Transition Technology: Ticket #685: SSL certificate about to expire?

hours, totalhours changed

chris — Fri, 24 Jan 2014 10:05:26 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.0 to 0.1

So sorry I missed this yesterday, yes we need to renew it / get a a new one, I'm on the case now.

The quickest way to do it is probably for Webarchitects to buy it and then invoice the Transition Network for it, is that OK? Or do you want to buy it directly?

hours, status, owner, totalhours changed; cc set

chris — Fri, 24 Jan 2014 10:18:36 GMT

cc sam added
hours changed from 0.0 to 0.25
status changed from new to accepted
owner changed from Chris to chris
totalhours changed from 0.1 to 0.35

Following ticket:475, generating a new CSR on penguin:

sudo -i
cd /etc/ssl/transitionnetwork.org
mkdir 2014
chmod 700 2014
cd 2014
openssl req -nodes -newkey rsa:2048 -keyout transitionnetwork.org.key -out transitionnetwork.org.csr
Generating a 2048 bit RSA private key
...........+++
.............................+++
writing new private key to 'transitionnetwork.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.transitionnetwork.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Due to the time constraints I have placed the order for the new cert, once again so sorry to have missed this yesterday.

hours, totalhours changed

chris — Fri, 24 Jan 2014 10:22:55 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.35 to 0.45

Sam, the reason I didn't get a email about this ticket yesterday is because it was assigned to Chris not chris -- the trac usernames are case sensitive, note the change above, ticket:685#comment:2

Owner changed from Chris to chris

hours, totalhours changed

chris — Fri, 24 Jan 2014 11:08:14 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.45 to 0.55

Sam is your email account working OK or is your email address in Trac incorrect? I got a bounce back from the last comment on this ticket:

<sam.rossiter@transitionnetwork.org>:
host mx1.spamfiltering.com[212.113.130.124] said:
550 no mailbox by that name is currently available (in reply to RCPT TO command)

Still waiting the the cert from gandi / Comodo, it should be through in an hour or two, hopefully sooner.

sam — Fri, 24 Jan 2014 12:01:10 GMT

Hi Chris. Thanks for getting on the case with this.

I don't seem to get any email from trac at all.. The email is correct though.

Thanks

Sam

hours, totalhours changed

chris — Fri, 24 Jan 2014 14:24:58 GMT

hours changed from 0.0 to 0.6
totalhours changed from 0.55 to 1.15

It's finally come through! Saved as transitionnetwork.org.crt

Following ticket:475, generate a chained .pem file:

cd /etc/ssl/transitionnetwork.org/2014
cat transitionnetwork.org.crt > transitionnetwork.org.pem
cat transitionnetwork.org.key >> transitionnetwork.org.pem

Generate the gandi.pem file:

wget http://crt.gandi.net/GandiStandardSSLCA.crt -O GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt -O UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt -O AddTrustExternalCARoot.crt
openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem
cat GandiStandardSSLCA.pem > gandi.pem
cat AddTrustExternalCARoot.pem >> gandi.pem
cat UTNAddTrustServer_CA.pem >> gandi.pem

Generate the chained pem file for nginx (CHECK FOR WHITESPACE PROBLEMS!):

cat transitionnetwork.org.crt > transitionnetwork.org.chained.pem
cat GandiStandardSSLCA.pem >> transitionnetwork.org.chained.pem
cat UTNAddTrustServer_CA.pem >> transitionnetwork.org.chained.pem
cat AddTrustExternalCARoot.pem >> transitionnetwork.org.chained.pem

Move into place on wiki:PenguinServer:

cd /etc/ssl/transitionnetwork.org
mv transitionnetwork.org* 2013/
mv 2014/* .

Test and restart Nginx:

/etc/init.d/nginx configtest
 [ ok ] Testing nginx configuration:.
/etc/init.d/nginx restart
 [ ok ] Restarting nginx: nginx.

Enable root ssh on wiki:PuffinServer, edit /etc/ssh/sshd_config and change:

PermitRootLogin yes
# PermitRootLogin no

Restart:

/etc/init.d/ssh restart

On wiki:PuffinServer:

sudo -i
cd /etc/ssl/transitionnetwork.org
mkdir 2014

On wiki:PenguinServer:

rsync -av transitionnetwork.org.* puffin:/etc/ssl/transitionnetwork.org/2014/

On wiki:PuffinServer:

cd /etc/ssl/transitionnetwork.org
mkdir 2013
mv transitionnetwork.org* 2013/
mv 2014/* .
chmod 600 transitionnetwork.org.*
/etc/init.d/nginx configtest
  nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
  nginx: configuration file /etc/nginx/nginx.conf test is successful
/etc/init.d/nginx restart

