= Transition Network Security Information =

The three Transition Network servers, wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer all have a {{{*.transitionnetwork.org}}} SSL certificate from [https://gandi.net/ Gandi] which is used by web servers and mail servers.

== Getting a new certificate ==

See the steps followed in 2013 on ticket:475#comment:2 and 2014 on ticket:685#comment:2. 

== Checking the HTTPS certificates ==

There is [https://wiki.transitionnetwork.org/Security a page for users on the main wiki], following is some more techie info.

You can check the servers using the ssllabs.com test here:

 * [https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org puffin]
 * [https://www.ssllabs.com/ssltest/analyze.html?d=penguin.transitionnetwork.org penguin]
 * [https://www.ssllabs.com/ssltest/analyze.html?d=parrot.transitionnetwork.org parrot]

See also ticket:409 on which some issues were resolved.

=== Check the SSL cert on the command line ===

The following is based on [http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/ instructions from nixCraft], see also ticket:165.

Create directory to store certificate:

{{{
mkdir -p ~/.cert/www.transitionnetwork.org/
cd ~/.cert/www.transitionnetwork.org/
}}}

Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server:

{{{
openssl s_client -showcerts -connect www.transitionnetwork.org:443
}}}

Look at the end of the output, you will have one of these:

{{{
    Verify return code: 21 (unable to verify the first certificate)
}}}

{{{
    Verify return code: 19 (self signed certificate in certificate chain)
}}}

Note the error at the end, '''"Verify return code: 21 (unable to verify the first certificate)"'''.

Copy from the {{{-----BEGIN CERTIFICATE-----}}} to the {{{-----END CERTIFICATE-----}}} which starts with {{{ 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org}}}, and save it in your {{{~/.cert/www.transitionnetwork.org/}}} directory as {{{www.transitionnetwork.org.pem}}}.

This certificate was issued by Gandi, so you need to get the various certificates [http://wiki.gandi.net/en/ssl/intermediate?rev=1236084787 from gandi.net] and change them into pem format:
 
{{{
wget http://crt.gandi.net/GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt
openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem
}}}

Create symbolic links to files named by the hash values using c_rehash, enter:

{{{
c_rehash ~/.cert/www.transitionnetwork.org/
}}}

To confirm you have the correct and working certificates, enter:

{{{
openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443
}}}

And you should now output like above but with this at the end:

{{{
    Verify return code: 0 (ok)
}}}