Last modified 19 months ago Last modified on 05/05/15 10:41:44

Transition Network Security Information

The three Transition Network servers, wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer, all have a wildcard (*) SSL certificate from Gandi which is used by the web servers and mail servers.

Note there is an issue regarding enabling HTTPS for the WordPress sites on ParrotServer, see ticket:540.


Getting a new certificate

There is a cronjob on wiki:PenguinServer to check the expiry date of the cert, see ticket:685#comment:9.

Checking the HTTPS certificates

There is a page for users on the main wiki; the following is some more technical info.

You can check the servers using the test here:

See also (newest items at the end):

Check the SSL cert on the command line

Following the suggestion here you can get the fingerprints on the command line remotely:

openssl s_client -connect < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=67:E3:06:44:B5:95:67:74:1A:7A:EC:E2:82:C5:FC:27:A7:01:9C:F7

And on the server:

cd /etc/ssl/
openssl x509 -noout -in -fingerprint
SHA1 Fingerprint=67:E3:06:44:B5:95:67:74:1A:7A:EC:E2:82:C5:FC:27:A7:01:9C:F7
openssl x509 -noout -in -fingerprint -sha256
SHA256 Fingerprint=19:BF:1D:C7:34:FB:12:D1:AB:69:6E:96:1A:E3:94:C0:B8:C0:F6:85:03:D2:8A:E9:57:42:61:B3:F2:95:39:28

The following is based on instructions from nixCraft, see also ticket:165.

Create directory to store certificate:

mkdir -p ~/.cert/
cd ~/.cert/

Retrieve the certificate provided by the Transition Network web server:

openssl s_client -showcerts -connect

Look at the end of the output; you will see one of these:

    Verify return code: 21 (unable to verify the first certificate)
    Verify return code: 19 (self signed certificate in certificate chain)

Note the error at the end, "Verify return code: 21 (unable to verify the first certificate)".

Copy from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE----- which starts with 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*, and save it in your ~/.cert/ directory as

This certificate was issued by Gandi, so you need to get the various intermediate and root certificates from and convert them to PEM format (note this needs updating for SHA256 certs):

openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem

Create symbolic links to files named by the hash values using c_rehash, enter:

c_rehash ~/.cert/

To confirm you have the correct and working certificates, enter:

openssl s_client -CApath ~/.cert/ -connect

And you should now see output like above, but with this at the end:

    Verify return code: 0 (ok)
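The fingerprint comparison (remote vs. on-server) and the chain check against the ~/.cert/ directory above can be scripted so that case and colon differences in openssl's output do not cause false mismatches. This is an added example, not part of the original wiki page; it uses the SHA-256 fingerprint rather than the SHA-1 shown above, and the host, port and file names are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the Transition Network wiki): normalise openssl
# fingerprint output so a remote and a local fingerprint compare exactly,
# and verify a certificate against a c_rehash'd CA directory.

# Strip the "SHA256 Fingerprint=" prefix and colons, and lowercase the hex,
# so fingerprints from different sources can be compared as plain strings.
normalise_fingerprint() {
    printf '%s' "$1" | sed -e 's/^.*Fingerprint=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of a PEM certificate file, normalised as above.
cert_fingerprint() {
    # $1 = path to a PEM certificate (e.g. the file under /etc/ssl/ on the server)
    normalise_fingerprint "$(openssl x509 -noout -fingerprint -sha256 -in "$1")"
}

# SHA-256 fingerprint of the leaf certificate a server presents over TLS.
remote_fingerprint() {
    # $1 = host, $2 = port (443 for HTTPS; use the mail ports for the mail servers)
    normalise_fingerprint "$(openssl s_client -connect "$1:$2" -servername "$1" \
        < /dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)"
}

# Returns 0 when the expected fingerprint (any case, with or without colons,
# with or without the "Fingerprint=" prefix) matches the PEM file, 1 otherwise.
fingerprint_matches() {
    # $1 = expected fingerprint, $2 = PEM file
    expected=$(normalise_fingerprint "$1")
    actual=$(cert_fingerprint "$2")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify a certificate against a CA directory prepared with c_rehash
# (the ~/.cert/ setup above). Returns openssl's exit status: 0 only for "ok".
verify_chain() {
    # $1 = CA directory, $2 = PEM certificate to verify
    openssl verify -CApath "$1" "$2"
}
```

Typical use on a workstation is `fingerprint_matches "$(remote_fingerprint puffin.example 443)" ./copy-of-server-cert.pem` to confirm the certificate seen over the network is the one installed on the server.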