= Transition Network Security Information =

The three Transition Network servers, wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer, all have a {{{*.transitionnetwork.org}}} SSL certificate from [https://gandi.net/ Gandi] which is used by the web servers and mail servers. Note there is an issue regarding enabling HTTPS for the WordPress sites on ParrotServer, see ticket:540.

== Fingerprints ==

 * https://patterns.transitionresearchnetwork.org/
{{{
SHA1 Fingerprint=63:8A:D9:03:1F:FB:5D:40:CF:2D:CF:8A:4C:C4:C4:78:F0:F2:10:2E
}}}
 * https://*.transitionnetwork.org/
{{{
SHA1 Fingerprint=67:E3:06:44:B5:95:67:74:1A:7A:EC:E2:82:C5:FC:27:A7:01:9C:F7
SHA256 Fingerprint=19:BF:1D:C7:34:FB:12:D1:AB:69:6E:96:1A:E3:94:C0:B8:C0:F6:85:03:D2:8A:E9:57:42:61:B3:F2:95:39:28
}}}
 * https://www.transitionnetwork.org/

== Getting a new certificate ==

There is a cronjob on wiki:PenguinServer to check the expiry date of the cert, see ticket:685#comment:9.

== Checking the HTTPS certificates ==

There is [https://wiki.transitionnetwork.org/Security a page for users on the main wiki]; the following is some more techie info.

You can check the servers using the ssllabs.com test here:

 * [https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org puffin]
 * [https://www.ssllabs.com/ssltest/analyze.html?d=penguin.transitionnetwork.org penguin]
 * [https://www.ssllabs.com/ssltest/analyze.html?d=patterns.transitionresearchnetwork.org patterns on penguin]
 * [https://www.ssllabs.com/ssltest/analyze.html?d=parrot.transitionnetwork.org parrot]

See also (newest items at the end):

 - ticket:409 on which some issues were resolved.
 - The steps followed in 2013 on ticket:475#comment:2.
 - 2014 on ticket:685#comment:2.
 - Set up cert expiry date checking for all SSL certs, ticket:687.
 - Work was done on ticket:691#comment:13 to add [https://en.wikipedia.org/wiki/SPDY SPDY] support to wiki:PenguinServer and also to generate DH params.
 - Heartbleed fixes on ticket:692#comment:18.
 - SHA1 deprecation: regenerate all certs using SHA256, ticket:795.
 - 2015 on ticket:820.

=== Check the SSL cert on the command line ===

Following [https://security.stackexchange.com/questions/20399/how-to-verify-the-ssl-fingerprint-by-command-line-wget-curl the suggestion here] you can get the fingerprints on the command line remotely:
{{{
openssl s_client -connect transitionnetwork.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=67:E3:06:44:B5:95:67:74:1A:7A:EC:E2:82:C5:FC:27:A7:01:9C:F7
}}}

And on the server:
{{{
cd /etc/ssl/transitionnetwork.org
openssl x509 -noout -in transitionnetwork.org.crt -fingerprint
SHA1 Fingerprint=67:E3:06:44:B5:95:67:74:1A:7A:EC:E2:82:C5:FC:27:A7:01:9C:F7
openssl x509 -noout -in transitionnetwork.org.crt -fingerprint -sha256
SHA256 Fingerprint=19:BF:1D:C7:34:FB:12:D1:AB:69:6E:96:1A:E3:94:C0:B8:C0:F6:85:03:D2:8A:E9:57:42:61:B3:F2:95:39:28
}}}

The following is based on [http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/ instructions from nixCraft], see also ticket:165.

Create a directory to store the certificate:
{{{
mkdir -p ~/.cert/www.transitionnetwork.org/
cd ~/.cert/www.transitionnetwork.org/
}}}

Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server:
{{{
openssl s_client -showcerts -connect www.transitionnetwork.org:443
}}}

Look at the end of the output; you will have one of these:
{{{
Verify return code: 21 (unable to verify the first certificate)
}}}
{{{
Verify return code: 19 (self signed certificate in certificate chain)
}}}

Note the error at the end, '''"Verify return code: 21 (unable to verify the first certificate)"'''.
Copy from the {{{-----BEGIN CERTIFICATE-----}}} to the {{{-----END CERTIFICATE-----}}} of the block which starts with {{{ 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org}}}, and save it in your {{{~/.cert/www.transitionnetwork.org/}}} directory as {{{www.transitionnetwork.org.pem}}}.

This certificate was issued by Gandi, so you need to get the various certificates [http://wiki.gandi.net/en/ssl/intermediate?rev=1236084787 from gandi.net] and convert them into PEM format ('''note this needs updating for SHA256 certs'''):
{{{
wget http://crt.gandi.net/GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt
openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem
}}}

Create symbolic links to files named by the hash values using c_rehash, enter:
{{{
c_rehash ~/.cert/www.transitionnetwork.org/
}}}

To confirm you have the correct and working certificates, enter:
{{{
openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443
}}}

And you should now see output like above but with this at the end:
{{{
Verify return code: 0 (ok)
}}}
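The remote fingerprint command above and the expiry check that the PenguinServer cronjob performs can be combined into one script that pins the served certificate and warns before it expires. This is an added example, not a script from this wiki or from the Transition Network servers; the function names and the CHECK_HOST/CHECK_FP environment variables are assumptions, and openssl is the only dependency.

```shell
#!/bin/sh
# Added example, not code from the Transition Network wiki: pin the SHA-256 fingerprint of
# a served certificate and warn before expiry, as the expiry cronjob on PenguinServer does.
# Function names are assumed for this example; openssl is the only dependency.
set -eu

# Print the leaf certificate served by host $1 on port $2 as PEM (this one uses the network).
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# Print the SHA-256 fingerprint of PEM file $1 in the colon-separated form used on this page.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2 | tr 'a-f' 'A-F'
}

# Succeed only if the fingerprint of PEM file $1 equals the pinned value $2 (case-insensitive).
check_pin() {
  expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  [ "$(cert_fingerprint "$1")" = "$expected" ]
}

# Succeed if PEM file $1 is still valid $2 days from now (-checkend takes seconds).
valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Fetch $1's certificate, compare it to pin $2 and require $3 days of remaining validity.
# Prints each problem found and returns 1 if there was one, 0 otherwise.
check_site() {
  tmp=$(mktemp)
  fetch_cert "$1" 443 >"$tmp"
  status=0
  if ! check_pin "$tmp" "$2"; then
    echo "$1: fingerprint mismatch, got $(cert_fingerprint "$tmp")"; status=1
  fi
  if ! valid_for_days "$tmp" "$3"; then
    echo "$1: expires within $3 days, $(openssl x509 -noout -enddate -in "$tmp")"; status=1
  fi
  rm -f "$tmp"
  return "$status"
}

# Cron-style invocation, only when the host and expected fingerprint are given, e.g.
#   CHECK_HOST=transitionnetwork.org CHECK_FP=<expected SHA256 fingerprint> sh check_cert.sh
if [ -n "${CHECK_HOST:-}" ]; then
  check_site "$CHECK_HOST" "${CHECK_FP:-}" 14
fi
```

Run from cron with the three servers' host names and the SHA256 fingerprint listed under Fingerprints; a non-zero exit (and the printed reason) is the alert.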