This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

Update certs #1051

Closed
5 tasks done
chadwhitacre opened this issue Apr 28, 2017 · 26 comments
Comments

@chadwhitacre
Contributor

chadwhitacre commented Apr 28, 2017

90 days is almost up! Time for our first (zero-indexed ;) Let's Encrypt! refresh. This is an urgent priority next week, because I'm gone the week after and our certs expire on the 11th.

  • Gratipay.com (gittip.co, gittip.com, gratipay.co, gratipay.com, gratipay.net, gratipay.org, www.gittip.co, www.gittip.com, www.gratipay.co, www.gratipay.com, www.gratipay.net, www.gratipay.org)
  • grtp.co
  • assets.gratipay.com (downloads.gratipay.com)
  • update docs: Update TLS cert docs #1059
  • rip out ACME Challenger: Rip out ACME Challenger gratipay.com#4452
@clone1018
Contributor

Looks like our steps are:

  1. Migrate from SSL:Endpoint to Heroku SSL (?)
  2. DNS Change to point to new infrastructure
  3. Enable https://devcenter.heroku.com/articles/automated-certificate-management#setup

From: https://devcenter.heroku.com/articles/automated-certificate-management#migrating-from-ssl-endpoint

@clone1018
Contributor

» heroku certs:info --app gratipay
Fetching SSL certificate ankylosaurus-68672 info for ⬢ gratipay... done
Certificate details:
Common Name(s): gittip.co
                gittip.com
                gratipay.co
                gratipay.com
                gratipay.net
                gratipay.org
                www.gittip.co
                www.gittip.com
                www.gratipay.co
                www.gratipay.com
                www.gratipay.net
                www.gratipay.org
Expires At:     2017-05-11 23:37 UTC
Issuer:         /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Starts At:      2017-02-10 23:37 UTC
Subject:        /CN=gittip.co
SSL certificate is verified by a root authority.

Now that I look at it I think that means we're already on Heroku SSL? If so upgrading should be as simple as heroku certs:auto:enable

 » heroku certs:auto --app gratipay
=== Automatic Certificate Management is disabled on gratipay

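The renewal check the thread does by hand (read certs:info, count the days left, confirm the hostnames and the CN), as an added example that is not part of the original issue or of any Heroku tooling. The sample output is constructed from the quote above with a shortened SAN list; the expected-names list and the 14-day warning threshold are assumptions.

```python
from datetime import datetime, timezone
import re

# Constructed sample modelled on the `heroku certs:info` output quoted above
# (SAN list shortened); in practice feed in the real command's stdout.
SAMPLE = """\
Certificate details:
Common Name(s): gittip.co
                gittip.com
                gratipay.com
                www.gratipay.com
Expires At:     2017-05-11 23:37 UTC
Issuer:         /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Subject:        /CN=gittip.co
"""

def parse_certs_info(text):
    """Extract SAN names, expiry (UTC) and subject CN from certs:info output."""
    names, expires, cn, in_names = [], None, None, False
    for line in text.splitlines():
        m = re.match(r"Common Name\(s\):\s*(\S+)", line)
        if m:
            names.append(m.group(1))
            in_names = True          # continuation lines are indented
            continue
        if in_names and line.startswith(" "):
            names.append(line.strip())
            continue
        in_names = False
        m = re.match(r"Expires At:\s*(\d{4}-\d\d-\d\d \d\d:\d\d) UTC", line)
        if m:
            expires = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            expires = expires.replace(tzinfo=timezone.utc)
        m = re.match(r"Subject:\s*/CN=(\S+)", line)
        if m:
            cn = m.group(1)
    return {"names": names, "expires": expires, "subject_cn": cn}

def check_cert(info, expected_names, now, warn_days=14):
    """Return findings: near expiry, uncovered hostnames, CN not the primary."""
    findings = []
    days_left = (info["expires"] - now).days
    if days_left < warn_days:
        findings.append(f"expires in {days_left} days")
    missing = sorted(set(expected_names) - set(info["names"]))
    if missing:
        findings.append("not covered: " + ", ".join(missing))
    if info["subject_cn"] != expected_names[0]:
        findings.append(f"CN is {info['subject_cn']}, want {expected_names[0]}")
    return findings
```

Run against the date this issue was opened, the check reports 13 days left, grtp.co uncovered and the gittip.co CN, which are the three things the thread goes on to fix.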
@clone1018
Contributor

Wonder why our common name is gittip.co

@chadwhitacre
Contributor Author

I think that was a mistake and I meant for it to be gratipay.com.

@clone1018
Contributor

Alright, from what I can see, we're currently on "Heroku SSL", so we're already completely set up for Heroku's "Automated Certificate Management".

Their instructions say:

Automated Certificate Management uses the same DNS configuration as our existing Heroku SSL (SNI) support. Although it might take some time to verify your DNS configuration, your app will continue to serve your existing SSL certificate while verification is taking place. Your app should continue to remain available at your custom domain throughout the process.

So I think our next step is to hit "I've done this"

image

@clone1018
Contributor

Alright. Research done for gratipay.com, I say we wait till after lunch and then hit the button so we can watch it.

Next up: grtp.co

@clone1018
Contributor

Added a checklist at the top

@chadwhitacre
Contributor Author

I'm good to go, @clone1018. 👍

@chadwhitacre
Contributor Author

Actually, we're comparing dig outputs. Mine:

$ dig gratipay.com ANY
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> gratipay.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 3522
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gratipay.com.                  IN      ANY

;; Query time: 8 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon May  8 14:40:01 2017
;; MSG SIZE  rcvd: 30

$

@clone1018
Contributor

Mine:

» dig gratipay.com ANY

; <<>> DiG 9.11.1 <<>> gratipay.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15293
;; flags: qr rd ra; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gratipay.com.			IN	ANY

;; ANSWER SECTION:
gratipay.com.		3600	IN	TXT	"v=spf1 include:email.freshdesk.com include:amazonses.com include:_spf.google.com -all"
gratipay.com.		3600	IN	TXT	"ALIAS for gratipay.com.herokudns.com"
gratipay.com.		3600	IN	MX	10 ASPMX.L.GOOGLE.com.
gratipay.com.		3600	IN	MX	20 ALT1.ASPMX.L.GOOGLE.com.
gratipay.com.		3600	IN	MX	30 ASPMX2.GOOGLEMAIL.com.
gratipay.com.		3600	IN	MX	30 ASPMX3.GOOGLEMAIL.com.
gratipay.com.		3600	IN	MX	20 ALT2.ASPMX.L.GOOGLE.com.
gratipay.com.		3600	IN	SOA	ns1.dnsimple.com. admin.dnsimple.com. 1433462702 86400 7200 604800 300
gratipay.com.		3600	IN	A	23.23.160.170
gratipay.com.		3600	IN	A	50.17.187.125
gratipay.com.		3600	IN	A	23.21.185.161
gratipay.com.		3600	IN	A	50.16.231.196
gratipay.com.		3600	IN	A	23.23.159.159
gratipay.com.		3600	IN	A	23.23.194.211
gratipay.com.		3600	IN	A	23.21.145.230
gratipay.com.		3600	IN	A	50.16.192.69
gratipay.com.		3600	IN	NS	ns3.dnsimple.com.
gratipay.com.		3600	IN	NS	ns1.dnsimple.com.
gratipay.com.		3600	IN	NS	ns2.dnsimple.com.
gratipay.com.		3600	IN	NS	ns4.dnsimple.com.

;; Query time: 101 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon May 08 10:47:05 CDT 2017
;; MSG SIZE  rcvd: 569

@chadwhitacre
Contributor Author

Confirmed via dig @ns1.dnsimple.com gratipay.com ANY. Let's do it!

@chadwhitacre
Contributor Author

Spot-checked with gratipay.org, gittip.com, gittip.co and they check out.

@clone1018
Contributor

I'm going to start this now via the Heroku Web UI

@chadwhitacre
Contributor Author

chadwhitacre commented May 8, 2017

From IRL convo: we can remove gittip.org from our cert post-#877.

@clone1018
Contributor

I'm seeing the new cert live on gratipay.com:

Valid From: Mon, 08 May 2017 17:25:00 GMT
Valid Until: Sun, 06 Aug 2017 17:25:00 GMT
Issuer: Let's Encrypt Authority X3

@clone1018
Contributor

Next steps are moving the Common Name to gratipay.com and removing gittip.org and www.gittip.org from our Heroku.

@clone1018
Contributor

www.gittip.org and gittip.org have been removed. We're now:

image

@clone1018
Contributor

Okay grtp.co is potentially solved at gratipay/grtp.co#173

@clone1018
Contributor

Now I'm thinking about MaxCDN. It's a pain in the butt to generate certs locally, reset FTP passwords, upload well-known files and then upload and change certs. I propose we instead switch to their Shared SSL feature.

Instead of using your own certificate, you use the certificate on our server. The upside of Shared SSL is being able to deliver content securely; the downside is not being able to control your certificate type. You must also share an IP address.
https://www.maxcdn.com/one/tutorial/ssl-options/

I'm not seeing us controlling our certificate type. The migration path is to disable SNI and enable Shared SSL.

@chadwhitacre
Contributor Author

Sounds good to me, @clone1018. I say go for it.

@clone1018
Contributor

clone1018 commented May 8, 2017

It turns out that MaxCDN has a nice hover state on the button mentioning that the Shared SSL product cannot work with your own custom domain and you must use their provided domain, e.g. app-company.netdna-ssl.com. Couldn't find it in their documentation though :(

Gonna start the DNS TXT validation process tomorrow or tonight after the 5K (doubtful)

@chadwhitacre
Contributor Author

DNS for grtp.co happening in gratipay/grtp.co#174 ...

@chadwhitacre
Contributor Author

Done for grtp.co in gratipay/grtp.co#174. Also done for {assets,downloads}. Docs updated in #1059. Now to rip out the ACME challenger ...

chadwhitacre added a commit to gratipay/gratipay.com that referenced this issue May 9, 2017
Not needed now that Heroku has released automated certificate
management.

gratipay/inside.gratipay.com#1051
@chadwhitacre
Contributor Author

Deployed, closing!
