Changes between Version 11 and Version 12 of configure-mosh-x509


Timestamp:
Aug 15, 2016, 9:27:20 AM (5 years ago)
Author:
Jamie McClelland
  • configure-mosh-x509

    v11 v12  
    11[[TranslatedPages]]
    22[[PageOutline]]
    3 == How to configure x509 on Moshes ==
    43
    5 1. Find out if cert sign request exists.
    6    * a. login to server cd /etc/ssl
    7    * b. ls -l
    8    * c. look for servername.csr
     4= How to configure x509 on any MF/PL Server =
    95
    10       If it exists remove it with 'rm SERVERNAME.mayfirst.org.csr' (We're going to create a new csr)
     6== If the machine is a mosh ==
    117
    12 2. Get new certificate
    13    * a. Generate a new csr (see instructions below)
    14    * b. Create a temporary directory 'mkdir /etc/ssl/temp'
    15    * c. go to https://cheapssls.com
    16    * d. find login info in keyringer - if configured issue the command 'pass cheapssls'
    17    * e. login and go to My SSL Account >> My SSLs
    18    * f. If there are unassigned ssls, use one of those. If not buy 5 PositiveSSL 5-year certs (currently $4.99p/y, discounted if multiple certs purchased)
    19    * i. Use keyringer (if configured run 'pass paypal' for login info) again for paypal information, to purchase certificates.
     8Edit the server's .pp file and add the following to the "m_mosh" class declaration:
    209
    21 3. Once certificates are purchased, go back to My SSL Account >> My SSLs
    22    * a. Click on "Activate" beside one of the SSLs
    23    * b. Paste in csr from step 2.a., use Apache2-openssl as the server type
    24    * c. https://support.mayfirst.org/wiki/ordering-cartel-x509-certificates
    25    * d. You will recieve an validation email at hostmaster@mayfirst.org, validate it.
    26    * e. You will recieve the certificate at hostmaster@mayfirst.org in a zip file.
    27    * f. save zip locally then on your local computer run command below to copy the zip file to the server.
    2810{{{
    29 scp /PATH/TO/SERVERNAME_mayfirst_org.zip root@SERVER_NAME.mayfirst.org:/etc/ssl/temp
    30 }}}
    31  
    32    * g. on the server
    33 {{{
    34 unzip /etc/ssl/temp/$(hostname)_mayfirst_org.zip
    35 }}}
    36    * h. from /etc/ssl/temp on the host machine you can run
    37 {{{
    38 cat COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt >> $(hostname)_mayfirst_org.crt && mv $(hostname)_mayfirst_org.crt ../$(hostname).mayfirst.org.crt.new
    39 }}}
    40     * This will create the correct certificate for the /etc/ssl directory (including the intermediate certificate). You need both Intermediate and Primary certificates for apache to use ssl correctly.
    41    * i. next from /etc/ssl/private do
    42 {{{
    43 umask 177; cat $(hostname).mayfirst.org.key.$(date +%F) >> $(hostname).mayfirst.org.pem.new
    44 }}}
    45    * j. next from /etc/ssl/private do
    46 {{{
    47 cat ../$(hostname).mayfirst.org.crt.new >> $(hostname).mayfirst.org.pem.new; umask 133
    48 }}}
    49     * j.0 Check the .pem file to verify it has the following components:
    50      * The secret key
    51      * The server's (End Entity) certificate
    52      * The intermediate certificate
    53 
    54    * k. Make sure no files in the /etc/ssl/private directory are readable by the world.
    55    * l. from /etc/ssl do
    56 {{{
    57 mv $(hostname).mayfirst.org.crt{,.old} && mv $(hostname).mayfirst.org.crt{.new,} && mv private/$(hostname).mayfirst.org.pem{,.old} && mv private/$(hostname).mayfirst.org.pem{.new,}
    58 }}}
    59    * m. restart apache with
    60 {{{
    61 service apache2 restart
    62 }}}
    63    * i. Check that the certificate is working by going to https://SERVERNAME.mayfirst.org
    64    * n. restart courier-imap-ssl and courier-pop-ssl
    65 {{{
    66 service courier-imap-ssl restart && service courier-pop-ssl restart
    67 }}}
    68     * n.0 In order to generate DH parameters, you may want to do `freepuppet-run` on the server in question.
    69     * n.1 Verify that imap is working, from your local machine do
    70 {{{
    71 gnutls-cli --port imaps SERVER_NAME.mayfirst.org
    72 }}}
    73      * n.1.1 You should see a successful handshake and be able to verify the necessary certificates and intermediate certificates.  Look for lines like these in the output:
    74 {{{
    75 - Certificate[1] info:
    76  - subject `OU=Domain Control Validated,OU=PositiveSSL,CN=mandela.mayfirst.org', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-12-19 00:00:00 UTC', expires `2018-12-18 23:59:59 UTC', SHA-1 fingerprint `bf977b3ea56da74284e111391ed1efaaf6454dc2'
    77 - Certificate[2] info:
    78  - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2012-02-16 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `94807b1c788dd2fcbe19c8481ce41cfab8a4c17f'
    79 }}}
    80      * n.1.2 If the above command fails, you will need to run the command `freepuppet-run` as root on the server.  Usually a failure in the above gnutls command is related to missing Diffie-Hellman parameters.
    81    * o. Remove any unnecessary files.  Here's an example of the needed files on jones (with permissions):
    82 
    83     {{{
    84     0 jones:/etc/ssl# ls -l
    85     total 40
    86     drwxr-xr-x 2 root root     20480 Nov 15  2011 certs
    87     -rw-r--r-- 1 root root      3566 Aug  6 11:54 jones.mayfirst.org.crt
    88     -rw-r--r-- 1 root root      9495 May  9  2011 openssl.cnf
    89     drwx--x--- 2 root ssl-cert  4096 Aug  6 12:01 private
    90 
    91     0 jones:/etc/ssl# ls -l private/
    92     total 16
    93     -rw------- 1 root root     1675 Aug  6 11:37 jones.mayfirst.org.key.2013-08-06
    94     -rw------- 1 root ssl-cert 5241 Aug  6 11:53 jones.mayfirst.org.pem
    95     -rw-r----- 1 root ssl-cert  887 Jun  9  2008 ssl-cert-snakeoil.key
    96     0 jones:/etc/ssl#
    97     }}}
    98 
    99     === How to Remove Files ===
    100     * cd into the directory
    101     * rm files in that directory
    102 
    103     === How to Remove Directory ===
    104     * cd into the directory
    105     * rm files in that directory
    106     * cd out of the directory
    107     * rmdir directory_name
    108 
    109 == Certs supplied by Positive ssl ==
    110 * AddTrustExternalCARoot.crt  <-- This is the CA certificate (rarely do we need this, can probably delete after installing certificates)
    111 * PositiveSSLCA2.crt  <-- Intermediate Certificate
    112 * SERVERNAME_mayfirst_org.crt  <-- The server's primary certificate.
    113 
    114 == Creating a new csr ==
    115 1. from `root@SERVERNAME.mayfirst.org:/etc/ssl/private` look for SERVERNAME.mayfirst.org.key (ls -l)
    116 
    117     If  it exists, remove it with 'rm $(hostname).mayfirst.org.key' <-- the  key may have a .DATE extension (remove that key as well)
    118 
    119 2.  Create a new key in /etc/ssl/private with the command `umask 177;  certtool -p > $(hostname).mayfirst.org.key.$(date +%F)` <-- umask here  creates the correct permissions for the key file.  '''Note:''' some versions of gnutls-bin (or certtool) add key info to the top of their output.  You'll want to verify the key created here and make sure it's clean, containing only the following:
    120 {{{
    121 -----BEGIN RSA PRIVATE KEY-----
    122 key data
    123 -----END RSA PRIVATE KEY-----
     11  x509_method => "letsencrypt"
    12412}}}
    12513
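Review bot: the new mosh section (new lines 6-12) reduces the whole procedure to `x509_method => "letsencrypt"` but drops two pieces of documentation the removed text carried: how the change is applied on the host (v11 pointed at `freepuppet-run` at old lines 68 and 80) and how to verify the served chain afterwards (old line 71: `gnutls-cli --port imaps SERVER_NAME.mayfirst.org`, with the expected `Certificate[1]`/`Certificate[2]` output at old lines 75-78). Consider keeping a short "apply and verify" line after the `.pp` snippet so an operator can confirm apache and courier are serving the new end-entity certificate together with its intermediate, rather than assuming the puppet run succeeded.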
    126 3.  Run the following command from /etc/ssl/private `umask 133;  certtool --generate-request --load-privkey  $(hostname).mayfirst.org.key.$(date +%F)`
    127   * a. Enter the correct values for the signing request
     14== If the server is not a mosh, but is running apache ==
    12815
    129 == Questions asked by 'certtool --generate-request' command ==
    130 * Enter the e-mail of the subject of the certificate:
    131 * Enter a challenge password:
    132 * Does the certificate belong to an authority? (y/N): N
    133 * Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
    134 * Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
    135 * Is this a TLS web client certificate? (y/N): y
    136 * Is this also a TLS web server certificate? (y/N): y
    137 * Country name (2 chars): US
    138 * Organization name: May First People Link
    139 * Organizational unit name: Support
    140 * Locality name: New York City
    141 * State or province name: NY
    142 * Common name: SERVER_NAME.mayfirst.org
    143 * UID:
    144 * Enter a dnsName of the subject of the certificate:
    145 * Enter the IP address of the subject of the certificate:
    146 * Enter the e-mail of the subject of the certificate:
    147 * Enter a challenge password:
    148 * Does the certificate belong to an authority? (y/N): N
    149 * Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
    150 * Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
    151 * Is this a TLS web client certificate? (y/N): y
    152 * Is this also a TLS web server certificate? (y/N):
     16Run:
     17
     18{{{
     19mf-certbot /etc/apache2/sites-enables/SITE.CONF
     20}}}
     21
     22Complete the path above pointing to the web configuration file configured to respond to the domains you want certified.
     23
     24== If the server is not a mosh and is running nginx ==
     25
     26Please patch mf-certbot to work for nginx. It should be trivial.
     27
     28== If the server not a mosh and is not running a web server ==
     29
     30Run:
     31
     32{{{
     33mf-certbot domain.org www.domain.org another.domain.org
     34}}}
     35
     36== Updates ==
     37
     38The letsecnrypt software will automatically update the certificates every 3 months
     39
     40== To do ==
     41
     42Add a restart command to the post-certify hook of letsecnrypt?
     43
     44
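Review bot: `/etc/apache2/sites-enables/SITE.CONF` at new line 19 looks like a typo for `sites-enabled`, the directory apache on Debian actually reads, so the path as written points at a directory that will not exist on the server; `letsecnrypt` at new lines 38 and 42 should read `letsencrypt`. The "To do" at line 42 should be resolved rather than left as a question: line 38 states that renewal is automatic, but the daemons that v11 restarted by hand (`service apache2 restart` at old line 61, `service courier-imap-ssl restart && service courier-pop-ssl restart` at old line 66) keep the certificate they loaded at startup and will continue serving the expired one after a silent renewal until they are reloaded, so the automation is incomplete without a post-renewal hook that performs those restarts.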