🔒SSL

Go to GoDaddy website to buy a new certificate.
After login, go to the Certificates section and click on "gérer".
Buy the new certificate and download the Apache version.
Once unzipped, concatenate both files together (ex: cat 6b287f95fd839a6c.crt gd_bundle-g2-g1.crt > combined.crt).

Then, to change the certificate on clients.luckycycle.com:

cd /etc/nginx/
mkdir ssl2023

After that you need to copy both the server key and the certificate.

cp ssl2022/new_server.key ssl2023/new_server.key
scp combined.crt [email protected]:/etc/nginx/ssl2023/combined.crt

Edit the configuration:

vim /etc/nginx/sites-available/clients.luckycycle.com

Change the path of the certificate on this file and restart nginx:

service nginx restart
/etc/nginx/ssl2022/combined.crt => /etc/nginx/ssl2023/combined.crt

For any Heroku app:

Copy the server.key and update the certificate:

scp [email protected]:/etc/nginx/ssl2022/new_server.key server.key
heroku certs:update combined.crt server.key -a lcbackend
heroku certs:update combined.crt server.key -a lcbeu

For the website (www.luckycycle.com):

Copy the certificate on server and restart Apache:

scp combined.crt [email protected]:/etc/ssl/certs/combined.crt
systemctl restart apache2

For the mon.jeu.leclerc domain:

Update the fol-prod-lucky-cycle-crt secret with the new certificate Leclerc provided us with (.pem) and our own generated key (.key).

Remark: Not recommended, but it's also possible to delete the secret and create a new one with the following commands:

kubectl delete secret fol-prod-lucky-cycle-crt
kubectl create secret tls fol-prod-lucky-cycle-crt --cert=<PATH/TO/CERT/FILE> --key=<PATH/TO/KEY/FILE>

Steps by Guillaume, written by Corentin on 06/01/2023.

For a custom certificate with a single domain:

Run the following command and add your info to generate a .csr and .key files:

openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout cert.key -out cert.csr

C: FR
ST: Val-de-Marne
L: IVRY SUR SEINE
PostalCode: 94200
STREET: 26 QUAI MARCEL BOYER
O: SOC COOPER GROUPEM ACHAT CENTRE LECLERC
N: mon.jeu.leclerc

For a custom certificate with multiple sub-domains (SANs):

Create a cert.conf file with your info:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
ST = Ile de France
L = PARIS
O = ITM Entreprises S.A.S.U
OU = Mousquetaires
CN = www.grandjeu.intermarche.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.grandjeu.intermarche.com
DNS.2 = grandjeu.intermarche.com

Run the following command to generate the .csr and .key files:

openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout cert.key -out cert.csr -config cert.conf

In both cases, the customer must certify the .csr file (keep the .key one to yourself), and provide us with a .cer file (could be one file, or more if they generated intermediate certificates).

Remark: If you receive more than one .cer file, you must bundle them together before going further (you can simply paste them one below the others to do so).

Then, you need to go to Rancher, create a new TLS secret, add both your (bundled) .cer and .key files, and reference its name in the production values.yaml of the ops repository.

To decrypt a generated CSR, simply run:

openssl req -in cert.csr -noout -text

Last updated 8 months ago