wiki:configure-mosh-x509

Version 7 (modified by Ross, 6 years ago) (diff)

--

How to configure x509 on Moshes

  1. Find out if cert sign request exists.
    • a. login to server cd /etc/ssl
    • b. ls -l
    • c. look for servername.csr

If it exists remove it with 'rm SERVERNAME.mayfirst.org.csr' (We're going to create a new csr)

  1. Get new certificate
    • a. Generate a new csr (see instructions below)
    • b. Create a temporary directory 'mkdir /etc/ssl/temp'
    • c. go to https://cheapssls.com
    • d. find login info in keyringer - if configured issue the command 'pass cheapssls'
    • e. login and go to My SSL Account >> My SSLs
    • f. If there are unassigned ssls, use one of those. If not buy 5 PositiveSSL 5-year certs (currently $4.99p/y, discounted if multiple certs purchased)
    • i. Use keyringer (if configured run 'pass paypal' for login info) again for paypal information, to purchase certificates.
  1. Once certificates are purchased, go back to My SSL Account >> My SSLs
    • a. Click on "Activate" beside one of the SSLs
    • b. Paste in csr from step 2.a., use Apache2-openssl as the server type
    • c. https://support.mayfirst.org/wiki/ordering-cartel-x509-certificates
    • d. You will recieve an validation email at hostmaster@…, validate it.
    • e. You will recieve the certificate at hostmaster@… in a zip file.
    • f. save zip locally then on your local computer run command below to copy the zip file to the server.
      scp /PATH/TO/SERVERNAME_mayfirst_org.zip root@SERVER_NAME.mayfirst.org:/etc/ssl/temp
      

  • g. on the server
    unzip /etc/ssl/temp/$(hostname)_mayfirst_org.zip
    
  • h. from /etc/ssl/temp on the host machine you can run
    cat PositiveSSLCA2.crt >> $(hostname)_mayfirst_org.crt && mv $(hostname)_mayfirst_org.crt ../$(hostname).mayfirst.org.crt.new 
    
    • This will create the correct certificate for the /etc/ssl directory (including the intermediate certificate). You need both Intermediate and Primary certificates for apache to use ssl correctly.
  • i. next from /etc/ssl/private do
    umask 177; cat $(hostname).mayfirst.org.key.$(date +%F) >> $(hostname).mayfirst.org.pem.new
    
    • i.1 Check the .pem file to verify it has the following components:
      • The secret key
      • The server's (End Entity) certificate
      • The intermediate certificate
  • j. next from /etc/ssl/private do
    cat ../$(hostname).mayfirst.org.crt.new >> $(hostname).mayfirst.org.pem.new; umask 133
    
  • k. Make sure no files in the /etc/ssl/private directory are readable by the world.
  • l. from /etc/ssl do
    mv $(hostname).mayfirst.org.crt{,.old} && mv $(hostname).mayfirst.org.crt{.new,} && mv private/$(hostname).mayfirst.org.pem{,.old} && mv private/$(hostname).mayfirst.org.pem{.new,}
    
  • m. restart apache with
    service apache2 restart
    
  • i. Check that the certificate is working by going to https://SERVERNAME.mayfirst.org
  • n. restart courier-imap-ssl and courier-pop-ssl
    service courier-imap-ssl restart && service courier-pop-ssl restart
    
    • n.0 In order to generate DH parameters, you may want to do freepuppet-run on the server in question.
    • n.1 Verify that imap is working, from your local machine do
      gnutls-cli --port imaps SERVER_NAME.mayfirst.org
      
      • n.1.1 You should see a successful handshake and be able to verify the necessary certificates and intermediate certificates. Look for lines like these in the output:
        - Certificate[1] info:
         - subject `OU=Domain Control Validated,OU=PositiveSSL,CN=mandela.mayfirst.org', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-12-19 00:00:00 UTC', expires `2018-12-18 23:59:59 UTC', SHA-1 fingerprint `bf977b3ea56da74284e111391ed1efaaf6454dc2'
        - Certificate[2] info:
         - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2012-02-16 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `94807b1c788dd2fcbe19c8481ce41cfab8a4c17f'
        
  • o. Remove any unnecessary files. Here's an example of the needed files on jones (with permissions):
0 jones:/etc/ssl# ls -l
total 40
drwxr-xr-x 2 root root     20480 Nov 15  2011 certs
-rw-r--r-- 1 root root      3566 Aug  6 11:54 jones.mayfirst.org.crt
-rw-r--r-- 1 root root      9495 May  9  2011 openssl.cnf
drwx--x--- 2 root ssl-cert  4096 Aug  6 12:01 private

0 jones:/etc/ssl# ls -l private/
total 16
-rw------- 1 root root     1675 Aug  6 11:37 jones.mayfirst.org.key.2013-08-06
-rw------- 1 root ssl-cert 5241 Aug  6 11:53 jones.mayfirst.org.pem
-rw-r----- 1 root ssl-cert  887 Jun  9  2008 ssl-cert-snakeoil.key
0 jones:/etc/ssl# 

How to Remove Files

  • cd into the directory
  • rm files in that directory

How to Remove Directory

  • cd into the directory
  • rm files in that directory
  • cd out of the directory
  • rmdir directory_name

Certs supplied by Positive ssl

  • AddTrustExternalCARoot.crt <-- This is the CA certificate (rarely do we need this, can probably delete after installing certificates)
  • PositiveSSLCA2.crt <-- Intermediate Certificate
  • SERVERNAME_mayfirst_org.crt <-- The server's primary certificate.

Creating a new csr

  1. from root@SERVERNAME.mayfirst.org:/etc/ssl/private look for SERVERNAME.mayfirst.org.key (ls -l)

If it exists, remove it with 'rm $(hostname).mayfirst.org.key' <-- the key may have a .DATE extension (remove that key as well)

  1. Create a new key in /etc/ssl/private with the command umask 177; certtool -p > $(hostname).mayfirst.org.key.$(date +%F) <-- umask here creates the correct permissions for the key file.
  1. Run the following command from /etc/ssl/private umask 133; certtool --generate-request --load-privkey $(hostname).mayfirst.org.key.$(date +%F)
    • a. Enter the correct values for the signing request

Questions asked by 'certtool --generate-request' command

  • Enter the e-mail of the subject of the certificate:
  • Enter a challenge password:
  • Does the certificate belong to an authority? (y/N): N
  • Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
  • Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
  • Is this a TLS web client certificate? (y/N): y
  • Is this also a TLS web server certificate? (y/N): y
  • Country name (2 chars): US
  • Organization name: May First People Link
  • Organizational unit name: Support
  • Locality name: New York City
  • State or province name: NY
  • Common name: SERVER_NAME.mayfirst.org
  • UID:
  • Enter a dnsName of the subject of the certificate:
  • Enter the IP address of the subject of the certificate:
  • Enter the e-mail of the subject of the certificate:
  • Enter a challenge password:
  • Does the certificate belong to an authority? (y/N): N
  • Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
  • Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
  • Is this a TLS web client certificate? (y/N): y
  • Is this also a TLS web server certificate? (y/N):