wiki:SecurityInfo
Last modified 19 months ago Last modified on 05/05/15 10:41:44

Transition Network Security Information

The three Transition Network servers, wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer all have a *.transitionnetwork.org SSL certificate from Gandi which is used by web servers and mail servers.

Note there is a issue regarding enabling HTTPS for the WordPress sites on ParrotServer, see ticket:540.

Fingerprints

Getting a new certificate

There is a cronjob on wiki:PenguinServer to check the date of the cert see ticket:685#comment:9

Checking the HTTPS certificates

There is a page for users on the main wiki, following is some more techie info.

You can check the servers using the ssllabs.com test here:

See also (newest items at the end):

Check the SSL cert on the command line

Following the suggestion here you can get the fingerprints on the the command line remotely:

openssl s_client -connect transitionnetwork.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=67:E3:06:44:B5:95:67:74:1A:7A:EC:E2:82:C5:FC:27:A7:01:9C:F7

And on the server:

cd /etc/ssl/transitionnetwork.org
openssl x509 -noout -in transitionnetwork.org.crt -fingerprint
SHA1 Fingerprint=67:E3:06:44:B5:95:67:74:1A:7A:EC:E2:82:C5:FC:27:A7:01:9C:F7
openssl x509 -noout -in transitionnetwork.org.crt -fingerprint -sha256
SHA256 Fingerprint=19:BF:1D:C7:34:FB:12:D1:AB:69:6E:96:1A:E3:94:C0:B8:C0:F6:85:03:D2:8A:E9:57:42:61:B3:F2:95:39:28

The following is based on instructions from nixCraft, see also ticket:165.

Create directory to store certificate:

mkdir -p ~/.cert/www.transitionnetwork.org/
cd ~/.cert/www.transitionnetwork.org/

Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server:

openssl s_client -showcerts -connect www.transitionnetwork.org:443

Look at the end of the output, you will have one of these:

    Verify return code: 21 (unable to verify the first certificate)
    Verify return code: 19 (self signed certificate in certificate chain)

Note the error at the end, "Verify return code: 21 (unable to verify the first certificate)".

Copy from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE----- which starts with 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org, and save it in your ~/.cert/www.transitionnetwork.org/ directory as www.transitionnetwork.org.pem.

This certificate was issued by Gandi, so you need to get the various certificates from gandi.net and change them into pem format (note this needs updating for SHA256 certs)

wget http://crt.gandi.net/GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt
openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem

Create symbolic links to files named by the hash values using c_rehash, enter:

c_rehash ~/.cert/www.transitionnetwork.org/

To confirm you have the correct and working certificates, enter:

openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443

And you should now output like above but with this at the end:

    Verify return code: 0 (ok)