Switch off root ssh access on wiki:PuffinServer, edit /etc/init.d/sshd_config:

PermitRootLogin no
#PermitRootLogin yes

And restart:

/etc/init.d/ssh restart

Restart postfix on wiki:PuffinServer:

/etc/init.d/postfix restart
[....] Stopping Postfix Mail Transport Agent: postfix/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
. ok
[....] Starting Postfix Mail Transport Agent: postfixpostconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_cipherlist=EDH:!EXP:!LOW
. ok

Some config needs fixing there...

on wiki:ParrotServer:

sudo -i
cd /etc/ssl/transitionnetwork.org/
mkdir 2013 ; chmod 700 2013
mkdir 2014 ; chmod 700 2014

Edit /etc/ssh/sshd_config and change:

#PermitRootLogin no
PermitRootLogin yes

Restart:

/etc/init.d/ssh restart
 [ ok ] Restarting OpenBSD Secure Shell server: sshd.

On wiki:PenguinServer:

rsync -av transitionnetwork.org.* parrot:/etc/ssl/transitionnetwork.org/2014/
  sending incremental file list
  transitionnetwork.org.chained.pem
  transitionnetwork.org.crt
  transitionnetwork.org.csr
  transitionnetwork.org.key
  transitionnetwork.org.pem
  sent 14848 bytes  received 107 bytes  29910.00 bytes/sec
  total size is 14521  speedup is 0.97

On wiki:ParrotServer:

cd /etc/ssl/transitionnetwork.org
mv transitionnetwork.org.* 2013/
mv 2014/* .
chmod 600 transitionnetwork.org.*
apache2ctl configtest
  Syntax OK
/etc/init.d/apache2 restart
  [ ok ] Restarting web server: apache2 ... waiting .

attachment set

chris — Fri, 24 Jan 2014 14:37:12 GMT

attachment set to Qualys SSL Labs - Projects - SSL Server Test - transitionnetwork.org.png

attachment set

chris — Fri, 24 Jan 2014 14:41:27 GMT

attachment set to Qualys SSL Labs - Projects - SSL Server Test - penguin.transitionnetwork.org.png

attachment set

chris — Fri, 24 Jan 2014 14:45:00 GMT

attachment set to Qualys SSL Labs - Projects - SSL Server Test - parrot.transitionnetwork.org.png

hours, totalhours changed

chris — Fri, 24 Jan 2014 14:51:04 GMT

hours changed from 0.0 to 0.45
totalhours changed from 1.15 to 1.6

Disallow root ssh on wiki:ParrotServer again, edit /etc/ssh/sshd_config and change:

PermitRootLogin no
#PermitRootLogin yes

Restart:

/etc/init.d/ssh restart
  [ ok ] Restarting OpenBSD Secure Shell server: sshd.

Test site and document the new cert, updating wiki:SecurityInfo and http://wiki.transitionnetwork.org/Security

Test results for https://transitionnetwork.org/ via https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org

Test results for https://penguin.transitionnetwork.org/ via https://www.ssllabs.com/ssltest/analyze.html?d=penguin.transitionnetwork.org&s=81.95.52.111

Test results for https://parrot.transitionnetwork.org/ via https://www.ssllabs.com/ssltest/analyze.html?d=parrot.transitionnetwork.org

The Transition Network Zone file has been updated to remove the comodo subdomain, this is the latest version:

* 3600 IN A 81.95.52.103
*.newdev 3600 IN A 81.95.52.103
*.parrot 3600 IN A 81.95.52.43
2010.archive 3600 IN A 81.95.52.111
2011.archive 3600 IN A 81.95.52.111
@ 3600 IN A 81.95.52.103
lists 3600 IN A 212.113.133.235
mail 3600 IN A 212.113.133.235
newdev 3600 IN A 81.95.52.103
parrot 3600 IN A 81.95.52.43
penguin 3600 IN A 81.95.52.111
power 3600 IN A 81.95.52.111
puffin 3600 IN A 81.95.52.103
redirects 3600 IN A 81.95.52.111
static 3600 IN A 81.95.52.111
stats 3600 IN A 81.95.52.111
tech 3600 IN A 81.95.52.111
totnes 3600 IN A 81.95.52.111
trac 3600 IN A 81.95.52.111
wagn 3600 IN A 81.95.52.111
wiki 3600 IN A 81.95.52.111
www 3600 IN A 81.95.52.103
www.penguin 3600 IN A 81.95.52.111
www.totnes 3600 IN A 81.95.52.111
www.wiki 3600 IN A 81.95.52.111
@ 3600 IN MX 0 mx1.spamfiltering.com.
@ 3600 IN MX 5 mx2.spamfiltering.com.
tech 10800 IN MX 10 mx.webarch.net.

