Overview¶
System architecture¶
A typical certhub deployment consists of one Controller node hosting the
ACME Client (i.e., Certbot
or Lego
) along with the Principal Git
Repository. Multiple TLS Server nodes are used to host TLS Services such as
web servers, mail servers, databases and application servers.
The ACME Client stores certificates optained from the Certificate Authority in the Principal Git Repository. Changes to that repo are replicated to the Local Git Repositories on the TLS Server nodes automatically.
Certificates in the Local Certificate Directory on a TLS Server node are updated automatically whenever new commits are pushed to the Local Git Repository.
TLS Services are reloaded whenever the exported certificate in the Local Certificate Directory is modified.
Note that ACME Account Key is only needed on the Controller node (readable by the ACME Client). Also TLS Private Keys are only deployed on the respective TLS Server nodes and are readable by their respective TLS services exclusively.
Certhub ships with a considerable number of systemd units. All of those are designed as templates. Units used for replication to other nodes use the destination for the template instance string, all other units take a certificate basename as their instance string. The following diagram depicts a typical setup featuring automatic renewal, replication, certificate export and TLS service reload.
Controller node setup process¶
In a typical certhub setup there is only one Controller node. Setting up the Controller isn’t something which is repeated frequently.
In order to setup a new Controller node, the following steps are required. For production deployments it is recommended to use a configuration management system.
On the Controller node:
Install required software including certhub and its dependencies. Also install one of the supported ACME client.
Setup the local unprivileged certhub user account.
Generate an SSH keypair to be used for repository replication.
Initialize the Principal Git Repository.
Create the necessary directory structure including private directory for ACME Account Keys as well as config and state directories.
Create or restore the ACME Account Keys for the installed ACME Client.
TLS Server node setup process¶
In a typical certhub setup there are more than one TLS Server node. Depending on the environment, TLS Server nodes might get deployed regularely.
In order to setup a new TLS Server node, the following steps are required. For production deployments it is recommended to use a configuration management system.
On the TLS Server node:
Install required software including certhub and its dependencies. Do not install any ACME client software on TLS Server nodes.
Setup the local unprivileged certhub user account.
Initialize the Local Git Repository and create the Local Certificate Directory.
Authorize the certhub user on the Controller node to push to the Local Git Repository.
On the Controller node:
Setup systemd units responsible for replicating the Principal Git Repository to the Local Git Repository on the new TLS Server.
TLS Service setup process¶
In a typical certhub setup there are more than one TLS Service. Depending on the environment, TLS Services might get deployed regularely.
The following steps are needed to create a new certificate for a new TLS Service. For production deployments it is recommended to use a configuration management system.
On the TLS Server node:
Generate a new TLS Private Key and Certificate Signing Request (CSCR).
Add a configuration file which specifies the TLS Service(s) to be reloaded whenever the certificate changes in the Local certificate Directory.
Setup systemd units responsible for exporting changed certificates and reloading services.
On the Controller node:
Add the newly generated CSR along with ACME Client specific configuration to the certhub config directory.
Setup systemd units responsible for checking certificate expiry and automatic renewal.