wiki:SecurityInfo

Version 17 (modified by chris, 3 years ago) (diff)

Info about SPDY support which is being enabled on wiki:PenguinServer added

Transition Network Security Information

The three Transition Network servers, wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer all have a *.transitionnetwork.org SSL certificate from Gandi which is used by web servers and mail servers.

Note there is a issue regarding enabling HTTPS for the WordPress sites on ParrotServer, see ticket:540.

Getting a new certificate

There is a cronjob on wiki:PenguinServer to check the date of the cert see ticket:685#comment:9

Checking the HTTPS certificates

There is a page for users on the main wiki, following is some more techie info.

You can check the servers using the ssllabs.com test here:

See also:

Check the SSL cert on the command line

Following the suggestion here you can get the fingerprints on the the command line remotely:

openssl s_client -connect transitionnetwork.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=44:15:8B:F2:0C:D3:E6:92:9A:41:6E:FC:2A:46:36:89:90:B1:16:70

And on the server:

cd /etc/ssl/transitionnetwork.org
openssl x509 -noout -in transitionnetwork.org.crt -fingerprint
SHA1 Fingerprint=44:15:8B:F2:0C:D3:E6:92:9A:41:6E:FC:2A:46:36:89:90:B1:16:70

The following is based on instructions from nixCraft, see also ticket:165.

Create directory to store certificate:

mkdir -p ~/.cert/www.transitionnetwork.org/
cd ~/.cert/www.transitionnetwork.org/

Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server:

openssl s_client -showcerts -connect www.transitionnetwork.org:443

Look at the end of the output, you will have one of these:

    Verify return code: 21 (unable to verify the first certificate)
    Verify return code: 19 (self signed certificate in certificate chain)

Note the error at the end, "Verify return code: 21 (unable to verify the first certificate)".

Copy from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE----- which starts with 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org, and save it in your ~/.cert/www.transitionnetwork.org/ directory as www.transitionnetwork.org.pem.

This certificate was issued by Gandi, so you need to get the various certificates from gandi.net and change them into pem format:

wget http://crt.gandi.net/GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt
openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem

Create symbolic links to files named by the hash values using c_rehash, enter:

c_rehash ~/.cert/www.transitionnetwork.org/

To confirm you have the correct and working certificates, enter:

openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443

And you should now output like above but with this at the end:

    Verify return code: 0 (ok)