From Mageia wiki

Updating expired certificates

On Mageia infrastructure, we have 2 types of certificates:

- self-signed certificates, for internal usage
- user-facing external websites, where we use 

Certificates are managed by Puppet.

Checking the expiration date of a certificate

   # openssl x509 -in /etc/ssl/openldap/ldap.mageia.org.pem -text -noout | grep -A2 Validity
       Validity
           Not Before: Oct 21 07:37:31 2016 GMT
           Not After : Oct 21 07:37:31 2017 GMT
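Rather than grepping each file by hand, the following added example (not from the Mageia wiki or its Puppet tree) checks a list of certificate files with openssl x509 -checkend and flags those that expire within a threshold, so it can run from cron or before a maintenance window. The paths in the usage comment are the ones this page mentions; everything else is this example's own.

```shell
#!/bin/sh
# Added example: report certificates that are expired or about to expire.
# `openssl x509 -checkend N` exits 0 if the certificate is still valid N seconds
# from now and 1 if it expires within that window (or has already expired).

# cert_enddate FILE -> prints "notAfter=<date>" for FILE
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate
}

# cert_expires_within FILE DAYS -> returns 0 if FILE expires within DAYS days
# (or cannot be read, which is treated as "needs attention"), 1 otherwise
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_certs DAYS FILE... -> one status line per file; returns 1 if any file is
# missing or expires within DAYS days, 0 if all are fine
check_certs() {
    days=$1
    shift
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$f"
            rc=1
        elif cert_expires_within "$f" "$days"; then
            printf 'EXPIRING %s (%s)\n' "$f" "$(cert_enddate "$f" 2>/dev/null || echo unreadable)"
            rc=1
        else
            printf 'ok       %s (%s)\n' "$f" "$(cert_enddate "$f")"
        fi
    done
    return $rc
}

# Usage on a Mageia host, with a 30-day warning window (paths from this page):
#   check_certs 30 /etc/ssl/apache/*.pem /etc/ssl/openldap/ldap.mageia.org.pem /etc/ssl/wildcard.mageia.org.crt
```

The function returns non-zero when anything needs attention, so it can gate a cron job or a Puppet run; an unreadable or missing file is reported rather than silently skipped, since on these hosts that usually means Puppet has not (re)created it yet.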

Self-signed certificate

If a certificate has expired, the easiest fix (provided it is not the wildcard certificate, see below for that one) is to delete the file (for example /etc/ssl/apache/$VHOST.pem) and run puppetd again, which regenerates it:

   # rm /etc/ssl/apache/forums.mageia.org.pem
   # puppetd --test
   # /etc/init.d/httpd restart 

Restarting the affected service is required: a running service keeps the old certificate loaded in memory and would keep serving it.

OpenLDAP certificate

If this certificate has expired, Puppet cannot fix it itself (the Puppet run depends on the LDAP server), so you need to create it manually. The command below writes the private key and the certificate into the same file, so keep that file readable only by its owner:

   # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/openldap/ldap.mageia.org.pem -out /etc/ssl/openldap/ldap.mageia.org.pem -subj '/CN=ldap.mageia.org'


Wildcard certificate

Create

  • Generate a new private key and a CSR (certificate signing request). The CSR carries the new public key and the subject we want; it is not a certificate yet, it is what we ask Gandi to get signed.

   openssl req -nodes -newkey rsa:2048 -sha256 -keyout wildcard.mageia.org.key -out wildcard.mageia.org.csr -utf8

Use FR as country, Paris as city, Mageia.Org as Organization Name, and (most importantly) *.mageia.org as Common Name (although it is not clear whether Gandi actually keeps all that data or replaces it); leave the other fields blank. Then go to the Gandi website → SSL Certificates → *.mageia.org and click on Renew.

Choose DigiCert, Standard and Full domain, then click on Next.

In the text box paste the content of the csr file.

Check that we have enough credit balance at Gandi to pay for it. If not, and expiration is imminent, use a credit card. When the certificate is renewed, choose the DNS method for the validation.

Then choose the SSL CERTIFICATES sidebar entry and click on the *.mageia.org certificate. After some minutes or hours, the Validation instructions section will provide a CNAME record to add to DNS. Add it similar to this commit. Wait some minutes or hours (the time it takes for the DNS change to propagate). You can follow the process on the Gandi certificate page.

Install

When it is ready, download the new certificate as well as the intermediate certificate (in case it changed since last year). Back up the current certificate files by copying them into a directory named after the year they were requested, in case a reversion is needed (if they were not already copied there last year). Copy the signed certificate to neru, sucuk and duvel as /etc/ssl/wildcard.mageia.org.crt. Store the intermediate certificate in /etc/ssl/ and make sure /etc/ssl/wildcard.mageia.org.pem is a link to it. Finally, copy the new private key to /etc/ssl/wildcard.mageia.org.key, making sure it is readable only by its owner (mode 0600).
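Before reloading Apache, it is worth verifying on each server that the files copied above belong together. The following added example (not from the Mageia wiki or its Puppet tree) checks that the private key matches the certificate, that the subject CN and the subjectAltName contain the expected wildcard name, that the key file is not group/world readable, and that the certificate is not already expired. The file layout (.crt, .key, .pem link) and the name *.mageia.org come from this page; the check functions, and the remote_notafter helper for checking what a server actually serves, are this example's own.

```shell
#!/bin/sh
# Added example: sanity checks for a freshly installed wildcard certificate.

# pubkey_sha256 FILE KIND -> SHA-256 of the DER-encoded public key found in FILE;
# KIND is "cert" (X.509 certificate) or "key" (private key)
pubkey_sha256() {
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CRT -> 0 if the private key belongs to the certificate
key_matches_cert() {
    [ "$(pubkey_sha256 "$1" key)" = "$(pubkey_sha256 "$2" cert)" ]
}

# cert_subject_cn CRT -> prints the CN from the certificate subject
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_sans CRT -> prints one DNS name per line from subjectAltName
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//; s/^DNS://'
}

# cert_has_san CRT NAME -> 0 if NAME is listed in subjectAltName (exact match)
cert_has_san() {
    cert_sans "$1" | grep -qFx -- "$2"
}

# key_mode_ok KEY -> 0 if the key file has no group/other permission bits
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# verify_install KEY CRT NAME -> runs all local checks; returns 1 on any failure
verify_install() {
    key=$1 crt=$2 name=$3 rc=0
    key_matches_cert "$key" "$crt" || { echo "FAIL: $key does not match $crt"; rc=1; }
    [ "$(cert_subject_cn "$crt")" = "$name" ] \
        || { echo "FAIL: subject CN is '$(cert_subject_cn "$crt")', expected '$name'"; rc=1; }
    cert_has_san "$crt" "$name" || { echo "FAIL: $name missing from subjectAltName"; rc=1; }
    key_mode_ok "$key" || { echo "FAIL: $key is readable by group/other"; rc=1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: $crt has already expired"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: $crt matches $key, CN/SAN $name, not expired"
    return $rc
}

# remote_notafter HOST -> prints the notAfter date of the certificate HOST:443
# actually serves (needs network; useful after the reload, not run here)
remote_notafter() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Usage on neru, sucuk and duvel after copying the files:
#   verify_install /etc/ssl/wildcard.mageia.org.key /etc/ssl/wildcard.mageia.org.crt '*.mageia.org'
#   remote_notafter blog.mageia.org    # after systemctl reload
```

The key/certificate comparison hashes the public key extracted from each file, which catches the classic mistake of copying last year's key next to this year's certificate; Apache would refuse to start in that case, but it is better to know before the reload. The SAN check matters because browsers ignore the CN and only honour subjectAltName.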

Test

Finally, reload Apache on each of the three servers with systemctl reload apache. Test the new certificate by running curl -vI https://blog.mageia.org/, and likewise against gitweb.mageia.org and advisories.mageia.org (to cover all three servers; check each one as you install its certificate), and look for the new expiration year and for any certificate errors.

Revert the DNS record added previously, remembering to increment the SOA serial (do not use git revert: it would also restore the old, lower serial, and the zone change would not be picked up).