Version 10 (modified by chris, 3 years ago) (diff) |
---|
Transition Network Security Information
The Transition Network has a *.transitionnetwork.org SSL certificate from Gandi which is used by web servers and mail servers.
Getting a new certificate
See the steps followed in 2013 on ticket:475#comment:2 and 2014 on ticket:685#comment:2
Checking the HTTPS certificates
There is a page for users on the main wiki, following is some more techie info.
You can check the servers here:
See also ticket:409 on which some issues were resolved.
Check the SSL cert on the command line
The following is based on instructions from nixCraft, see also ticket:165.
Create directory to store certificate:
$ mkdir -p ~/.cert/www.transitionnetwork.org/ $ cd ~/.cert/www.transitionnetwork.org/
Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server:
$ openssl s_client -showcerts -connect www.transitionnetwork.org:443
Sample output:
CONNECTED(00000003) depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org verify error:num=27:certificate not trusted verify return:1 depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA -----BEGIN CERTIFICATE----- MIIE9zCCA9+gAwIBAgIRALwjak7zR7NnERA/olIDh34wDQYJKoZIhvcNAQEFBQAw QTELMAkGA1UEBhMCRlIxEjAQBgNVBAoTCUdBTkRJIFNBUzEeMBwGA1UEAxMVR2Fu ZGkgU3RhbmRhcmQgU1NMIENBMB4XDTEwMDIxMDAwMDAwMFoXDTExMDIxMDIzNTk1 OVowazEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMSQwIgYDVQQL ExtHYW5kaSBTdGFuZGFyZCBXaWxkY2FyZCBTU0wxIDAeBgNVBAMUFyoudHJhbnNp dGlvbm5ldHdvcmsub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA s2ncTx3xMZdby9RhGMrGC3KN9Yr4NiyWYumj/9OROyaTpbsTRGy0N46cis1uY03p 84aWNns6o0TYIqn4XOXco+DWeGjMzMHQ19YKQ2cZ0k+YtjRPT9ss8lXjTJaLK1np mbp5LaWgZLB+pUFzK9JZJOMCx6B6hJKUDOb3Fgakqujm74aT+bc3iAK7EKvZwUbq E22Q1Yiae6g3Zd9gQ+yBI7MNg5Kygm8SE3LZ9dntnC+CzgO7t5GvAhnJdfVoHLuC 6IDtUlCx1Z7wmDl4tm7qcSaUdd4DGFocIqSpSRayqtAFNH9WnpwMxBROwyChsmFj FRdHg7D6OYdS9NnpTx/LfwIDAQABo4IBvjCCAbowHwYDVR0jBBgwFoAUtqj/oqgv 0KbNS7Fo8+dQEDGneSEwHQYDVR0OBBYEFJM3Cz6AmNOWJySAjBgOd9a4nF36MA4G A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB BggrBgEFBQcDAjBWBgNVHSAETzBNMEsGCysGAQQBsjEBAgIaMDwwOgYIKwYBBQUH AgEWLmh0dHA6Ly93d3cuZ2FuZGkubmV0L2NvbnRyYWN0cy9mci9zc2wvY3BzL3Bk Zi8wPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5nYW5kaS5uZXQvR2FuZGlT dGFuZGFyZFNTTENBLmNybDBqBggrBgEFBQcBAQReMFwwNwYIKwYBBQUHMAKGK2h0 dHA6Ly9jcnQuZ2FuZGkubmV0L0dhbmRpU3RhbmRhcmRTU0xDQS5jcnQwIQYIKwYB BQUHMAGGFWh0dHA6Ly9vY3NwLmdhbmRpLm5ldDA5BgNVHREEMjAwghcqLnRyYW5z aXRpb25uZXR3b3JrLm9yZ4IVdHJhbnNpdGlvbm5ldHdvcmsub3JnMA0GCSqGSIb3 DQEBBQUAA4IBAQCtxu5tBJAnP7xOL5QkUAFyKoSkbHV1i7kc3MqH5h/gbW16lJQa ke+Ac5M6/AHGc2vK+lKJWvQlVUqynECFjlvfTdD/WQFDcZYEkXrs85aB0ilSHHpr GCAO8182Y6p2jQSVtkP+cPUH0oOKW1KHBlDkWhU0iy+ooInJu7zy7yvPNxPC3mC+ TxWmcshBcPLkW1E6NPXrVx1WK9NdYvAn78/kWg2oZxBg/BuDO2UdNhBU824rYvAp P/Jd/eOoGzT7/JRtbF/xiO5Y10TPT2sjrFLpQodULgnN5TxsE1NcaOqzdDRxaUjb kUoWZpr6aCIzXPYmtlvmwXVWy+UH8b5A+ZRj -----END CERTIFICATE----- --- Server certificate subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA --- No client certificate CA names sent --- SSL handshake has read 1967 bytes and written 319 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: D4C55538C4247FF187A1A8C130EA58195580A2996BF8F5343A5512CD8BF38719 Session-ID-ctx: Master-Key: 4C739F03DE2A480D751D7B18A0E7A397B2FD9E8C7763153A91EF6356797BA7653D50D210D22CDB6BC49F787C8399DCBD Key-Arg : None Krb5 Principal: None Start Time: 1289253341 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) ---
Note the error at the end, "Verify return code: 21 (unable to verify the first certificate)".
Copy from the "-----BEGIN CERTIFICATE-----" to the "-----END CERTIFICATE-----" , and save it in your ~/.cert/www.transitionnetwork.org/ directory as www.transitionnetwork.org.pem.
This certificate was issued by Gandi, so you need to get the various certificates from gandi.net and change them into pem format:
wget http://crt.gandi.net/GandiStandardSSLCA.crt wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt wget http://crt.usertrust.com/AddTrustExternalCARoot.crt openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem
Create symbolic links to files named by the hash values using c_rehash, enter:
$ c_rehash ~/.cert/www.transitionnetwork.org/
To confirm you have the correct and working certificates, enter:
$ openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443
And you should now output like above but with this at the end:
Verify return code: 0 (ok)