= Transition Network Security Information =

The Transition Network has a {{{*.transitionnetwork.org}}} SSL certificate from [https://gandi.net/ Gandi] which is used by the web servers and mail servers.

== Getting a new certificate ==

See the steps followed in 2013 on ticket:475#comment:2.

== Checking the HTTPS certificates ==

There is [https://wiki.transitionnetwork.org/Security a page for users on the main wiki]; the following is some more technical info.

You can check the servers here:

 * [https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org quince]
 * [https://www.ssllabs.com/ssltest/analyze.html?d=kiwi%2etransitionnetwork%2eorg&s=81%2e95%2e52%2e78 kiwi]

See also ticket:409, on which some issues were resolved.

=== Check the SSL cert on the command line ===

The following is based on [http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/ instructions from nixCraft]; see also ticket:165.

Create a directory to store the certificate:

{{{
$ mkdir -p ~/.cert/www.transitionnetwork.org/
$ cd ~/.cert/www.transitionnetwork.org/
}}}

Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server:

{{{
$ openssl s_client -showcerts -connect www.transitionnetwork.org:443
}}}

Sample output:

{{{
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
-----BEGIN CERTIFICATE-----
MIIE9zCCA9+gAwIBAgIRALwjak7zR7NnERA/olIDh34wDQYJKoZIhvcNAQEFBQAw
QTELMAkGA1UEBhMCRlIxEjAQBgNVBAoTCUdBTkRJIFNBUzEeMBwGA1UEAxMVR2Fu
ZGkgU3RhbmRhcmQgU1NMIENBMB4XDTEwMDIxMDAwMDAwMFoXDTExMDIxMDIzNTk1
OVowazEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMSQwIgYDVQQL
ExtHYW5kaSBTdGFuZGFyZCBXaWxkY2FyZCBTU0wxIDAeBgNVBAMUFyoudHJhbnNp
dGlvbm5ldHdvcmsub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
s2ncTx3xMZdby9RhGMrGC3KN9Yr4NiyWYumj/9OROyaTpbsTRGy0N46cis1uY03p
84aWNns6o0TYIqn4XOXco+DWeGjMzMHQ19YKQ2cZ0k+YtjRPT9ss8lXjTJaLK1np
mbp5LaWgZLB+pUFzK9JZJOMCx6B6hJKUDOb3Fgakqujm74aT+bc3iAK7EKvZwUbq
E22Q1Yiae6g3Zd9gQ+yBI7MNg5Kygm8SE3LZ9dntnC+CzgO7t5GvAhnJdfVoHLuC
6IDtUlCx1Z7wmDl4tm7qcSaUdd4DGFocIqSpSRayqtAFNH9WnpwMxBROwyChsmFj
FRdHg7D6OYdS9NnpTx/LfwIDAQABo4IBvjCCAbowHwYDVR0jBBgwFoAUtqj/oqgv
0KbNS7Fo8+dQEDGneSEwHQYDVR0OBBYEFJM3Cz6AmNOWJySAjBgOd9a4nF36MA4G
A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjBWBgNVHSAETzBNMEsGCysGAQQBsjEBAgIaMDwwOgYIKwYBBQUH
AgEWLmh0dHA6Ly93d3cuZ2FuZGkubmV0L2NvbnRyYWN0cy9mci9zc2wvY3BzL3Bk
Zi8wPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5nYW5kaS5uZXQvR2FuZGlT
dGFuZGFyZFNTTENBLmNybDBqBggrBgEFBQcBAQReMFwwNwYIKwYBBQUHMAKGK2h0
dHA6Ly9jcnQuZ2FuZGkubmV0L0dhbmRpU3RhbmRhcmRTU0xDQS5jcnQwIQYIKwYB
BQUHMAGGFWh0dHA6Ly9vY3NwLmdhbmRpLm5ldDA5BgNVHREEMjAwghcqLnRyYW5z
aXRpb25uZXR3b3JrLm9yZ4IVdHJhbnNpdGlvbm5ldHdvcmsub3JnMA0GCSqGSIb3
DQEBBQUAA4IBAQCtxu5tBJAnP7xOL5QkUAFyKoSkbHV1i7kc3MqH5h/gbW16lJQa
ke+Ac5M6/AHGc2vK+lKJWvQlVUqynECFjlvfTdD/WQFDcZYEkXrs85aB0ilSHHpr
GCAO8182Y6p2jQSVtkP+cPUH0oOKW1KHBlDkWhU0iy+ooInJu7zy7yvPNxPC3mC+
TxWmcshBcPLkW1E6NPXrVx1WK9NdYvAn78/kWg2oZxBg/BuDO2UdNhBU824rYvAp
P/Jd/eOoGzT7/JRtbF/xiO5Y10TPT2sjrFLpQodULgnN5TxsE1NcaOqzdDRxaUjb
kUoWZpr6aCIzXPYmtlvmwXVWy+UH8b5A+ZRj
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1967 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D4C55538C4247FF187A1A8C130EA58195580A2996BF8F5343A5512CD8BF38719
    Session-ID-ctx:
    Master-Key: 4C739F03DE2A480D751D7B18A0E7A397B2FD9E8C7763153A91EF6356797BA7653D50D210D22CDB6BC49F787C8399DCBD
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1289253341
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
}}}

Note the error at the end, '''"Verify return code: 21 (unable to verify the first certificate)"'''.

Copy from the "-----BEGIN CERTIFICATE-----" line to the "-----END CERTIFICATE-----" line and save it in your ~/.cert/www.transitionnetwork.org/ directory as www.transitionnetwork.org.pem.

This certificate was issued by Gandi, so you need to get the CA certificates in its chain [http://wiki.gandi.net/en/ssl/intermediate?rev=1236084787 from gandi.net] and convert them to PEM format:

{{{
wget http://crt.gandi.net/GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt
openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem
}}}

Create symbolic links named by the certificates' subject hash values using c_rehash:

{{{
$ c_rehash ~/.cert/www.transitionnetwork.org/
}}}

To confirm you have the correct and working certificates, enter:

{{{
$ openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443
}}}

You should now see output like the above, but ending with:

{{{
Verify return code: 0 (ok)
}}}
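The whole procedure above (obtaining the CA certificates, hashing the directory, verifying with -CApath) as an offline, repeatable check; this is an added example, not from the wiki page or the Transition Network servers. It assumes OpenSSL 1.1.0 or later and uses a constructed root/intermediate/leaf chain with made-up names in place of the Gandi chain, so both the "unable to get local issuer certificate" failure and the OK result after adding the intermediate can be reproduced without network access.

```shell
#!/bin/sh
# Added example, not from the wiki page: reproduce the missing-intermediate
# failure and the c_rehash/-CApath fix offline, with a constructed
# root -> intermediate -> leaf chain standing in for the live Gandi chain.
# Assumes OpenSSL >= 1.1.0 ("openssl rehash" is the built-in equivalent of
# c_rehash). All names below are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for the CA certs and the end-entity (server) cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > leaf.ext
# Constructed root CA (self-signed).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Constructed Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem 2>/dev/null
# Constructed intermediate, signed by the root (the "Gandi Standard SSL CA" role).
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Constructed Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
# Constructed wildcard leaf, signed by the intermediate (the server cert role).
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=*.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_with DIR: hash-link the PEM files in DIR (what c_rehash does), then
# verify the leaf against that CApath only. "openssl verify" stands in for the
# s_client connection so no network is needed; prints the verify result line(s).
verify_with() {
  openssl rehash "$1" >/dev/null 2>&1
  openssl verify -no-CAfile -CApath "$1" leaf.pem 2>&1 || true
}

mkdir root_only full_chain
cp root.pem root_only/
cp root.pem inter.pem full_chain/
# Root alone: the leaf's issuer cannot be found, the problem behind errors 20/21 above.
RESULT_ROOT_ONLY=$(verify_with "$WORK/root_only")
# Root plus the intermediate: "leaf.pem: OK", the analogue of "Verify return code: 0 (ok)".
RESULT_FULL=$(verify_with "$WORK/full_chain")
echo "root only : $RESULT_ROOT_ONLY"
echo "full chain: $RESULT_FULL"
```

If a client that already trusts the public roots still reports code 21 against the live server, the server itself is not sending its intermediate certificate; the local CApath workaround only fixes your own client, so the intermediate chain should also be configured on the web and mail servers.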