diff --git a/certs/.gitignore b/certs/.gitignore
deleted file mode 100644
index d1386810..00000000
--- a/certs/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*.csr
-*.key
diff --git a/certs/README.md b/certs/README.md
deleted file mode 100644
index d0d7a809..00000000
--- a/certs/README.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Certificates
-
-The subdirectories contain the certificate request configurations for the
-project, by domain. Each subdirectory is named as `/YYYY-MM` where `YYYY-MM`
-is the date that the request was made.
-
-The keys and certificates are stored in a shared folder in Keeper and the latest
-is stored in the Ansible vault.
-
-## Generate a new certificate request
-
-- Make a new directory named using the current year/month in the format above.
-- Copy the previous certificate request configuration file (*.cnf) to the new directory
-
-The next step depends on whether you already have a key. If you have an existing key, run:
-
-```sh
-openssl req -nodes -new -key [SERVER_NAME].key -out [SERVER_NAME].csr -config [SERVER_NAME].cnf
-```
-
-If you need to generate a new key, run:
-
-```sh
-openssl req -nodes -new -newkey rsa:4096 -keyout [SERVER_NAME].key -out [SERVER_NAME].csr -config [SERVER_NAME].cnf
-```
-
-where `[SERVER_NAME]` should be replaced by the domain name of the server.
-
-## Installing the new certificate chain
-
-The certificate authority will return the certificate chain in a variety of different formats and
-combinations. For use with our Traefik proxy select the "Certificate (w/ issuer after), PEM encoded"
-bundle. Update the relevant Ansible vault with the new content.
diff --git a/certs/analytics.isis.cclrc.ac.uk/2025-06/analytics_isis_cclrc_ac_uk.cnf b/certs/analytics.isis.cclrc.ac.uk/2025-06/analytics_isis_cclrc_ac_uk.cnf
deleted file mode 100644
index 616d1c03..00000000
--- a/certs/analytics.isis.cclrc.ac.uk/2025-06/analytics_isis_cclrc_ac_uk.cnf
+++ /dev/null
@@ -1,11 +0,0 @@
-####################################################################
-[ req ]
-distinguished_name = req_distinguished_name
-prompt = no
-
-[ req_distinguished_name ]
-C = GB
-ST = Wiltshire
-O = UK Research and Innovation
-OU = STFC
-CN = analytics.isis.cclrc.ac.uk
diff --git a/certs/dev-analytics.isis.cclrc.ac.uk/2026-01/dev-analytics_isis_cclrc_ac_uk.cnf b/certs/dev-analytics.isis.cclrc.ac.uk/2026-01/dev-analytics_isis_cclrc_ac_uk.cnf
deleted file mode 100644
index 7c5f0ed4..00000000
--- a/certs/dev-analytics.isis.cclrc.ac.uk/2026-01/dev-analytics_isis_cclrc_ac_uk.cnf
+++ /dev/null
@@ -1,11 +0,0 @@
-####################################################################
-[ req ]
-distinguished_name = req_distinguished_name
-prompt = no
-
-[ req_distinguished_name ]
-C = GB
-ST = Wiltshire
-O = UK Research and Innovation
-OU = STFC
-CN = dev-analytics.isis.cclrc.ac.uk
diff --git a/docs-devel/deployment/index.md b/docs-devel/deployment/index.md
index 45a88220..f6e2e8fd 100644
--- a/docs-devel/deployment/index.md
+++ b/docs-devel/deployment/index.md
@@ -42,3 +42,7 @@ Once deployed the services are available at: | Lakekeeper UI | | | Superset (accelerator) | | | Superset (experiment_ops) | | |
+
+## Certificates
+
+See [certificates](certificates.md) for details on certificate management.
diff --git a/docs-devel/readme.md b/docs-devel/readme.md
index cd1589a3..f609cff8 100644
--- a/docs-devel/readme.md
+++ b/docs-devel/readme.md
@@ -16,7 +16,6 @@ the future.
 ```text
 .
-├── certs/ # Certificate request configurations used for HTTPS/SSL
 ├── docs/ # User-facing documentation site (MkDocs). See docs/src for content.
 ├── docs-devel/ # Developer documentation (this directory).
 ├── elt-common/ # Reusable Python package with common ELT helpers used by the warehouses
diff --git a/infra/ansible/.gitignore b/infra/ansible/.gitignore
index 9cf16516..5ca521da 100644
--- a/infra/ansible/.gitignore
+++ b/infra/ansible/.gitignore
@@ -4,3 +4,4 @@ condaenv/
 galaxy_roles
 *.ini
 inventory.yml
+*.csr
diff --git a/infra/ansible/site_csr.yml b/infra/ansible/site_csr.yml
new file mode 100644
index 00000000..462af265
--- /dev/null
+++ b/infra/ansible/site_csr.yml
@@ -0,0 +1,14 @@
+---
+- name: Generate certificate signing request
+ hosts: localhost
+ gather_facts: false
+ tasks:
+ - name: Generate an OpenSSL Certificate Signing Request
+ community.crypto.openssl_csr:
+ path: "{{ csr_out_path }}"
+ privatekey_content: "{{ vault_tls_key }}"
+ country_name: GB
+ state_or_province_name: Wiltshire
+ organization_name: UK Research and Innovation
+ organizational_unit_name: STFC
+ common_name: "{{ top_level_domain }}"
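Review bot: The task in site_csr.yml hands the private key straight to the module through `privatekey_content: "{{ vault_tls_key }}"` with no task-level `no_log: true`; community.crypto may already mark that argument as sensitive, but a task-level `no_log: true` beside the task's `name:` is the usual defence-in-depth so that verbose runs, callback plugins and failure output cannot echo the key material. The play also consumes `csr_out_path`, `vault_tls_key` and `top_level_domain` as undeclared variables, and a short comment above the play naming each one and where it is expected to come from (extra-vars versus the vault) would replace the procedure text this commit removes from certs/README.md. Presumably that procedure now lives in the certificates.md that docs-devel/deployment/index.md links to, which is not part of this diff. The infra/ansible/.gitignore hunk above adds `*.csr` but not `*.key`, which the deleted certs/.gitignore did cover; if the key is only ever read from the vault that is fine, otherwise `*.key` should be ignored there too.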