Commit
add lambda common layer and openssl docs
Showing 4 changed files with 50 additions and 1 deletion.
@@ -0,0 +1,24 @@ | ||
# Lambda Common Layer | ||
|
||
:::note | ||
The Lambda Common Layer `.env` file typically does not need to be renewed, but in rare cases you may have to do so (e.g. if you moved from Travis CI to Github Actions), so I have included the documentation for it below. | ||
::: | ||
|
||
The Lambda Common Layer is a lambda layer used in most SO web applications to facilitate session handling, DB access and web responses. You can view the code for this in the [following repo](https://github.com/OSU-Sustainability-Office/lambda-common-layer). | ||
|
||
Encrypted `.env`: | ||
To prevent our access credentials from leaking we encrypt our `.env` file in our repository. The secrets can be viewed [here (must be paid OSU SO employee)](https://drive.google.com/file/d/1sTPdFUINTAz3VjnqNsootABAuxoG3DOA/view?usp=sharing) | ||
|
||
To generate new encryption key: | ||
openssl enc -aes-256-cbc -k secret -P -md sha1 | ||
|
||
(Any values below with angled brackets, e.g. `<key>` should be read as a stand-in value, please substitute your own value without brackets) | ||
|
||
Encrypting the file: | ||
`openssl enc -aes-256-cbc -K <key> -iv <iv> -in .env -out .env.enc` | ||
|
||
Decrypting the file: | ||
`openssl aes-256-cbc -K <key> -iv <iv> -in .env.enc -out .env -d` | ||
|
||
Couldn’t someone perform a known-plaintext crib attack? | ||
No? Well, Maybe? I have no idea! This should probably be secure given that it would take an inordinate amount of time to brute-force AES-256-CBC but also maybe there’s some more effective methods given that an attacker could probably guess the format of the .env file generally. This was mostly a method of protecting secrets that was added back in 2018-19 when the dominant way of storing access credentials relied on .env files. A better process probably involves using AWS Secrets which automatically rotates access tokens. |
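Review bot: the key-generation command `openssl enc -aes-256-cbc -k secret -P -md sha1` does not produce a random 256-bit key; it derives the printed key and IV from the fixed password `secret` plus a random 8-byte salt, so the key has at most 64 bits of entropy, and OpenSSL 1.1 and later warn that this EVP_BytesToKey/SHA-1 derivation is deprecated. Generate the values directly instead, e.g. `openssl rand -hex 32` for `<key>` and `openssl rand -hex 16` for `<iv>`, and note in the doc that the same `<key>`/`<iv>` pair is reused for every re-encryption of `.env`: with a fixed IV, CBC reveals when two encrypted versions of the file share a leading block, so a new IV should be generated each time the file is re-encrypted. On the closing question: known plaintext does not help recover an AES key, so the crib concern is not the weak point; the weak points are the derivation above and the lack of any integrity check on `.env.enc` (`openssl enc` produces no MAC, so a tampered ciphertext decrypts without error). The last paragraph's pointer to the AWS secrets service (Secrets Manager) is the right direction and could be stated as the recommended path rather than a "probably".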
@@ -0,0 +1,21 @@ | ||
# OpenSSL | ||
|
||
:::info | ||
**Recurring Task**: The OpenSSL certificates must be renewed every 2 years, as noted below. | ||
::: | ||
|
||
HTTPS is enabled for our API using SSL certificates obtained via the [InCommon SSL Certificate Request Form](https://is.oregonstate.edu/webform/incommon-ssl-certificate-request-preferred-ssl-option). This will need to be done periodically as our SSL certificates expire 2 years after they are issued. | ||
|
||
It is critical that these certificates (and the certificates in our certificate chain) do not expire. If one or more certificates expire, our Acquisuite Data Acquisition Servers will not be able to connect to the Energy Dashboard data upload API endpoint. They use an older version of OpenSSL that will fail if any certificate in our certificate chain expires. | ||
|
||
It is pretty easy to determine if a certificate expiry is causing data upload errors. Typical signs include: | ||
|
||
- All of the Acquisuites stop uploading on the same day, at the same time (the time of certificate expiry). | ||
- The Acquisuites continue to upload data to Leviton/Obvius BMO. | ||
- A website, such as [this one](https://www.sslshopper.com/ssl-checker.html), identifies a bad certificate in our cert chain. | ||
- All of our web applications continue to operate normally (sans the real-time energy data). This is because modern browsers will ignore situations where only one certificate in the certificate chain has expired. | ||
|
||
To resolve these issues, generate a new private key and CSR (certificate signing request). Fill our the InCommon form and request a new certificate. You will be contacted via email and will be asked to provide the CSR. Once you have received the new certificates, upload the certificate data in AWS’s Certificate Management portal. Do not delete the private key! You’ll need to include the certificate chain in the import. | ||
|
||
Command to generate CSR: | ||
`openssl req -new -newkey rsa:2048 -nodes -keyout sustainability.key -out sustainability.csr` |
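Review bot: the CSR command uses `-nodes`, so `sustainability.key` is written to disk unencrypted, and the only guidance in the resolution paragraph is "Do not delete the private key!"; it should also say where the key is kept, that it must never be committed to the repository, and that the file should be readable only by the operator (`chmod 600 sustainability.key`). The "Recurring Task" admonition would be more useful with a concrete check so the expiry is caught before the Acquisuites fail, for example `openssl x509 -in <cert.pem> -noout -enddate` run on each certificate in the chain (leaf and intermediates), or `openssl s_client -connect <api-host>:443 -showcerts </dev/null | openssl x509 -noout -dates` against the live endpoint for the leaf as actually served. The fourth bullet's claim that modern browsers "ignore" an expired certificate in the chain is imprecise: browsers do not ignore expired certificates, they typically build an alternative path to a root they already trust when a server-sent intermediate has expired, which is why the web apps keep working while the older OpenSSL on the Acquisuites, which validates only the chain it is sent, fails. Typo in the resolution paragraph: "Fill our the InCommon form" should read "Fill out".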