ajschmidt commented on a change in pull request #3534: TP Delivery Service Generate SSL update, new letsencrypt generate and… URL: https://github.com/apache/trafficcontrol/pull/3534#discussion_r338655810
########## File path: docs/source/admin/traffic_router.rst ########## @@ -681,8 +681,67 @@ The ordering of certificates within the certificate bundle matters. It must be: To see the ordering of certificates you may have to manually split up your certificate chain and use :manpage:`openssl(1ssl)` on each individual certificate -Suggested Way of Setting up an HTTPS Delivery Service ------------------------------------------------------ +Let's Encrypt +------------- +Let’s Encrypt is a free, automated :abbr:`CA (Certificate Authority)` using :abbr:`ACME (Automated Certificate Management Environment)` protocol. Let's Encrypt performs a domain validation before issuing or renewing a certificate. There are several options for domain validation but for this application the DNS challenge is used in order to receive wildcard certificates. Let's Encrypt sends a token to be used as a TXT record at ``_acme-challenge.domain.example.com`` and after verifying that the token is accessible there, will return the newly generated and signed certificate and key. The basic workflow implemented is: + +#. ``POST`` to Let's Encrypt and receive the DNS challenge token. +#. Traffic Ops stores the DNS challenge in the Traffic Ops database. +#. Traffic Router has a watcher set up to watch for changes in the Traffic Ops database table. +#. When a new record appears, Traffic Router reads it and puts the token from Let's Encrypt as a TXT record at ``_acme-challenge.domain.example.com`` for the specified :term:`Delivery Service`. +#. Let's Encrypt verifies that the correct record is accessible to verify ownership of the domain. Review comment: I think its fine to be explicit here a say that 'Traffic Router temporarily adds a static route to the delivery service and Let's Encrypt continuously attempts to resolve it as a TXT record to verify ownership of the domain. You might also want to comment that DNSSec should be turned on for any CDN using Let's Encrypt to guard against a 'Man in the Middle' interference with this transaction. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services