Version 23 (modified by chris, 2 years ago)
Transition Network Security Information
The three Transition Network servers, wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer, all use a *.transitionnetwork.org wildcard SSL certificate from Gandi; the same certificate is used by the web servers and the mail servers.
Note there is an issue with enabling HTTPS for the WordPress sites on ParrotServer, see ticket:540.
Fingerprints
- https://patterns.transitionresearchnetwork.org/ SHA1 Fingerprint=63:8A:D9:03:1F:FB:5D:40:CF:2D:CF:8A:4C:C4:C4:78:F0:F2:10:2E
- https://tech.transitionnetwork.org/ SHA1 Fingerprint=DE:E6:11:E6:81:E5:ED:2E:FB:ED:54:39:22:9A:A6:1D:C4:5B:FB:C3
- https://www.transitionnetwork.org/ SHA1 Fingerprint=DE:E6:11:E6:81:E5:ED:2E:FB:ED:54:39:22:9A:A6:1D:C4:5B:FB:C3
Getting a new certificate
There is a cronjob on wiki:PenguinServer which checks the expiry date of the certificate; see ticket:685#comment:9.
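As an added example of what such a check looks like (this is not the PenguinServer cron job itself, which is described in ticket:685#comment:9), the functions below warn when a certificate is within a configurable number of days of expiry, either from the file on disk or from what the live server presents. It assumes the openssl command-line tool; the warning threshold, the certificate path and the hostnames are illustrative.

```sh
#!/bin/sh
# Added example: warn when a certificate is close to expiry, as a cron job
# would.  Not the actual PenguinServer job (see ticket:685#comment:9).
# Assumes the openssl command-line tool; paths and hosts are illustrative.

# Days of warning before expiry; override with WARN_DAYS=... in cron's environment.
WARN_DAYS="${WARN_DAYS:-30}"

# cert_expires_within DAYS FILE
# True (exit 0) if the certificate in FILE has expired or expires within DAYS
# days, false (exit 1) otherwise.  Built on `openssl x509 -checkend SECONDS`,
# which exits non-zero when the certificate will be invalid SECONDS from now.
# An unreadable file also counts as "expiring", so a broken path still alerts.
cert_expires_within() {
    if openssl x509 -noout -checkend "$(( $1 * 86400 ))" -in "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_not_after FILE
# Prints the notAfter date of the certificate in FILE, for the alert text.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# fetch_remote_cert HOST PORT OUTFILE
# Saves the leaf certificate the live server presents to OUTFILE, so the same
# check can run against what clients actually see rather than the file on disk.
# -servername sends SNI, which matters when several names share one address.
fetch_remote_cert() {
    openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM -out "$3"
}

# check_cert_file FILE
# Prints a warning and returns 1 if FILE expires within WARN_DAYS days; prints
# nothing and returns 0 otherwise.  Cron mails any output, so silence is good.
check_cert_file() {
    if cert_expires_within "$WARN_DAYS" "$1"; then
        echo "WARNING: $1 expires within $WARN_DAYS days (notAfter=$(cert_not_after "$1"))"
        return 1
    fi
    return 0
}

# Example cron usage (certificate path as in the "on the server" section of
# this page; the hostname is one of the public sites listed above):
#   check_cert_file /etc/ssl/transitionnetwork.org/transitionnetwork.org.crt
#   fetch_remote_cert www.transitionnetwork.org 443 /tmp/www.pem && check_cert_file /tmp/www.pem
```

Checking the live server as well as the file on disk catches the case where the certificate was renewed on disk but the web server was never reloaded.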
Checking the HTTPS certificates
There is a page for users on the main wiki; what follows is more technical information.
You can check the servers' TLS configuration using the ssllabs.com SSL Server Test.
See also:
- ticket:409 on which some issues were resolved.
- The steps followed in 2013 on ticket:475#comment:2.
- The steps followed in 2014 on ticket:685#comment:2.
- Work was done on ticket:691#comment:13 to add SPDY support to wiki:PenguinServer and also to generate DH params.
- Heartbleed fixes on ticket:692#comment:18
Check the SSL cert on the command line
Following the suggestion here, you can get the fingerprint on the command line remotely (the value shown was captured at the time of writing; it changes whenever the certificate is renewed, so it will not necessarily match the list above):
    openssl s_client -connect transitionnetwork.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
    SHA1 Fingerprint=44:15:8B:F2:0C:D3:E6:92:9A:41:6E:FC:2A:46:36:89:90:B1:16:70
And on the server:
    cd /etc/ssl/transitionnetwork.org
    openssl x509 -noout -in transitionnetwork.org.crt -fingerprint
    SHA1 Fingerprint=44:15:8B:F2:0C:D3:E6:92:9A:41:6E:FC:2A:46:36:89:90:B1:16:70
The two values should be identical; if they differ, the web server is not serving the certificate that is on disk (for example because it was not reloaded after a renewal). Note that openssl x509 -fingerprint defaults to SHA-1; add -sha256 to get a SHA-256 fingerprint, which is what any new comparison should use.
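The following is an added example, not code from the Transition Network servers, that wraps the two commands above into reusable functions and goes a little beyond them: it computes the fingerprint both with openssl x509 and the long way (a fingerprint is just the hash of the certificate's DER encoding), and compares a fingerprint from a file against an expected value regardless of case or colons. It assumes the openssl command-line tool; hostnames and paths are illustrative.

```sh
#!/bin/sh
# Added example: compute and compare certificate fingerprints from the
# command line.  Not code from the Transition Network servers; assumes the
# openssl tool.  Hostnames and paths are illustrative.

# cert_fingerprint FILE ALGO
# Prints the colon-separated fingerprint of the PEM certificate in FILE using
# ALGO (sha1 or sha256), with the "SHA256 Fingerprint=" prefix removed.
cert_fingerprint() {
    openssl x509 -noout -fingerprint "-$2" -in "$1" | sed 's/^.*Fingerprint=//'
}

# cert_fingerprint_from_der FILE
# The same SHA-256 fingerprint computed the long way: hash the DER encoding of
# the certificate and format the hex as upper-case pairs separated by colons.
# Useful for checking a value produced by another tool, and it shows there is
# nothing more to a fingerprint than a hash of the certificate bytes.
cert_fingerprint_from_der() {
    openssl x509 -in "$1" -outform DER \
        | openssl dgst -sha256 \
        | sed 's/^.*= *//' \
        | tr 'a-f' 'A-F' \
        | sed 's/../&:/g; s/:$//'
}

# remote_fingerprint HOST PORT ALGO
# Fingerprint of the leaf certificate a live server presents.  -servername
# sends SNI, which matters when several names share one address.
remote_fingerprint() {
    openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint "-$3" \
        | sed 's/^.*Fingerprint=//'
}

# normalise_fp FP
# Strips colons and upper-cases, so values copied from different tools compare.
normalise_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# fingerprint_matches FILE EXPECTED
# True if the SHA-256 fingerprint of FILE equals EXPECTED (any case, colons optional).
fingerprint_matches() {
    [ "$(normalise_fp "$(cert_fingerprint "$1" sha256)")" = "$(normalise_fp "$2")" ]
}

# Example use with the server certificate path and a public site from this page:
#   cert_fingerprint /etc/ssl/transitionnetwork.org/transitionnetwork.org.crt sha1
#   remote_fingerprint www.transitionnetwork.org 443 sha256
#   fingerprint_matches /etc/ssl/transitionnetwork.org/transitionnetwork.org.crt "$(remote_fingerprint www.transitionnetwork.org 443 sha256)"
```

The SHA-1 values listed earlier on this page can be checked with the sha1 argument, but fingerprint_matches deliberately uses SHA-256 because SHA-1 is no longer a collision-resistant identifier for a certificate.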
The following, which builds a local trust store so that the server's certificate chain can be verified, is based on instructions from nixCraft; see also ticket:165.
Create a directory to store the certificates:
    mkdir -p ~/.cert/www.transitionnetwork.org/
    cd ~/.cert/www.transitionnetwork.org/
Retrieve the certificate chain presented by the www.transitionnetwork.org web server (-showcerts prints every certificate the server sends, not only the leaf):
    openssl s_client -showcerts -connect www.transitionnetwork.org:443
Look at the end of the output; without a local trust store you will see one of these:
    Verify return code: 21 (unable to verify the first certificate)
    Verify return code: 19 (self signed certificate in certificate chain)
Either code means OpenSSL could not build a chain from the server's certificate to a root it trusts; the steps below fix that by giving it the Gandi chain.
Copy the first certificate in the chain, that is the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- which follows the line beginning 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org, and save it in your ~/.cert/www.transitionnetwork.org/ directory as www.transitionnetwork.org.pem.
This certificate was issued by Gandi, so you also need the Gandi intermediate certificate and the UserTrust/AddTrust certificates above it in the chain; download them and convert them from DER to PEM format:
    wget http://crt.gandi.net/GandiStandardSSLCA.crt
    wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt
    wget http://crt.usertrust.com/AddTrustExternalCARoot.crt
    openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
    openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
    openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem
Note that these files are fetched over plain HTTP, so before trusting them compare their fingerprints (openssl x509 -noout -fingerprint -sha256 -in FILE.pem) with copies obtained another way, such as the values Gandi publishes or the root already in your operating system's CA bundle.
Create symbolic links named by the certificates' subject hashes using c_rehash (on OpenSSL 1.1.0 and later, openssl rehash does the same job), enter:
    c_rehash ~/.cert/www.transitionnetwork.org/
To confirm you have the correct and working certificates, enter:
    openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443
You should now see output like above, but ending with:
    Verify return code: 0 (ok)
A return code of 0 means the chain validated against the certificates in that directory; it does not by itself confirm that the certificate is valid for the name you connected to, so also check that the subject line in the output is the *.transitionnetwork.org certificate.
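The whole procedure above, as an added example in reusable shell functions (not code from the Transition Network servers or from nixCraft): build a private trust directory from PEM or DER CA files, rehash it, and verify a leaf certificate against that directory only. It goes slightly beyond the steps above in two ways: the system CA store is deliberately excluded, so the check pins to the CAs you placed in the directory, and an optional hostname check covers what "Verify return code: 0 (ok)" alone does not. It assumes the openssl tool (with openssl rehash or c_rehash available); directory and file names are illustrative.

```sh
#!/bin/sh
# Added example: private trust directory plus chain verification, as reusable
# functions.  Not code from the Transition Network servers; assumes the openssl
# command-line tool.  Directory and file names are illustrative.

# build_ca_store DIR CERT...
# Copies each CA certificate into DIR as PEM (converting from DER when the file
# is not PEM, as for the .crt files downloaded from Gandi/UserTrust above) and
# creates the hash-named symlinks that -CApath needs.  `openssl rehash` is the
# built-in replacement for c_rehash on OpenSSL 1.1.0+; older installs fall
# back to the c_rehash script.
build_ca_store() {
    dir="$1"; shift
    mkdir -p "$dir"
    for f in "$@"; do
        base=$(basename "$f"); base="${base%.*}"
        if grep -q 'BEGIN CERTIFICATE' "$f"; then
            cp "$f" "$dir/$base.pem"                       # already PEM
        else
            openssl x509 -inform DER -in "$f" -out "$dir/$base.pem"
        fi
    done
    openssl rehash "$dir" >/dev/null 2>&1 || c_rehash "$dir" >/dev/null
}

# verify_chain DIR LEAF [HOSTNAME]
# True if LEAF chains to certificates in DIR only.  -no-CAfile and -no-CApath
# keep the system store out of the decision, so this pins to the CAs in DIR.
# When HOSTNAME is given, LEAF must also be valid for that name, which the
# "Verify return code: 0 (ok)" from s_client does not check.
verify_chain() {
    if [ -n "$3" ]; then
        openssl verify -no-CAfile -no-CApath -CApath "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
    fi
}

# verify_remote DIR HOST PORT
# Fetches the leaf certificate from a live server and verifies it against DIR,
# including the hostname.  The intermediates are expected to be in DIR, as in
# the steps above; the leaf itself does not need to be there.
verify_remote() {
    tmp=$(mktemp)
    openssl s_client -servername "$2" -connect "$2:$3" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM -out "$tmp"
    if verify_chain "$1" "$tmp" "$2"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Example mirroring the steps above:
#   build_ca_store ~/.cert/www.transitionnetwork.org GandiStandardSSLCA.crt \
#       UTNAddTrustServer_CA.crt AddTrustExternalCARoot.crt
#   verify_remote ~/.cert/www.transitionnetwork.org www.transitionnetwork.org 443
```

Because every certificate placed in the directory is treated as trusted, keep only the Gandi intermediate and the roots above it there; the leaf certificate saved in the manual steps is harmless but unnecessary.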