Version 26 (modified by chris, 22 months ago)
Transition Network Security Information
The three Transition Network servers, wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer all have a *.transitionnetwork.org SSL certificate from Gandi which is used by web servers and mail servers.
Note there is an issue regarding enabling HTTPS for the WordPress sites on ParrotServer, see ticket:540.
Fingerprints
- https://patterns.transitionresearchnetwork.org/
SHA1 Fingerprint=63:8A:D9:03:1F:FB:5D:40:CF:2D:CF:8A:4C:C4:C4:78:F0:F2:10:2E
- https://*.transitionnetwork.org/
SHA1 Fingerprint=67:E3:06:44:B5:95:67:74:1A:7A:EC:E2:82:C5:FC:27:A7:01:9C:F7
SHA256 Fingerprint=19:BF:1D:C7:34:FB:12:D1:AB:69:6E:96:1A:E3:94:C0:B8:C0:F6:85:03:D2:8A:E9:57:42:61:B3:F2:95:39:28
- https://www.transitionnetwork.org/
Getting a new certificate
There is a cronjob on wiki:PenguinServer to check the expiry date of the cert, see ticket:685#comment:9.
Checking the HTTPS certificates
There is a page for users on the main wiki; the following is some more techie info.
You can check the servers using the ssllabs.com test here:
See also (newest items at the end):
- ticket:409 on which some issues were resolved.
- The steps followed in 2013 on ticket:475#comment:2
- 2014 on ticket:685#comment:2.
- Work was done on ticket:691#comment:13 to add SPDY support to wiki:PenguinServer and also to generate DH params.
- Heartbleed fixes on ticket:692#comment:18
- SHA1 Deprecation: Regenerate all certs using SHA256 ticket:795
- 2015 on ticket:820
Check the SSL cert on the command line
Following the suggestion here you can get the fingerprints on the command line remotely:
openssl s_client -connect transitionnetwork.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=67:E3:06:44:B5:95:67:74:1A:7A:EC:E2:82:C5:FC:27:A7:01:9C:F7
And on the server:
cd /etc/ssl/transitionnetwork.org
openssl x509 -noout -in transitionnetwork.org.crt -fingerprint
SHA1 Fingerprint=67:E3:06:44:B5:95:67:74:1A:7A:EC:E2:82:C5:FC:27:A7:01:9C:F7
openssl x509 -noout -in transitionnetwork.org.crt -fingerprint -sha256
SHA256 Fingerprint=19:BF:1D:C7:34:FB:12:D1:AB:69:6E:96:1A:E3:94:C0:B8:C0:F6:85:03:D2:8A:E9:57:42:61:B3:F2:95:39:28
The following is based on instructions from nixCraft, see also ticket:165.
Create directory to store certificate:
mkdir -p ~/.cert/www.transitionnetwork.org/
cd ~/.cert/www.transitionnetwork.org/
Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server:
openssl s_client -showcerts -connect www.transitionnetwork.org:443
Look at the end of the output; you will have one of these:
Verify return code: 21 (unable to verify the first certificate)
Verify return code: 19 (self signed certificate in certificate chain)
Note the error at the end, "Verify return code: 21 (unable to verify the first certificate)".
Copy from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE----- which starts with 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org, and save it in your ~/.cert/www.transitionnetwork.org/ directory as www.transitionnetwork.org.pem.
This certificate was issued by Gandi, so you need to get the various certificates from gandi.net and change them into pem format (note this needs updating for SHA256 certs)
wget http://crt.gandi.net/GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt
openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem
Create symbolic links to files named by the hash values using c_rehash, enter:
c_rehash ~/.cert/www.transitionnetwork.org/
To confirm you have the correct and working certificates, enter:
openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443
And you should now see output like above, but with this at the end:
Verify return code: 0 (ok)
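The fingerprint checks under "Check the SSL cert on the command line" and the CApath/c_rehash procedure above, exercised end to end in an added shell example that is not part of this wiki page and not the Transition Network's own cron or checking scripts. So that it runs offline, it generates a throwaway CA and a server certificate signed by it in place of the Gandi chain and the *.transitionnetwork.org cert; the CA name "Example Test CA", the host "www.example.test", the temporary directory layout and all function names are constructed for the example. It also adds the expiry check that a cron job like the one on wiki:PenguinServer would perform, using openssl's -checkend option.

```shell
#!/bin/sh
# Added example (not from the Transition Network wiki). All certificates,
# names and paths below are constructed locally so nothing touches the network.

# Generate a local CA plus a server certificate it signs. This stands in for
# the Gandi CA chain and the *.transitionnetwork.org certificate.
make_test_pki() {
    pki=$1
    mkdir -p "$pki"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$pki/ca.key" \
        -out "$pki/ca.pem" -subj "/CN=Example Test CA" -days 2 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$pki/server.key" \
        -out "$pki/server.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$pki/server.csr" -CA "$pki/ca.pem" -CAkey "$pki/ca.key" \
        -CAcreateserial -out "$pki/server.pem" -days 1 >/dev/null 2>&1
}

# Print the colon-separated fingerprint of a PEM certificate, exactly what the
# "openssl x509 -fingerprint" commands on the page print after the "=".
# $2 is the digest: sha1 or sha256.
cert_fingerprint() {
    openssl x509 -noout -in "$1" -fingerprint "-$2" | sed 's/^.*=//'
}

# Compare a certificate's fingerprint with the value you expect (e.g. one
# pasted from this page). Colons and letter case are normalised on both sides
# so a formatting difference is not mistaken for a changed certificate.
# Returns 0 on match, 1 otherwise.
fingerprint_matches() {
    got=$(cert_fingerprint "$1" "$2" | tr -d ':' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$3" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Expiry check suitable for a cron job: returns 0 if the certificate expires
# within $2 days. openssl -checkend exits 1 when the cert WILL expire in the
# given number of seconds, so the status is inverted here.
cert_expires_within_days() {
    if openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Build a CApath directory the way the page does with c_rehash: each CA cert
# must be reachable through a link named <subject-hash>.0, which is how
# "openssl s_client -CApath" and "openssl verify -CApath" locate issuers.
build_capath() {
    capath=$1
    ca=$2
    mkdir -p "$capath"
    cp "$ca" "$capath/"
    # "openssl rehash" (OpenSSL 1.1+) does what c_rehash does; if it is not
    # available, create the hash-named symlink by hand, which is the same thing.
    openssl rehash "$capath" >/dev/null 2>&1 ||
        ln -sf "$(basename "$ca")" "$capath/$(openssl x509 -noout -hash -in "$ca").0"
}

# Verify the server certificate against the CApath. Exit status 0 corresponds
# to the "Verify return code: 0 (ok)" that s_client prints when the chain is good.
verify_chain() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demonstration in a temporary directory.
WORK=$(mktemp -d)
make_test_pki "$WORK"
build_capath "$WORK/capath" "$WORK/ca.pem"
echo "SHA1 Fingerprint=$(cert_fingerprint "$WORK/server.pem" sha1)"
echo "SHA256 Fingerprint=$(cert_fingerprint "$WORK/server.pem" sha256)"
verify_chain "$WORK/capath" "$WORK/server.pem" && echo "chain verifies against local CApath"
cert_expires_within_days "$WORK/server.pem" 30 && echo "certificate expires within 30 days"
rm -rf "$WORK"
```

When pointing this at a real certificate, pass the path of the cert retrieved with `openssl s_client -showcerts` (or the one in /etc/ssl on the server) to `fingerprint_matches` together with the fingerprint recorded on this page; a mismatch after a planned renewal is expected, a mismatch at any other time is worth investigating.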