Opened 7 years ago

Closed 7 years ago

#5470 closed Question/How do I...? (fixed)

Requesting Certificate Key / Dedicated IP

Reported by: OccuCopy Owned by: Ross
Priority: High Component: Tech
Keywords: certificate key, security, dedicated ip Cc: toshiro.kida@…
Sensitive: no

Description

Hi there,

We are trying to set ourselves up with a Security Certificate in order to get our online store up and running securely, and have tried generating the files as detailed in https://support.mayfirst.org/wiki/get_security_certificate.

The domain.csr and domain.key files were generated just fine. However, when we try to run:

openssl s_server -cert domain.crt -key domain.key -www

we get this result:

occucopy@stone:~$ openssl s_server -cert domain.crt -key domain.key -www
Error opening server certificate file domain.crt
22043:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('domain.crt','r')
22043:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load certificate

We are hesitant to go forward with the process without knowing why this won't work, and what we could do about it. The FAQ doesn't mention it, but is there a certain directory that we need to SSH into, in order to generate the key files?

I've read the various MFPL wiki pages, but just so we have a better idea of how it works, what would be the overall step-wise procedure from start to finish?

Thanks! TC at OccuCopy

Change History (9)

comment:1 Changed 7 years ago by Ross

Owner: set to Ross
Status: new → assigned

Hi TC,

I'm looking in the occucopy.org directory and do not see either file domain.csr or domain.key. I do see card_key/uc_credit.key in your web root... that is, uc_credit.key is readable by the world (not sure if this is what you want).

That said, I've gone ahead and created a certificate signing request for you. The FAQ is a bit confusing; the command that failed for you is only supposed to be run after you've received your certificate from a certificate authority.

If you look in your occucopy user space in the "keys" directory, you should see a domain.csr and domain.key file. Use the contents of the .csr file to register your cert with a certificate authority. You are also welcome to recreate the .csr and .key file yourself (of course).

~/ross

comment:2 Changed 7 years ago by Daniel Kahn Gillmor

Is there a reason this is marked "sensitive"? The sensitive flag makes it so that questions aren't visible to people other than the reporter and the support team. It seems like the discussion on this ticket could benefit the general public (clarifying parts of the FAQ, working through this process).

occucopy, would you be OK with removing the sensitive flag on this ticket?

comment:3 Changed 7 years ago by OccuCopy

Sensitive: unset

Sorry, yes, didn't quite get the idea of the sensitive flag. This would definitely benefit everybody! I've gone ahead and unchecked the box. Will be submitting key for certification now.

Thanks!

comment:4 Changed 7 years ago by OccuCopy

Hi Ross,

We now have our certificate, and need to get our own dedicated IP address, according to https://support.mayfirst.org/wiki/setup_security_certificate.

Can we go ahead and do that? Also, once we have it set up, how do we edit the requisite https config file?

Thanks again, OccuCopy

comment:5 Changed 7 years ago by Ross

Hi OccuCopy,

Your dedicated IP address is 216.66.22.44. You should be able to follow this FAQ to perform the member-level tasks to complete the IP configuration.

https://support.mayfirst.org/wiki/setup_dedicated_ip#Tasksthatonlyrequirememberlevelpermissions

Once you have the domain set up, you should be able to edit the https config file from the control panel under the Web Configuration tab.

Let me know if you have any other questions,

~/ross

comment:6 Changed 7 years ago by OccuCopy

Hi Ross,

Sorry to keep bothering you with this!

The IP settings went through just fine, and I've updated the config file. The paths there are set to /home/members/occucopy/sites/occucopy.org/users/occucopy/keys/relevantfiles.*

Unfortunately, when I try to access http://occucopy.org, it just comes up with the standard "Welcome to stone.mayfirst.org" 404 page. Testing the certificate with RapidSSL's Certificate Installation Checker (https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO9556) comes up with an "Invalid Chain" error, and the following message:

Error: The certificate installation checker connected to the Web server and read its certificates, but could not determine which is the primary certificate for the Web server. Make sure that the domain name entered above matches the common name of the certificate installed on the Web server.

What are we doing wrong here?
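The sequence Ross lays out in comment:1 (key and CSR first, the certificate authority second, the s_server test only once domain.crt exists), plus the two checks this thread shows are worth running before testing: that the private key is not readable by others, as uc_credit.key was, and that the certificate's CN is the domain the installation checker in comment:6 is asked about. This is an added shell example, not code from the ticket or from May First's FAQ; the keys directory, file names and domain are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the ticket or from May First's FAQ. Paths and
# the domain are assumptions; <keydir> stands in for the ~/keys directory Ross
# mentions. Order matters: key + CSR, then the CA, then the s_server test.
set -eu

# Step 1: private key (never readable by others) and CSR. Run before the CA.
make_csr() {   # make_csr <keydir> <domain>
    mkdir -p "$1"
    ( umask 077; openssl genrsa -out "$1/domain.key" 2048 2>/dev/null )
    chmod 600 "$1/domain.key"
    openssl req -new -key "$1/domain.key" -out "$1/domain.csr" -subj "/CN=$2" 2>/dev/null
}

# Ross found uc_credit.key world-readable under the web root: list every .key
# file under a directory that has the group-read or other-read bit set.
find_exposed_keys() {   # find_exposed_keys <dir>
    find "$1" -type f -name '*.key' \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Step 2 gate: the FAQ's s_server test only makes sense once the CA has
# returned domain.crt. Succeeds only if both files exist, the key is private,
# the certificate was issued for this key, and its CN is the expected domain
# (the mismatch RapidSSL's checker warns about in comment:6).
cert_ready() {   # cert_ready <crt> <key> <domain>
    crt=$1; key=$2; domain=$3
    [ -f "$crt" ] || { echo "no certificate yet: $crt (submit the CSR first)" >&2; return 1; }
    [ -f "$key" ] || { echo "missing private key: $key" >&2; return 1; }
    [ -z "$(find "$key" \( -perm -040 -o -perm -004 \))" ] \
        || { echo "$key is readable by group or others; chmod 600 it" >&2; return 1; }
    # a certificate belongs to a key iff both carry the same public key
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "certificate does not match key" >&2; return 1; }
    openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | grep -Eq "CN=$domain(,|$)" \
        || { echo "certificate CN is not $domain" >&2; return 1; }
}

# Step 3: only now does the test server from the FAQ do anything useful.
serve_test() {   # serve_test <crt> <key> <domain>
    cert_ready "$1" "$2" "$3" && openssl s_server -cert "$1" -key "$2" -www
}
```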

comment:7 Changed 7 years ago by Ross

Resolution: fixed
Status: assigned → feedback

It seems like you've resolved this. I can get to https://occucopy.org. If this is not correct, let me know.

~/ross

comment:8 Changed 7 years ago by OccuCopy

Resolution: fixed
Status: feedback → assigned

Oh great, it is working! Thanks, guys!

comment:9 Changed 7 years ago by OccuCopy

Resolution: fixed
Status: assigned → closed
