John Maguire edited this page Nov 24, 2015 · 4 revisions

## Magic commands for Let's Encrypt

### To generate a certificate for builds.clementine-player.org:

```sh
sudo ./letsencrypt-auto --agree-dev-preview \
    --server https://acme-v01.api.letsencrypt.org/directory \
    -d builds.clementine-player.org \
    -a webroot \
    --webroot-path /var/www/clementine-player.org/builds auth
```

This will put all the .pem files in /etc/letsencrypt/live/builds.clementine-player.org. Make sure they are symlinked in /etc/apache2/ssl/builds.clementine-player.org.

The certs are configured in the apache config with:

```apache
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/builds.clementine-player.org/cert.pem"
SSLCertificateChainFile "/etc/apache2/ssl/builds.clementine-player.org/chain.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/builds.clementine-player.org/privkey.pem"
```

This is the same for all of {builds,buildbot,spotify}.clementine-player.org.

### data.clementine-player.org

data.clementine-player.org is hosted on AppEngine, so the letsencrypt cert process won't work directly. The magic URL (/.well-known/acme-challenge/) is redirected to https://builds.clementine-player.org so that the same process as above can be used with the command:

```sh
sudo ./letsencrypt-auto --agree-dev-preview \
    --server https://acme-v01.api.letsencrypt.org/directory \
    -d data.clementine-player.org \
    -a webroot \
    --webroot-path /var/www/clementine-player.org/builds auth
```

You then need to upload the generated certs to AppEngine. AppEngine expects the private key in a slightly different format though (traditional "BEGIN RSA PRIVATE KEY" PEM rather than the PKCS#8 form letsencrypt writes), so you first need to generate that:

```sh
# Convert privkey.pem to the traditional RSA PEM format AppEngine accepts.
sudo openssl rsa -in privkey.pem -out rsa-privkey.pem
# Check the key separately: with -check, openssl writes "RSA key ok" to the
# same output as the PEM, so piping that into rsa-privkey.pem would prepend
# junk to the file.
sudo openssl rsa -in privkey.pem -check -noout
```

Then upload fullchain.pem and rsa-privkey.pem in the Developers Console (you can just cat the files and paste the contents).
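The two steps above (symlinking the live certs into the Apache directory, and converting the key for AppEngine) are where a renewal most often goes wrong: a symlink that points at a copy instead of the live directory, a chain.pem that no longer matches the renewed leaf, or a key that is not actually the cert's key. The following checks are an added example, not part of the Clementine wiki or the letsencrypt client; they assume the layout described on this page (letsencrypt's live directory symlinked into the Apache ssl directory) and only need the openssl CLI. The `-traditional` handling covers OpenSSL 3, whose `openssl rsa` can emit PKCS#8 output where older releases wrote the traditional form by default.

```sh
#!/bin/sh
# Added sanity checks for the cert deployment described above (example code,
# not from the Clementine project). Run after a renewal and before reloading
# Apache, e.g.:
#   . ./certcheck.sh
#   LIVE=/etc/letsencrypt/live/builds.clementine-player.org
#   APACHE=/etc/apache2/ssl/builds.clementine-player.org
#   symlinks_into_live "$APACHE" "$LIVE" && cert_key_match "$LIVE/cert.pem" "$LIVE/privkey.pem"
set -e

# cert.pem and privkey.pem belong together iff they carry the same public key.
# Compares the SubjectPublicKeyInfo taken from the cert with the one derived
# from the private key; works for PKCS#8 and traditional RSA keys alike.
cert_key_match() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The first certificate in chain.pem (what SSLCertificateChainFile serves) must
# be the issuer of cert.pem, otherwise clients see an incomplete chain.
# openssl x509 reads only the first cert of a multi-cert PEM file.
chain_issued_cert() {
    cert=$1; chain=$2
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$chain" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# Succeeds only if the cert is still valid in $2 days (default 14); a failure
# here means it is time to re-run letsencrypt-auto.
cert_valid_for_days() {
    cert=$1; days=${2:-14}
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Every file Apache loads must be a symlink to the same-named file in the
# letsencrypt live directory, so a renewal is picked up without touching the
# Apache config. A plain copy would silently keep serving the old cert.
symlinks_into_live() {
    apache_dir=$1; live_dir=$2
    for f in cert.pem chain.pem privkey.pem; do
        link="$apache_dir/$f"
        [ -L "$link" ] || return 1
        [ "$(readlink "$link")" = "$live_dir/$f" ] || return 1
    done
}

# Writes the key in traditional "BEGIN RSA PRIVATE KEY" form for AppEngine.
# OpenSSL 3 adds -traditional and may otherwise write PKCS#8; older releases
# lack the flag and write the traditional form by default. The final grep
# fails if the result is not in the expected form.
to_traditional_rsa() {
    in=$1; out=$2
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        openssl rsa -in "$in" -out "$out" -traditional 2>/dev/null
    else
        openssl rsa -in "$in" -out "$out" 2>/dev/null
    fi
    grep -q 'BEGIN RSA PRIVATE KEY' "$out"
}
```

Each function returns non-zero on the first problem it finds, so they chain naturally with `&&` in a pre-reload hook; the checks read only the PEM files and never touch the network, which makes them safe to run from cron.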

### SSL Configuration

The Apache SSL settings for better security (disabling RC4 & compression, etc.) are:

```apache
SSLCompression off
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
```