From 4b1e204c961cd9fa405b8a384daaa8d4f2f6ca54 Mon Sep 17 00:00:00 2001 From: Matyas Selmeci Date: Fri, 16 Aug 2024 17:33:33 -0500 Subject: [PATCH 1/2] Let's Encrypt CA cert docs: use different paths for Pelican/OSDF The Pelican/OSDF configuration does not look for the cert/key in the usual /etc/grid-security location, so update the Let's Encrypt docs to mention the difference. --- docs/security/host-certs/lets-encrypt.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/security/host-certs/lets-encrypt.md b/docs/security/host-certs/lets-encrypt.md index 52e18d796..08d85c6ef 100644 --- a/docs/security/host-certs/lets-encrypt.md +++ b/docs/security/host-certs/lets-encrypt.md @@ -34,6 +34,13 @@ Installation and Obtaining the Initial Certificate 1. Set up hostcert/hostkey links: + If using host certificates for Pelican/OSDF: + :::console + root@host # ln -sf /etc/letsencrypt/live/*/cert.pem /etc/pki/tls/certs/pelican.crt + root@host # ln -sf /etc/letsencrypt/live/*/privkey.pem /etc/pki/tls/private/pelican.key + root@host # chmod 0600 /etc/letsencrypt/archive/*/privkey*.pem + + If using host certificates for other software: :::console root@host # ln -sf /etc/letsencrypt/live/*/cert.pem /etc/grid-security/hostcert.pem root@host # ln -sf /etc/letsencrypt/live/*/privkey.pem /etc/grid-security/hostkey.pem From 5255550fd5b84cd9d254f73f28dabaed26bcaf0e Mon Sep 17 00:00:00 2001 From: Matyas Selmeci Date: Fri, 11 Oct 2024 15:28:44 -0500 Subject: [PATCH 2/2] Let's Encrypt: mention that Pelican needs the full cert chain --- docs/security/host-certs/lets-encrypt.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/security/host-certs/lets-encrypt.md b/docs/security/host-certs/lets-encrypt.md index 08d85c6ef..79257a5e6 100644 --- a/docs/security/host-certs/lets-encrypt.md +++ b/docs/security/host-certs/lets-encrypt.md 
@@ -36,7 +36,7 @@ Installation and Obtaining the Initial Certificate If using host certificates for Pelican/OSDF: :::console - root@host # ln -sf /etc/letsencrypt/live/*/cert.pem /etc/pki/tls/certs/pelican.crt + root@host # ln -sf /etc/letsencrypt/live/*/fullchain.pem /etc/pki/tls/certs/pelican.crt root@host # ln -sf /etc/letsencrypt/live/*/privkey.pem /etc/pki/tls/private/pelican.key root@host # chmod 0600 /etc/letsencrypt/archive/*/privkey*.pem @@ -46,6 +46,10 @@ Installation and Obtaining the Initial Certificate root@host # ln -sf /etc/letsencrypt/live/*/privkey.pem /etc/grid-security/hostkey.pem root@host # chmod 0600 /etc/letsencrypt/archive/*/privkey*.pem + + Note that Pelican requires the full certificate chain, not just the certificate, + so the pelican.crt symlink needs to point to fullchain.pem, not cert.pem. + 1. Restart services running on port 80 if there were any.
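Review bot: in PATCH 1/2 (hunk `@@ -34,6 +34,13 @@`), the new Pelican link points `pelican.crt` at `cert.pem`, which PATCH 2/2 then reverses to `fullchain.pem`; squash the two commits (or fold the fix into this one) so the documented step is never wrong at an intermediate revision. Two smaller points in the same hunk: the `ln -sf /etc/letsencrypt/live/*/...` form is copied from the existing grid-security block and only works if there is exactly one lineage under `/etc/letsencrypt/live`; with more than one, the glob expands to several sources and `ln -sf` fails because the target is not a directory, so either name the lineage explicitly (certbot names it after the certificate's first domain by default) or state that the step assumes a single lineage. And the `chmod 0600 /etc/letsencrypt/archive/*/privkey*.pem` line is now duplicated in both branches although it does not depend on which software consumes the certificate; it can be a single unconditional line after the two blocks.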
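Review bot: in PATCH 2/2, hunk `@@ -36,7 +36,7 @@` switches only the Pelican link to `fullchain.pem` and leaves `/etc/grid-security/hostcert.pem` in the "other software" branch on `cert.pem` without saying whether that difference is deliberate. If it is intentional, one sentence in the docs explaining why the grid-security path takes the leaf certificate only would stop readers from "fixing" it by analogy; if it is not, that branch needs the same change in this commit.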
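Review bot: in PATCH 2/2, hunk `@@ -46,6 +46,10 @@` places the "Note that Pelican requires the full certificate chain" paragraph after the "other software" block, so a reader following the Pelican branch has already run the `ln -sf` lines before reaching the explanation, and a reader of the other branch meets a Pelican-specific remark in the middle of their step. Move the note directly under the Pelican `:::console` block (or into the "If using host certificates for Pelican/OSDF:" lead-in), and check that the added leading `+` blank line does not stack with the blank context line already preceding "1. Restart services", which would leave two consecutive blank lines in the rendered list.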