SSL certs (Obsolete)
Generate key and csr
sudo su
cd /etc/ssl
# generate the passworded key (use an easy password; we're about to strip it)
openssl genrsa -des3 -out server.pass.key 2048
# strip the password (you can now delete server.pass.key)
openssl rsa -in server.pass.key -out server.key
# generate the csr from the key you just made
openssl req -new -key server.key -sha256 -out server.csr
Note: the one-step form `openssl req -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr` generates a fresh, unencrypted key and the CSR together. Use either that or the genrsa/rsa steps above, not both: its -keyout would silently overwrite the server.key you just created, and the CSR would no longer match it.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Philadelphia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chemical Heritage Foundation
Organizational Unit Name (eg, section) []:Library
Common Name (e.g. server FQDN or YOUR name) []:hydra.chemheritage.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
mv server.key private/
mv server.pass.key private/
cd private
chown root:ssl-cert server.*
chmod 640 server.*
Generally it's better to name the key and csr after the server itself, e.g. hydra-chemheritage-org.csr; you can rename them after creation.
referenced:
Generate self-signed cert
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Purchasing a godaddy cert for prod
Email the csr to Chuck / Ponce and ask them to buy you a cert. Specify the number of years.
Installing the cert
- Put the cert(s) in place on the server; check ownership and permissions (same root:ssl-cert / 640 convention as the key)
- For a CA-signed cert there are usually two files: the cert itself and the intermediate bundle (gd_bundle). Apache 2.4.8+ accepts the intermediate(s) appended to the file given in SSLCertificateFile; older versions need it in a separate SSLCertificateChainFile.
- Fill in the ansible config values for ssl:
  - use_ssl: true
  - locations of key and cert
- Run an ansible playbook that just does the apache setup:
  - First check/change 'hosts' in the top-level 'app-config.yml' playbook
  - ansible-playbook -i hosts update-ssl.yml --ask-vault-pass [-e hosts=staging]
  - This playbook should also restart apache for you.
- referenced: https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority#apache
Forcing all traffic to SSL
Until the Ansible script is adjusted, manually add
Redirect permanent / https://hydra.chemheritage.org/
just below DocumentRoot in the HTTP (port 80) VirtualHost in /etc/apache2/sites-enabled/sufia-project.conf. Put it only in the port-80 vhost: if the same file also defines the HTTPS vhost, a Redirect there sends every HTTPS request back to itself in a loop. Use "permanent" (301) so browsers and search engines stop asking for the plain-HTTP URL.