Transition Technology: Ticket #475: Generate a new SSL certificate

hours, totalhours changed

chris — Tue, 22 Jan 2013 16:11:08 GMT

hours changed from 0.0 to 0.2
totalhours changed from 0.0 to 0.2

hours, totalhours changed

chris — Tue, 22 Jan 2013 16:43:39 GMT

hours changed from 0.0 to 0.2
totalhours changed from 0.2 to 0.4

Generating a new CSR on penguin:

cd /etc/ssl/transitionnetwork.org
mkdir 2013
chmod 700 2013
cd 2013
openssl req -nodes -newkey rsa:2048 -keyout transitionnetwork.org.key -out transitionnetwork.org.csr

The only field that needs to be completed is the Common Name and we don't want a password set:

Generating a 2048 bit RSA private key
.........+++
................................+++
writing new private key to 'transitionnetwork.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.transitionnetwork.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This generates the following two files:

transitionnetwork.org.csr
transitionnetwork.org.key

The key must be kept on the server and should only be readable by root, the csr should be pasted into the interface at https://gandi.net/

ed — Wed, 23 Jan 2013 09:25:13 GMT

wildcard ssl certificate ordered from gandi, going through the steps

hours, totalhours changed

chris — Wed, 23 Jan 2013 09:53:16 GMT

hours changed from 0.0 to 0.35
totalhours changed from 0.4 to 0.75

Thanks Ed.

Note for future reference, when entering the CSR at gandi select "Apache/mod-ssl" for the CSR type.

For the verification option we have use the admin@ email address in the past.

Once the certificate has geen generated download it and save it in /etc/ssl/transitionnetwork.org/2013/ as transitionnetwork.org.crt and then generate a .pem file (this might not be needed if we are no longer using apache):

cat transitionnetwork.org.crt > transitionnetwork.org.pem
cat transitionnetwork.org.key >> transitionnetwork.org.pem

Generate the gandi.pem file (this only need don't once, it's not needed every year):

wget http://crt.gandi.net/GandiStandardSSLCA.crt -O GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt -O UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt -O AddTrustExternalCARoot.crt
openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem
cat GandiStandardSSLCA.pem > gandi.pem
cat AddTrustExternalCARoot.pem >> gandi.pem
cat UTNAddTrustServer_CA.pem >> gandi.pem

Generate the chained pem file for nginx (CHECK FOR WHITESPACE PROBLEMS!):

cat transitionnetwork.org.crt > transitionnetwork.org.chained.pem
cat GandiStandardSSLCA.pem >> transitionnetwork.org.chained.pem
cat UTNAddTrustServer_CA.pem >> transitionnetwork.org.chained.pem
cat AddTrustExternalCARoot.pem >> transitionnetwork.org.chained.pem

hours, totalhours changed

chris — Wed, 23 Jan 2013 10:16:47 GMT

hours changed from 0.0 to 0.25
totalhours changed from 0.75 to 1.0

Hi Ed

When you copied the "Transition Network" zone file to "Transition Network 1" and added the sub-domain for the SSL certificate verification you also, inadvertently, made it so I can't edit it.

I think that I need to perhaps raise a ticket with gandi regarding the way permissions work on the zone files.

hours, totalhours changed

chris — Wed, 23 Jan 2013 10:23:22 GMT

hours changed from 0.0 to 0.1
totalhours changed from 1.0 to 1.1

OK, this is simply the way gandi works, each time one of us makes an update to a zone file when the other person edited it last we have to copy it (creating a new name for it) and then editi it and then set the domain names to use the new file:

To edit a zone, you need to be logged in under the zonefile' owner. Otherwise you need to first make a copy of the zone so that you own the copy, then you can make changes.

You can see directly from the domain's control panel whether or not the handle you are logged in under can edit a zone.

The solution is to proceed by creating a copy of the zone and then following the instructions here to go through with the normal zonefile edit process.

http://wiki.gandi.net/en/dns/faq#cannot-change-zone-file

That is a bit annoying as it means that the zone files names will have to keep changing...

But at least we now know how to do it, I'll update the wiki page wiki:DomainNames to reflect this

ed — Wed, 23 Jan 2013 10:54:59 GMT

i'm handing over to chris to keep it simple as discussed on phone

hours, status, description, totalhours changed; resolution set

chris — Fri, 25 Jan 2013 15:17:56 GMT

hours changed from 0.0 to 0.44
status changed from new to closed
resolution set to fixed
description modified (diff)
totalhours changed from 1.1 to 1.54

I have installed the new certs on puffin and penguin, hopefully I won't need to install the new cert on kiwi or quince as they will have been switched off before 16th Feb.