
Generate key and csr

sudo su
cd /etc/ssl
# generate the passworded key (use an easy password; we're about to strip it)
openssl genrsa -des3 -out server.pass.key 2048
# strip the password (you can now delete server.pass.key)
openssl rsa -in server.pass.key -out server.key
# generate the csr from the key we just created
# (-new -key reuses server.key; -newkey would generate a fresh key and overwrite it)
openssl req -new -key server.key -sha256 -out server.csr

-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Philadelphia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chemical Heritage Foundation
Organizational Unit Name (eg, section) []:Library
Common Name (e.g. server FQDN or YOUR name) []:hydra.chemheritage.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

mv server.key private/
mv server.pass.key private/
cd private
chown root:ssl-cert server.*
chmod 640 server.*


Generate self-signed cert

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Purchasing a godaddy cert for prod

Email the csr to Chuck / Ponce and ask them to buy you a cert. Specify the number of years.

Installing the cert

  • Put the cert(s) in place on the server; check permissions
    • For a CA-signed cert there are usually 2: the cert itself and the intermediate cert (gd_bundle)
  • fill in the ansible config values for ssl stuff
    • use_ssl: true
    • locations of key and cert
  • run an ansible playbook that just does that apache setup
    • First check/change 'hosts' in the top-level 'app-config.yml' playbook
    • ansible-playbook -i hosts --tags "ssl" app-config.yml --ask-vault-pass
    • NOTE/TODO! I'm currently refactoring this; won't need tag 'ssl' anymore because apache config stuff is getting its own nested role in apache-passenger/apache-config
    • pass [-e hosts=staging]
    • restart apache on server (this playbook should also restart apache for you)
  • referenced: https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority#apache
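Before putting the files in place and running the playbook, a pre-install check for the server.key / server.csr / server.crt triple produced above; this is an added example, not part of the original page or the project's Ansible roles. It assumes openssl, stat and awk are on the path; the self-test CN and the usage paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki page or the project's roles): checks that
# key, CSR and cert all carry the same public key, and that the private key
# grants nothing to "other" (the chmod 640 step above).
set -u

# Print the SHA-256 of the DER public key held in a private key, CSR or cert.
pubkey_fp() {  # $1 = key|csr|crt, $2 = path
    case "$1" in
        key) openssl pkey -in "$2" -pubout -outform DER ;;
        csr) openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        crt) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    esac 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# "ok" when key, CSR and cert share one public key, "mismatch" otherwise.
check_match() {  # $1 key, $2 csr, $3 crt
    k=$(pubkey_fp key "$1"); c=$(pubkey_fp csr "$2"); x=$(pubkey_fp crt "$3")
    if [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$x" ]; then echo ok; else echo mismatch; fi
}

# "ok" when the key grants nothing to "other" (640 passes, 644 does not).
check_perms() {  # $1 key
    [ -f "$1" ] || { echo missing; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)   # GNU, then BSD stat
    case "$mode" in *[1-7]) echo "world-readable ($mode)" ;; *) echo ok ;; esac
}

# Self-test on throwaway files constructed here (placeholder CN, not real hydra
# material); prints "ok mismatch ok" when the checks behave as intended.
selftest() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=selftest.invalid" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -signkey "$d/server.key" -out "$d/server.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null      # unrelated key -> mismatch
    chmod 640 "$d/server.key"
    r="$(check_match "$d/server.key" "$d/server.csr" "$d/server.crt")"
    r="$r $(check_match "$d/other.key" "$d/server.csr" "$d/server.crt")"
    r="$r $(check_perms "$d/server.key")"
    rm -rf "$d"
    echo "$r"
}

# Usage: sh check_ssl_files.sh /etc/ssl/private/server.key server.csr server.crt
if [ $# -eq 3 ]; then
    echo "public keys match: $(check_match "$1" "$2" "$3")"
    echo "key permissions:   $(check_perms "$1")"
fi
```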



Forcing all traffic to SSL

Until the Ansible script is adjusted, manually add

Redirect / https://hydra.chemheritage.org

just below DocumentRoot in /etc/apache2/sites-enabled/sufia-project.conf (in the port 80 VirtualHost only; the same directive in the HTTPS VirtualHost would redirect to itself in a loop).