TODO:

Enable Forward Secrecy on wiki:ParrotServer
Update wiki:SecurityInfo
Update http://wiki.transitionnetwork.org/Security
Update wiki:DomainNames
Fix Sam's Trac email address

hours, totalhours changed

chris — Sat, 25 Jan 2014 17:42:35 GMT

hours changed from 0.0 to 1.6
totalhours changed from 1.6 to 3.2

Replying to chris:

TODO:

Enable Forward Secrecy on wiki:ParrotServer

Following the suggestions at https://github.com/t2d/wasuptls edited /etc/apache2/mods-available/ssl.conf

#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL
SSLHonorCipherOrder on
SSLCompression off

Edited the apache templates in /root/webarch/conf/ and /usr/local/webarch/conf/apache* as above, then rebuild the apache config files:

buildapache earthin
buildapache movie
buildapache movie_ssl
buildapache moviedev
buildapache recon
buildapache recondev
buildapache tc
buildapache ts
buildapache ttt

And we still have A- "The server does not support Forward Secrecy with the reference browsers." at https://www.ssllabs.com/ssltest/analyze.html?d=parrot.transitionnetwork.org

So edit /etc/apache2/mods-available/ssl.conf:

#SSLProtocol all -SSLv2
SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

And restart apache and it's still A-.

Perhaps it's because of old openssl libs on the server?

aptitude install deborphan
 deborphan
 libssl0.9.8
 lynx
 libdb4.8
 libboost-iostreams1.42.0
aptitude remove libssl0.9.8

That didn't help, tried copying the ciphers from wiki:PenguinServer Nginx config:

SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:+RC4:RC4

But it's still a A- and there is this, which is worse:

IE 11 / Win 8.1 R Protocol or cipher suite mismatch

So reverting to the config from https://github.com/t2d/wasuptls/blob/master/apache-vhost.conf

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL

This is in any case not a big deal as ticket:540 is outstanding.

Update wiki:SecurityInfo

All the steps on this page have been reproduced and fingerprints etc updated.

Update http://wiki.transitionnetwork.org/Security

Done.

Update wiki:DomainNames

Have updated the wiki:DomainNames#transitionnetwork.org section but nothing else on that page.

Fix Sam's Trac email address

Sam, the address in Trac is this (note the extra dot):

sam.rossiter@…

You need to change this via the preferences page.

hours, totalhours changed

chris — Sat, 25 Jan 2014 18:02:36 GMT

hours changed from 0.0 to 0.25
totalhours changed from 3.2 to 3.45

So, we don't want to have half a day next year with an expired certificate, there is a package for this, http://packages.debian.org/wheezy/ssl-cert-check so on wiki:PenguinServer:

aptitude install ssl-cert-check

Find the config files by listing the files that have just been installed:

dpkg -L ssl-cert-check
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/ssl-cert-check
/usr/share/doc/ssl-cert-check/copyright
/usr/share/doc/ssl-cert-check/changelog.Debian.gz
/usr/bin
/usr/bin/ssl-cert-check

So, following the suggestion here http://howto.biapy.com/en/debian-gnu-linux/servers/http/setup-an-email-alert-on-ssl-tls-certificate-expiration the following cron job was set up to to check the cert every day:

30 09 * * * ssl-cert-check -qac "/etc/ssl/transitionnetwork.org/transitionnetwork.org.crt" -e "chris@webarchitects.co.uk"

hours, totalhours changed

chris — Sat, 25 Jan 2014 18:09:22 GMT

hours changed from 0.0 to 0.2
totalhours changed from 3.45 to 3.65

The cronjob was tested on the old cert:

ssl-cert-check -qac "/etc/ssl/transitionnetwork.org/2013/transitionnetwork.org.crt" -e "chris@webarchitects.co.uk"

And the follwing email was sent:

From: root@penguin.webarch.net (root)
Date: Sat, 25 Jan 2014 18:06:46 +0000
To: chris@webarchitects.co.uk
Subject: Certificate for FILE "(CN: *.transitionnetwork.org)" has expired!
The SSL certificate for FILE "(CN: *.transitionnetwork.org)" has expired!

So it works and we should get advanced warning next year.

status changed; resolution set

chris — Fri, 31 Jan 2014 14:04:58 GMT

status changed from accepted to closed
resolution set to fixed

Closing as this is resolved.