= Transition Network Security Information = The three Transition Network servers, wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer all have a {{{*.transitionnetwork.org}}} SSL certificate from [https://gandi.net/ Gandi] which is used by web servers and mail servers. == Getting a new certificate == See the steps followed in 2013 on ticket:475#comment:2 and 2014 on ticket:685#comment:2. == Checking the HTTPS certificates == There is [https://wiki.transitionnetwork.org/Security a page for users on the main wiki], following is some more techie info. You can check the servers using the ssllabs.com test here: * [https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org puffin] * [https://www.ssllabs.com/ssltest/analyze.html?d=penguin.transitionnetwork.org penguin] * [https://www.ssllabs.com/ssltest/analyze.html?d=parrot.transitionnetwork.org parrot] See also ticket:409 on which some issues were resolved. === Check the SSL cert on the command line === Following [https://security.stackexchange.com/questions/20399/how-to-verify-the-ssl-fingerprint-by-command-line-wget-curl the suggestion here] you can get the fingerprints on the the command line remotely: {{{ openssl s_client -connect transitionnetwork.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin SHA1 Fingerprint=44:15:8B:F2:0C:D3:E6:92:9A:41:6E:FC:2A:46:36:89:90:B1:16:70 }}} And on the server: {{{ cd /etc/ssl/transitionnetwork.org openssl x509 -noout -in transitionnetwork.org.crt -fingerprint SHA1 Fingerprint=44:15:8B:F2:0C:D3:E6:92:9A:41:6E:FC:2A:46:36:89:90:B1:16:70 }}} The following is based on [http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/ instructions from nixCraft], see also ticket:165. Create directory to store certificate: {{{ mkdir -p ~/.cert/www.transitionnetwork.org/ cd ~/.cert/www.transitionnetwork.org/ }}} Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server: {{{ openssl s_client -showcerts -connect www.transitionnetwork.org:443 }}} Look at the end of the output, you will have one of these: {{{ Verify return code: 21 (unable to verify the first certificate) }}} {{{ Verify return code: 19 (self signed certificate in certificate chain) }}} Note the error at the end, '''"Verify return code: 21 (unable to verify the first certificate)"'''. Copy from the {{{-----BEGIN CERTIFICATE-----}}} to the {{{-----END CERTIFICATE-----}}} which starts with {{{ 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org}}}, and save it in your {{{~/.cert/www.transitionnetwork.org/}}} directory as {{{www.transitionnetwork.org.pem}}}. This certificate was issued by Gandi, so you need to get the various certificates [http://wiki.gandi.net/en/ssl/intermediate?rev=1236084787 from gandi.net] and change them into pem format: {{{ wget http://crt.gandi.net/GandiStandardSSLCA.crt wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt wget http://crt.usertrust.com/AddTrustExternalCARoot.crt openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem }}} Create symbolic links to files named by the hash values using c_rehash, enter: {{{ c_rehash ~/.cert/www.transitionnetwork.org/ }}} To confirm you have the correct and working certificates, enter: {{{ openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443 }}} And you should now output like above but with this at the end: {{{ Verify return code: 0 (ok) }}}