Version 12 (modified by chris, 3 years ago) (diff) |
---|
Transition Network Security Information
The three Transition Network servers, wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer all have a *.transitionnetwork.org SSL certificate from Gandi which is used by web servers and mail servers.
Getting a new certificate
See the steps followed in 2013 on ticket:475#comment:2 and 2014 on ticket:685#comment:2.
Checking the HTTPS certificates
There is a page for users on the main wiki, following is some more techie info.
You can check the servers using the ssllabs.com test here:
See also ticket:409 on which some issues were resolved.
Check the SSL cert on the command line
The following is based on instructions from nixCraft, see also ticket:165.
Create directory to store certificate:
mkdir -p ~/.cert/www.transitionnetwork.org/ cd ~/.cert/www.transitionnetwork.org/
Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server:
openssl s_client -showcerts -connect www.transitionnetwork.org:443
Look at the end of the output, you will have one of these:
Verify return code: 21 (unable to verify the first certificate)
Verify return code: 19 (self signed certificate in certificate chain)
Note the error at the end, "Verify return code: 21 (unable to verify the first certificate)".
Copy from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE----- which starts with 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org, and save it in your ~/.cert/www.transitionnetwork.org/ directory as www.transitionnetwork.org.pem.
This certificate was issued by Gandi, so you need to get the various certificates from gandi.net and change them into pem format:
wget http://crt.gandi.net/GandiStandardSSLCA.crt wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt wget http://crt.usertrust.com/AddTrustExternalCARoot.crt openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem
Create symbolic links to files named by the hash values using c_rehash, enter:
c_rehash ~/.cert/www.transitionnetwork.org/
To confirm you have the correct and working certificates, enter:
openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443
And you should now output like above but with this at the end:
Verify return code: 0 (ok)