#12855 closed Task/To do item (fixed)

lists.portside.org SSL certificate using SHA-1 needs revoke/replace

Reported by: https://id.mayfirst.org/wolcen Owned by: https://id.mayfirst.org/jaimev
Priority: Medium Component: Tech
Keywords: ssl sha-1 evo Cc: jschaffner@…
Sensitive: no

Description

The title basically covers the issue, at least as far as I understand it. It appears the cert has SHA-256 and SHA-1 signatures, so perhaps this is an issue with a cert chain? Chrome complains with NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM, and says both the cert and the chain have SHA-1 signatures.

This appears to be evo.mayfirst.org, which has nothing at all in the Red interface (this is for listserv, so probably understandable).

The SSL cert is a PositiveSSL good through Feb 2019 for lists.portside.org.

Change History (4)

comment:1 Changed 18 months ago by https://id.mayfirst.org/jaimev

  • Owner set to https://id.mayfirst.org/jaimev
  • Status changed from new to assigned

I think you can ask PositiveSSL to issue a new cert with a SHA-256 signature; they are usually willing to do this. The other option is for us to set up LetsEncrypt to autogenerate a new cert for lists.portside.org

comment:2 Changed 18 months ago by https://id.mayfirst.org/wolcen

Let's please go with LetsEncrypt for this service. Thank you!

comment:3 Changed 18 months ago by https://id.mayfirst.org/jaimev

Ok, I've used mf-certbot to create a new cert for lists.portside.org

I've edited the file /etc/apache2/sites-enabled/lists.portside.org.conf to use the new cert and key and restarted apache2.

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/lists.portside.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/lists.portside.org/privkey.pem

As far as I can tell apache2 is the only service using tls certs on morales. Is that correct?
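The SHA-1 signatures reported in the description, and the fullchain.pem that the new Apache config points at, can both be checked with a small offline parser. The script below is an added example for this ticket, not code from the ticket, from May First or from mf-certbot. It uses only the Python standard library: for each certificate in a PEM bundle it walks the outer X.509 Certificate SEQUENCE, reads the signatureAlgorithm OID, and flags the SHA-1 and MD5 OIDs as weak. The `fake_cert_der` helper is an assumption made here for testing only: it builds a structurally valid but non-real certificate skeleton so the checker can be exercised without a network or a real key.

```python
import ssl
import sys

# Signature-algorithm OIDs (dotted form) that this checker treats as weak.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# Names for the OIDs we expect to meet; unknown OIDs are reported in dotted form.
KNOWN_OIDS = {
    **WEAK_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Convert DER OID content octets to dotted-decimal form (base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der_cert):
    """Return the dotted OID of the outer signatureAlgorithm of a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)        # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def check_pem_chain(pem_text):
    """Classify every certificate in a PEM bundle such as fullchain.pem.

    Returns a list of (algorithm_name, is_weak) tuples in bundle order.
    """
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    results, start = [], 0
    while True:
        i = pem_text.find(begin, start)
        if i < 0:
            break
        j = pem_text.find(end, i) + len(end)
        oid = signature_algorithm_oid(ssl.PEM_cert_to_DER_cert(pem_text[i:j]))
        results.append((KNOWN_OIDS.get(oid, oid), oid in WEAK_SIGNATURE_OIDS))
        start = j
    return results


# --- constructed test fixture (assumption: not a real certificate) ---------------------

def _tlv(tag, content):
    """DER-encode one TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        ln = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + content


def _encode_oid(dotted):
    """DER-encode a dotted OID into its content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def fake_cert_der(sig_oid):
    """Constructed Certificate skeleton: dummy tbsCertificate, given signature OID, empty signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                   # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))     # AlgorithmIdentifier + NULL
    sig = _tlv(0x03, b"\x00")                                                # empty BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Usage: python check_chain.py /etc/letsencrypt/live/lists.portside.org/fullchain.pem
    with open(sys.argv[1]) as fh:
        for name, weak in check_pem_chain(fh.read()):
            print(("WEAK  " if weak else "ok    ") + name)
```

Run it against the chain file Apache serves; any line marked WEAK is a certificate whose signature a browser will reject with the NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM error quoted in the description.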

comment:4 Changed 18 months ago by https://id.mayfirst.org/wolcen

  • Resolution set to fixed
  • Status changed from assigned to closed

morales? Is that the same as evo? I do not know of anything else on there, sorry.

The certs look great now, of course. Thank you!
