traffic Ops for any new challenges or deleted challenges. +#. When a new record appears, Traffic Router temporarily adds a static route for the specified :term:`Delivery Service` with the token from Let's Encrypt at ``_acme-challenge.domain.example.com``. +#. Let's Encrypt continuously attempts to resolve it as a TXT record to verify ownership of the domain. + +.. Note:: DNSSec should be turned on for any CDN using Let's Encrypt to guard against a 'Man in the Middle' interference with this transaction. + +#. Let's Encrypt returns the signed certificate and key to Traffic Ops. +#. Traffic Ops stores the certificate and key in Traffic Vault and removes the DNS challenge record. +#. The Traffic Router watcher removes the TXT record. + +Let's Encrypt can be set up through :file:`/opt/traffic_ops/app/conf/cdn.conf` by updating the following fields: + +.. table:: Fields to update for Let's Encrypt under `lets_encrypt` Review comment: These options should be listed in the new cdn.conf section of the TO admin docs ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services