Differences

This shows you the differences between two versions of the page.

--- public:radio:2025:yaddnet_ssl_renewal [15/03/25 06:55 GMT] – created john
+++ public:radio:2025:yaddnet_ssl_renewal [17/03/25 07:03 GMT] (current) – [YaDDNet VPS SSL Renewal] john
@@ Line 2: / Line 2: @@
-====== Yaddnet VPS SSL Renewal ======
+====== YaDDNet : VPS SSL Renewal ======
 ** Renewed SSL certificates for 2025/6 **
@@ Line 13: / Line 13: @@
     * Download //both// "Intermediate Certificates"
       * not sure why there are 2 //intermediate// certificates
-      * rename one as ''ca.pem''
+      * rename one as ''ca.pem.1''
-      * renmame other as ''ca.pem.temp''
+      * renmame other as ''ca.pem.2''
   * Use WinSCP to copy the 3 certificates to the Yaddnet VPS
   * Log on to yaddnet vps via SSH
@@ Line 23: / Line 23: @@
     * for clarity this gives new files
       * ''/usr/local/ssl/signed.crt''
-      * ''/usr/local/ssl/ca.pem''
+      * ''/usr/local/ssl/ca.pem.1''
-      * ''/usr/local/ssl/ca.pem.temp''
+      * ''/usr/local/ssl/ca.pem.2''
+      * copy ''ca.pem.2'' -> ''ca.pem''
     * Restart Apache
       * ''service apache2 restart''
@@ Line 31: / Line 32: @@
       * check site security
-{{:public:radio:2025:screenshot_2025-03-15_064708.png?400|}}
+{{:public:radio:2025:screenshot_2025-03-15_072557.png?400|}}
-  * swap ''ca.pem'' files (ca.pem -> ca.pem.temp and ca.pem.temp -> ca.pem by whatever means)
+  * swap ''ca.pem'' files (copy ''ca.pem.1'' -> ''ca.pem'')
   * Restart Apache
   * browse to [[https://www.yaddnet.org/index.php?]]
@@ Line 39: / Line 40: @@
   * security also valid
+==== Different intermediate CA.pem certificates ====
+I used openssl to inspect the two different //intermediate// certificates
+<code>gm4slv@yaddnet2:~ $ openssl x509 -in ca.pem -noout -text > /home/gm4slv/capemold.txt</code>
+  * for ca.pem.1
+<code>
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95
+        Signature Algorithm: sha384WithRSAEncryption
+        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
+        Validity
+            Not Before: Mar 12 00:00:00 2019 GMT
+            Not After : Dec 31 23:59:59 2028 GMT
+        Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
+</code>
+  * or ca.pem.2
+<code>
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+d:5b:51:26:b4:76:ba:11:db:74:16:0b:bc:53:0d:a7
+        Signature Algorithm: sha384WithRSAEncryption
+        Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
+        Validity
+            Not Before: Nov  2 00:00:00 2018 GMT
+            Not After : Dec 31 23:59:59 2030 GMT
+        Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
+</code>
+  * and for completeness the //old// original ca.pem from prior to the renewal
+<code>
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+d:e0:ff:b5:ee:62:cb:61:10:9f:60:8c:9c:ed:5e:d3
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
+        Validity
+            Not Before: Nov 27 12:46:40 2017 GMT
+            Not After : Nov 27 12:46:40 2027 GMT
+        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
+</code>
+It appears that the certificate (ca.pem.2) from "Sectigo" has the longest validity, and that this is the more recent/appropriate one, so I've made it the certificate in use
+''sudo cp ca.pem.2 ca.pem''
+''sudo service apache2 restart''
@@ Line 47: / Line 109: @@
-{{tag>}}
+{{tag>yaddnet radio}}