John's Vademecum

Try to learn something about everything, and everything about something -Thomas Huxley “Darwin's bulldog” (1824-1895)

User Tools

Site Tools

You are here: My digital Commonplace Book » Public Area » 01 : Radio » 2025 Radio Topics » YaDDNet : VPS SSL Renewal
Trace:
public:radio:2025:yaddnet_ssl_renewal

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
public:radio:2025:yaddnet_ssl_renewal [15/03/25 06:55 GMT] – created johnpublic:radio:2025:yaddnet_ssl_renewal [13/10/25 07:00 BST] (current) – [UPDATE ON TWO INTERMEDIATE CERTIFICATES 5/7/25] john
Line 2: Line 2:
  
  
-====== Yaddnet VPS SSL Renewal ======+====== YaDDNet : VPS SSL Renewal ======
  
 ** Renewed SSL certificates for 2025/6 ** ** Renewed SSL certificates for 2025/6 **
  
 +<note important>Read the final part about combining the 2 intermediate certificates!</note>
 ===== 15/03/25 : SSL certificates ===== ===== 15/03/25 : SSL certificates =====
  
Line 13: Line 14:
     * Download //both// "Intermediate Certificates"     * Download //both// "Intermediate Certificates"
       * not sure why there are 2 //intermediate// certificates       * not sure why there are 2 //intermediate// certificates
-      * rename one as ''ca.pem'' +      * rename one as ''ca.pem.1'' 
-      * renmame other as ''ca.pem.temp''+      * renmame other as ''ca.pem.2''
   * Use WinSCP to copy the 3 certificates to the Yaddnet VPS   * Use WinSCP to copy the 3 certificates to the Yaddnet VPS
   * Log on to yaddnet vps via SSH   * Log on to yaddnet vps via SSH
Line 23: Line 24:
     * for clarity this gives new files     * for clarity this gives new files
       * ''/usr/local/ssl/signed.crt''       * ''/usr/local/ssl/signed.crt''
-      * ''/usr/local/ssl/ca.pem'' +      * ''/usr/local/ssl/ca.pem.1'' 
-      * ''/usr/local/ssl/ca.pem.temp''+      * ''/usr/local/ssl/ca.pem.2'' 
 +      * copy ''ca.pem.2'' -> ''ca.pem''
     * Restart Apache     * Restart Apache
       * ''service apache2 restart''       * ''service apache2 restart''
Line 31: Line 33:
       * check site security       * check site security
  
-{{:public:radio:2025:screenshot_2025-03-15_064708.png?400|}}+{{:public:radio:2025:screenshot_2025-03-15_072557.png?400|}}
  
-  * swap ''ca.pem'' files (ca.pem -> ca.pem.temp and ca.pem.temp -> ca.pem by whatever means)+  * swap ''ca.pem'' files (copy ''ca.pem.1'' -> ''ca.pem'')
   * Restart Apache   * Restart Apache
   * browse to [[https://www.yaddnet.org/index.php?]]   * browse to [[https://www.yaddnet.org/index.php?]]
Line 39: Line 41:
   * security also valid   * security also valid
  
 +==== Different intermediate CA.pem certificates ====
 +
 +I used openssl to inspect the two different //intermediate// certificates 
 +
 +<code>gm4slv@yaddnet2:~ $ openssl x509 -in ca.pem -noout -text > /home/gm4slv/capemold.txt</code>
 +
 +
 +  * for ca.pem.1
 +
 +<code>
 +Certificate:
 +    Data:
 +        Version: 3 (0x2)
 +        Serial Number:
 +            39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95
 +        Signature Algorithm: sha384WithRSAEncryption
 +        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
 +        Validity
 +            Not Before: Mar 12 00:00:00 2019 GMT
 +            Not After : Dec 31 23:59:59 2028 GMT
 +        Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 +
 +</code>
 +
 +  * or ca.pem.2
 +
 +<code>
 +Certificate:
 +    Data:
 +        Version: 3 (0x2)
 +        Serial Number:
 +            7d:5b:51:26:b4:76:ba:11:db:74:16:0b:bc:53:0d:a7
 +        Signature Algorithm: sha384WithRSAEncryption
 +        Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 +        Validity
 +            Not Before: Nov  2 00:00:00 2018 GMT
 +            Not After : Dec 31 23:59:59 2030 GMT
 +        Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 +</code>
 +
 +  * and for completeness the //old// original ca.pem from prior to the renewal
 +
 +<code>
 +Certificate:
 +    Data:
 +        Version: 3 (0x2)
 +        Serial Number:
 +            0d:e0:ff:b5:ee:62:cb:61:10:9f:60:8c:9c:ed:5e:d3
 +        Signature Algorithm: sha256WithRSAEncryption
 +        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
 +        Validity
 +            Not Before: Nov 27 12:46:40 2017 GMT
 +            Not After : Nov 27 12:46:40 2027 GMT
 +        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
 +</code>
 +
 +It appears that the certificate (ca.pem.2) from "Sectigo" has the longest validity, and that this is the more recent/appropriate one, so I've made it the certificate in use 
 +
 +''sudo cp ca.pem.2 ca.pem''
 +
 +''sudo service apache2 restart''
 +
 +
 +
 +===== UPDATE ON TWO INTERMEDIATE CERTIFICATES 5/7/25 =====
 +
 +<note important>I've discovered that the 2 Intermediate Certificates are necessary to complete the //chain// of authority.
 +</note>
 +
 +
 +What should be done is to join them together into one //ca.pem// file (and in the correct order.... )
 +
 +**Don't rename the 2 files as ''ca.pem.1'' and ''ca.pem.2'' per the above  **
 +
 +Transfer them both with their **//original//** names and then ''cat'' them together
 +
 +<code bash>
 +
 +[root@yaddnet2:/home/g4slv/ssl]# cat 397A66CC2756362E0DAA87CA6EABE3B1.cer 7D5B5126B476BA11DB74160BBC530DA7.cer > ca.pem
 +
 +[root@yaddnet2:/home/g4slv/ssl]# cp ca.pem /usr/local/ssl
 +
 +[root@yaddnet2:/home/g4slv/ssl]# systemctl restart apache2
 +
 +</code>
 +
 +Check correct SSL operation at [[https://www.ssllabs.com/ssltest/analyze.html]]
  
  
Line 47: Line 136:
  
  
-{{tag>}}+{{tag>yaddnet radio}}
  
  
public/radio/2025/yaddnet_ssl_renewal.1742021739.txt.gz · Last modified: by john