Ticket #475 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

Generate a new SSL certificate

Reported by: chris Owned by: chris
Priority: major Milestone:
Component: Live server Keywords:
Cc: ed Estimated Number of Hours: 1.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 1.54

Description (last modified by chris)

We need a new certificate for *.transitionnetwork.org and we need to document how to get one and how to set it up, and we might as well do this on the wiki:SecurityInfo page.

See the notes for the existing live server wiki:NewLiveServer#HTTPS

Change History

comment:1 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.2
  • Total Hours changed from 0.0 to 0.2

comment:2 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.2
  • Total Hours changed from 0.2 to 0.4

Generating a new CSR on penguin:

cd /etc/ssl/transitionnetwork.org
mkdir 2013
chmod 700 2013
cd 2013
openssl req -nodes -newkey rsa:2048 -keyout transitionnetwork.org.key -out transitionnetwork.org.csr

The only field that needs to be completed is the Common Name and we don't want a password set:

Generating a 2048 bit RSA private key
.........+++
................................+++
writing new private key to 'transitionnetwork.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.transitionnetwork.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This generates the following two files:

transitionnetwork.org.csr  
transitionnetwork.org.key

The key must be kept on the server and should only be readable by root; the CSR should be pasted into the interface at https://gandi.net/

comment:3 Changed 4 years ago by ed

Wildcard SSL certificate ordered from gandi, going through the steps.

comment:4 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.35
  • Total Hours changed from 0.4 to 0.75

Thanks Ed.

Note for future reference, when entering the CSR at gandi select "Apache/mod-ssl" for the CSR type.

For the verification option we have used the admin@ email address in the past.

Once the certificate has been generated, download it and save it in /etc/ssl/transitionnetwork.org/2013/ as transitionnetwork.org.crt and then generate a .pem file (this might not be needed if we are no longer using apache):

cat transitionnetwork.org.crt > transitionnetwork.org.pem
cat transitionnetwork.org.key >> transitionnetwork.org.pem

Generate the gandi.pem file (this only needs doing once, it's not needed every year):

wget http://crt.gandi.net/GandiStandardSSLCA.crt -O GandiStandardSSLCA.crt 
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt -O UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt -O AddTrustExternalCARoot.crt
openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem
cat GandiStandardSSLCA.pem > gandi.pem
cat AddTrustExternalCARoot.pem >> gandi.pem
cat UTNAddTrustServer_CA.pem >> gandi.pem

Generate the chained pem file for nginx (CHECK FOR WHITESPACE PROBLEMS!):

cat transitionnetwork.org.crt > transitionnetwork.org.chained.pem
cat GandiStandardSSLCA.pem >> transitionnetwork.org.chained.pem
cat UTNAddTrustServer_CA.pem >> transitionnetwork.org.chained.pem
cat AddTrustExternalCARoot.pem >> transitionnetwork.org.chained.pem
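
As an added example (not part of the ticket), the chain concatenation above with the whitespace check the note asks for: a source file with no trailing newline glues "-----END CERTIFICATE-----" onto the next "-----BEGIN" line and the resulting chained.pem fails to parse. The script uses awk to force a newline after each file and then validates the marker layout; all certificate contents are constructed dummies, not the real Gandi/AddTrust files.

```shell
#!/bin/sh
# Added example, not from the ticket: build the chained PEM for nginx in the
# order used above (leaf, Gandi intermediate, UTN, AddTrust root) while
# guarding against the "whitespace problem" flagged in the ticket.
# All certificate contents below are constructed dummies.

# Concatenate PEM files, forcing a newline after each one: awk prints every
# record followed by ORS, so a missing final newline is repaired.
build_chain() {
    out=$1; shift
    awk 1 "$@" > "$out"
}

# Validate a chained PEM: BEGIN/END markers must each sit alone on a line and
# alternate, and there must be at least one block. Returns 0 if clean, 1 if not.
check_chain() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; n++; next }
        /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0; next }
        /CERTIFICATE-----/              { bad = 1 }   # marker glued into a line
        END { if (bad || open || n == 0) exit 1; exit 0 }
    ' "$1"
}

# Write a dummy PEM block (placeholder body, not a real certificate).
mk_dummy() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$2" '-----END CERTIFICATE-----' > "$1"
}

tmp=$(mktemp -d)
mk_dummy "$tmp/transitionnetwork.org.crt"  'DUMMY-LEAF'
mk_dummy "$tmp/GandiStandardSSLCA.pem"     'DUMMY-GANDI-INTERMEDIATE'
mk_dummy "$tmp/UTNAddTrustServer_CA.pem"   'DUMMY-UTN'
mk_dummy "$tmp/AddTrustExternalCARoot.pem" 'DUMMY-ADDTRUST-ROOT'
# Simulate the failure mode: a copy of the leaf file with no trailing newline.
printf '%s' "$(cat "$tmp/transitionnetwork.org.crt")" > "$tmp/leaf_nonl.crt"

# The plain cat approach from the ticket with the newline-less leaf glues the markers.
cat "$tmp/leaf_nonl.crt" "$tmp/GandiStandardSSLCA.pem" > "$tmp/naive.pem"
# build_chain repairs it regardless of how the source files end.
build_chain "$tmp/chained.pem" "$tmp/leaf_nonl.crt" "$tmp/GandiStandardSSLCA.pem" \
            "$tmp/UTNAddTrustServer_CA.pem" "$tmp/AddTrustExternalCARoot.pem"

check_chain "$tmp/naive.pem"   && echo "naive.pem: clean"   || echo "naive.pem: BROKEN"
check_chain "$tmp/chained.pem" && echo "chained.pem: clean" || echo "chained.pem: BROKEN"
```

On a live box, follow check_chain with `openssl verify -CAfile gandi.pem transitionnetwork.org.crt` to confirm the chain actually validates, not just that it is well-formed.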

comment:5 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.75 to 1.0

Hi Ed

When you copied the "Transition Network" zone file to "Transition Network 1" and added the sub-domain for the SSL certificate verification you also, inadvertently, made it so I can't edit it.

I think that I need to perhaps raise a ticket with gandi regarding the way permissions work on the zone files.

comment:6 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 1.0 to 1.1

OK, this is simply the way gandi works: each time one of us makes an update to a zone file that the other person edited last, we have to copy it (creating a new name for it), then edit it and then set the domain names to use the new file:

To edit a zone, you need to be logged in under the zonefile's owner. Otherwise you need to first make a copy of the zone so that you own the copy, then you can make changes.

You can see directly from the domain's control panel whether or not the handle you are logged in under can edit a zone.

The solution is to proceed by creating a copy of the zone and then following the instructions here to go through with the normal zonefile edit process.

http://wiki.gandi.net/en/dns/faq#cannot-change-zone-file

That is a bit annoying as it means that the zone files names will have to keep changing...

But at least we now know how to do it, I'll update the wiki page wiki:DomainNames to reflect this.

Last edited 4 years ago by chris

comment:7 Changed 4 years ago by ed

I'm handing over to chris to keep it simple as discussed on phone.

comment:8 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.44
  • Status changed from new to closed
  • Resolution set to fixed
  • Description modified
  • Total Hours changed from 1.1 to 1.54

I have installed the new certs on puffin and penguin, hopefully I won't need to install the new cert on kiwi or quince as they will have been switched off before 16th Feb.
