Transition Technology: Ticket #895: HTTPS wildcard *.transitionnnetwork.org expires on 22nd January 2016 http://localhost:8080/trac/ticket/895 <p> Unless I hear otherwise I'll renew the <tt>*.transitionnnetwork.org</tt> cert which is used by <a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer">PuffinServer</a>, <a class="wiki" href="http://localhost:8080/trac/wiki/PenguinServer">PenguinServer</a> and <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">ParrotServer</a> at a cost of <a class="ext-link" href="https://www.webarch.net/certs"><span class="icon">​</span>£130.50</a> on or before the 22nd January 2016 when the <a class="ext-link" href="https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org&amp;latest"><span class="icon">​</span>current one expires</a>. </p> <p> An alternative would be to use <a class="new ticket" href="http://localhost:8080/trac/ticket/875" title="maintenance: Free HTTPS certificates from Let's Encrypt (new)">Free HTTPS certificates from Let's Encrypt</a> but this would take some time to set up as <a class="ext-link" href="https://www.letsencrypt.org/"><span class="icon">​</span>Let's Encrypt</a> don't provide wild card certs. </p> en-us Transition Technology /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/ticket/895 Trac 0.12.5 chris Fri, 22 Jan 2016 13:43:08 GMT hours, status, totalhours changed; resolution set http://localhost:8080/trac/ticket/895#comment:1 http://localhost:8080/trac/ticket/895#comment:1 <ul> <li><strong>hours</strong> changed from <em>0.0</em> to <em>1.25</em> </li> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> <li><strong>totalhours</strong> changed from <em>0.0</em> to <em>1.25</em> </li> </ul> <p> Switching to using a SHA2 Intermediate Certificate, on <a class="wiki" href="http://localhost:8080/trac/wiki/PenguinServer">PenguinServer</a>, generating a CSR: </p> <pre class="wiki">cd /etc/ssl/transitionnetwork.org mkdir 2016 cd 2016 openssl req -nodes -newkey rsa:2048 -sha256 -keyout transitionnetwork.org.key -out transitionnetwork.org.csr </pre><p> Getting the intermediate certs and setting up the .pem files: </p> <pre class="wiki">wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem -O GandiStandardSSLCA2.pem wget http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt -O USERTrustRSAAddTrustCA.crt openssl x509 -inform DER -in USERTrustRSAAddTrustCA.crt -out USERTrustRSAAddTrustCA.pem cat GandiStandardSSLCA2.pem &gt;&gt; gandi.pem cat USERTrustRSAAddTrustCA.pem &gt; gandi.pem cat transitionnetwork.org.crt &gt; transitionnetwork.org.pem cat transitionnetwork.org.key &gt;&gt; transitionnetwork.org.pem cat transitionnetwork.org.crt &gt; transitionnetwork.org.chained.pem cat GandiStandardSSLCA2.pem &gt;&gt; transitionnetwork.org.chained.pem cat USERTrustRSAAddTrustCA.pem &gt;&gt; transitionnetwork.org.chained.pem </pre><p> The above however is causing chain errors at both <a class="ext-link" href="https://www.ssllabs.com/ssltest/index.html"><span class="icon">​</span>https://www.ssllabs.com/ssltest/index.html</a> and <a class="ext-link" href="https://www.digicert.com/help/"><span class="icon">​</span>https://www.digicert.com/help/</a> and it took a while to work out why, but the Gandi wiki <a class="ext-link" href="https://wiki.gandi.net/en/ssl/intermediate#sha2_intermediate_certificates"><span class="icon">​</span>https://wiki.gandi.net/en/ssl/intermediate#sha2_intermediate_certificates</a> hasn't been updated to say that the <a class="ext-link" href="https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem"><span class="icon">​</span>https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem</a> file already contains a pem version of <a class="ext-link" href="http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt"><span class="icon">​</span>http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt</a> </p> <p> Test results: </p> <ul><li><a class="ext-link" href="https://www.ssllabs.com/ssltest/analyze.html?d=trac.transitionnetwork.org&amp;s=81.95.52.111"><span class="icon">​</span>https://www.ssllabs.com/ssltest/analyze.html?d=trac.transitionnetwork.org&amp;s=81.95.52.111</a> </li></ul><p> Syncing the files to the other servers, after changing <tt>PermitRootLogin no</tt> to <tt>yes</tt> for sshd and then switching it back afterwards: </p> <pre class="wiki">rsync -av /etc/ssl/transitionnetwork.org/ parrot:/etc/ssl/transitionnetwork.org/ rsync -av /etc/ssl/transitionnetwork.org/ puffin:/etc/ssl/transitionnetwork.org/ </pre><p> Restart the web servers and test: </p> <p> Testing: </p> <ul><li><a class="ext-link" href="https://cop21.transitionnetwork.org/"><span class="icon">​</span>https://cop21.transitionnetwork.org/</a> </li><li><a class="ext-link" href="https://www.ssllabs.com/ssltest/analyze.html?d=cop21.transitionnetwork.org&amp;s=81.95.52.43&amp;latest"><span class="icon">​</span>https://www.ssllabs.com/ssltest/analyze.html?d=cop21.transitionnetwork.org&amp;s=81.95.52.43&amp;latest</a> </li></ul><ul><li><a class="ext-link" href="https://www.transitionnetwork.org/"><span class="icon">​</span>https://www.transitionnetwork.org/</a> </li><li><a class="ext-link" href="https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org"><span class="icon">​</span>https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org</a> </li></ul><p> </p> Ticket