Ticket #895 (closed defect: fixed)

Opened 11 months ago

Last modified 10 months ago

HTTPS wildcard *.transitionnetwork.org expires on 22nd January 2016

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: Live server Keywords:
Cc: sam, ade, paul Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 1.25

Description

Unless I hear otherwise I'll renew the *.transitionnetwork.org cert, which is used by PuffinServer, PenguinServer and ParrotServer, at a cost of £130.50 on or before the 22nd January 2016 when the current one expires.

An alternative would be to use free HTTPS certificates from Let's Encrypt, but this would take some time to set up as Let's Encrypt don't provide wildcard certs.

Change History

comment:1 Changed 10 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 1.25
  • Status changed from new to closed
  • Resolution set to fixed
  • Total Hours changed from 0.0 to 1.25

Switching to using a SHA2 Intermediate Certificate, on PenguinServer, generating a CSR:

cd /etc/ssl/transitionnetwork.org
mkdir 2016
cd 2016
openssl req -nodes -newkey rsa:2048 -sha256 -keyout transitionnetwork.org.key -out transitionnetwork.org.csr

Getting the intermediate certs and setting up the .pem files:

wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem -O GandiStandardSSLCA2.pem
wget http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt -O USERTrustRSAAddTrustCA.crt
# the USERTrust download is DER; convert it to PEM so it can be concatenated
openssl x509 -inform DER -in USERTrustRSAAddTrustCA.crt -out USERTrustRSAAddTrustCA.pem
# create gandi.pem with '>' first, then append with '>>' (the other way round
# overwrites the Gandi intermediate)
cat GandiStandardSSLCA2.pem > gandi.pem
cat USERTrustRSAAddTrustCA.pem >> gandi.pem

# cert followed by private key, for servers that want both in one file
cat transitionnetwork.org.crt > transitionnetwork.org.pem
cat transitionnetwork.org.key >> transitionnetwork.org.pem

# leaf cert first, then the intermediates (see the note below about the last line)
cat transitionnetwork.org.crt > transitionnetwork.org.chained.pem
cat GandiStandardSSLCA2.pem >> transitionnetwork.org.chained.pem
cat USERTrustRSAAddTrustCA.pem >> transitionnetwork.org.chained.pem

The above, however, is causing chain errors at both https://www.ssllabs.com/ssltest/index.html and https://www.digicert.com/help/ and it took a while to work out why: the Gandi wiki https://wiki.gandi.net/en/ssl/intermediate#sha2_intermediate_certificates hasn't been updated to say that the https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem file already contains a PEM version of http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt, so the chained file ends up with that certificate twice.

Test results:

Syncing the files to the other servers, after changing PermitRootLogin no to yes for sshd and then switching it back afterwards:

rsync -av /etc/ssl/transitionnetwork.org/ parrot:/etc/ssl/transitionnetwork.org/
rsync -av /etc/ssl/transitionnetwork.org/ puffin:/etc/ssl/transitionnetwork.org/

Restart the web servers and test:

Testing:


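The chain error above comes from concatenating a vendor bundle that already contains the USERTrust certificate and then appending that certificate again. The script below is an added example, not part of the ticket or of chris's commands: it splits a PEM bundle into its certificates, fingerprints each one by the SHA-256 of its DER bytes, reports any repeated certificate with its positions, and rebuilds the bundle keeping only the first occurrence so the order (leaf first, then intermediates) is preserved. The sample "certificates" are constructed byte strings wrapped in PEM armour, not real X.509 data, so it runs offline with only the standard library; on a real chain the dedupe step should be followed by an openssl verify against the rebuilt file, which this script does not replace.

```python
import base64
import hashlib
import re
import ssl


def _fake_pem(label: str) -> str:
    """Constructed stand-in for a certificate: a distinct byte string in PEM armour.
    Not real DER, only enough for the bundle handling to be demonstrated offline."""
    body = base64.encodebytes(f"constructed-{label}".encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample inputs mirroring the ticket: the vendor bundle already
# carries the USERTrust cert, and the chain was built by appending it again.
LEAF = _fake_pem("leaf transitionnetwork.org")
GANDI_INTERMEDIATE = _fake_pem("GandiStandardSSLCA2")
USERTRUST_ROOT = _fake_pem("USERTrustRSAAddTrustCA")
GANDI_BUNDLE = GANDI_INTERMEDIATE + USERTRUST_ROOT
CHAINED_PEM = LEAF + GANDI_BUNDLE + USERTRUST_ROOT

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem(bundle: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in the bundle, in file order."""
    return [base64.b64decode(m.group(1)) for m in PEM_BLOCK.finditer(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the same value openssl reports as the SHA256 fingerprint."""
    return hashlib.sha256(der).hexdigest()


def find_duplicates(bundle: str) -> list[tuple[int, int]]:
    """(first_index, repeated_index) for every certificate that appears more than once."""
    first_seen: dict[str, int] = {}
    duplicates = []
    for index, der in enumerate(split_pem(bundle)):
        fp = fingerprint(der)
        if fp in first_seen:
            duplicates.append((first_seen[fp], index))
        else:
            first_seen[fp] = index
    return duplicates


def dedupe_chain(bundle: str) -> str:
    """Rebuild the bundle keeping the first copy of each certificate, order preserved."""
    seen: set[str] = set()
    kept = []
    for der in split_pem(bundle):
        fp = fingerprint(der)
        if fp in seen:
            continue
        seen.add(fp)
        kept.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(kept)


if __name__ == "__main__":
    for first, again in find_duplicates(CHAINED_PEM):
        print(f"certificate #{first} appears again at position #{again}")
    cleaned = dedupe_chain(CHAINED_PEM)
    print(f"{len(split_pem(CHAINED_PEM))} certs in, {len(split_pem(cleaned))} certs out")
```

Run against a real chained.pem by reading the file into a string and passing it to find_duplicates; a non-empty result is the signal that a vendor bundle already included one of the files you appended. Deduplicating by fingerprint rather than by file name is what catches the case in this ticket, where the repeated certificate arrived under two different file names.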