This repository has been archived by the owner on Nov 14, 2022. It is now read-only.

SSL certificates

Samuel edited this page Apr 12, 2022 · 1 revision


reduce.isis.stfc.ac.uk uses a 1 year EV certificate from QuoVadis, which allows the site to be served over HTTPS. You can view the certificate in a browser, where you can see the date it was created and the date it expires. We need to make sure that the certificate is kept up to date (we should set up a Nagios check to remind us: https://github.com/ISISScientificComputing/autoreduce/issues/1173). Request a new certificate from FIT at least 2 weeks before the expiry date (instructions below). Note that adding a certificate requires a short amount of downtime for the web app.
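An added example of the expiry reminder described above, written as a Nagios-style plugin in Python; it is not the project's own code and not the check from the linked issue. The 14-day CRITICAL threshold follows the two-week lead time stated above, while the 28-day WARNING threshold and all function names are assumptions.

```python
#!/usr/bin/env python3
"""Nagios-style expiry check for the site's TLS certificate (added example)."""
import socket
import ssl
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes
DAY = 86400

def fetch_not_after(host, port=443, timeout=10):
    """Return the served certificate's notAfter, e.g. 'Feb 12 23:59:59 2022 GMT'."""
    ctx = ssl.create_default_context()  # verifies chain and hostname like a browser
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def evaluate(not_after, now, warn_days=28, crit_days=14):
    """Map a notAfter string and the current epoch time to (exit_code, message)."""
    # crit_days=14 is the page's "at least 2 weeks before expiry" deadline;
    # warn_days=28 is an assumed earlier reminder.
    remaining = ssl.cert_time_to_seconds(not_after) - now
    days = int(remaining // DAY)
    if remaining <= 0:
        return CRITICAL, f"CRITICAL - certificate expired on {not_after}"
    if days < crit_days:
        return CRITICAL, f"CRITICAL - {days} days left (expires {not_after})"
    if days < warn_days:
        return WARNING, f"WARNING - {days} days left (expires {not_after})"
    return OK, f"OK - {days} days left (expires {not_after})"

def main(argv):
    host = argv[1] if len(argv) > 1 else "reduce.isis.stfc.ac.uk"
    try:
        code, message = evaluate(fetch_not_after(host), time.time())
    except ssl.SSLCertVerificationError as exc:
        # An expired or mis-chained certificate fails the handshake itself.
        code, message = CRITICAL, f"CRITICAL - verification failed: {exc.verify_message}"
    except OSError as exc:
        code, message = UNKNOWN, f"UNKNOWN - could not connect to {host}: {exc}"
    print(message)
    return code

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the check verifies the chain and hostname during the handshake, it also reports CRITICAL when the chain file is missing or wrong after a renewal, not only when the date is close.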

Getting a new certificate

Generate a CSR file locally

mkdir certs
cd certs/
openssl genrsa -out reduce.isis.cclrc.ac.uk_feb_2021.key 2048
openssl req -new -sha256 -key reduce.isis.cclrc.ac.uk_feb_2021.key -out reduce.isis.cclrc.ac.uk_feb_2021.csr

Answer the questions as follows. You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank as shown below.

Country Name (2 letter code) [XX]:GB

State or Province Name (full name) []:Wiltshire

Locality Name (eg, city) [Default City]:SWINDON

Organization Name (eg, company) [Default Company Ltd]:Science and Technology Facilities Council

Organizational Unit Name (eg, section) []:RAL-ISIS

Common Name (eg, your name or your server's hostname) []:reduce.isis.cclrc.ac.uk

Email Address []:

A challenge password []:

An optional company name []:

Then run:

openssl req -noout -text -in reduce.isis.cclrc.ac.uk_feb_2021.csr

cat reduce.isis.cclrc.ac.uk_feb_2021.csr

Keep the .key file, as we need it later, and keep it secure.

Send the .csr file to FIT

Dear helpdesk,

Please could you generate a 1 year EV certificate for reduce.isis.cclrc.ac.uk using the attached CSR.

Best,

Ricky

Once you receive the certificate back from FIT

On reduce.isis.cclrc.ac.uk:

cd C:\Apache24\certs

Back up the C:\Apache24\certs directory (although it won't be needed later if the new certificate is added successfully). The certs/ directory should be cleared now.

unzip reduce_isis_cclrc_ac_uk_feb_2021_276948.zip
mv RootCertificates/* .
rmdir RootCertificates/
cat QuoVadisEVRootCertificate.crt QuoVadisEVIntermediateCertificate.crt > cert-chain.txt

Put the .key file in C:\Apache24\certs

Then restart Apache using the Windows Services application. To debug Apache errors, check Event Viewer.

Enabling SSL on Apache 2.4 on Windows

In the C:\Apache24\conf\httpd.conf file, uncomment the following lines by removing the leading # sign:

#LoadModule ssl_module modules/mod_ssl.so

and

#Include conf/extra/httpd-default.conf

So these two lines should now appear as:

LoadModule ssl_module modules/mod_ssl.so

and

Include conf/extra/httpd-default.conf

C:\Apache24\conf\httpd.conf should contain:

...
Listen 80

<VirtualHost *:80>
ServerName reduce.isis.cclrc.ac.uk
ServerAlias reduce.isis.cclrc.ac.uk

Redirect permanent "/" "https://reduce.isis.cclrc.ac.uk/"
</VirtualHost>

<VirtualHost *:443>
ServerName reduce.isis.cclrc.ac.uk
ServerAlias reduce.isis.cclrc.ac.uk
SSLEngine on
SSLCertificateFile "C:/Apache24/certs/reduce_isis_cclrc_ac_uk.crt"
SSLCertificateKeyFile "C:/Apache24/certs/reduce.isis.cclrc.ac.uk_feb_2021.key"
SSLCertificateChainFile "C:/Apache24/certs/cert-chain.txt"
</VirtualHost>
...

C:\Apache24\conf\httpd-ssl.conf should contain:

...
SSLCertificateFile "${SRVROOT}/certs/reduce_isis_cclrc_ac_uk.crt"
...
...
SSLCertificateKeyFile "${SRVROOT}/certs/reduce.isis.cclrc.ac.uk_feb_2021.key"
...

Restart Apache to test these changes. To debug Apache errors, check Event Viewer.
