HTTPS Setup for masspirates.org

From Mass Pirate Wiki
Revision as of 20:57, 27 February 2014 by Srevilak (talk | contribs)
Jump to navigationJump to search

masspirates.org has a self-signed X509 certificate. Since our cert wasn't issued by one of the well-known members of the certificate cartel, browsers will give a warning about "not being able to identify the site's identity". People accessing our site will have to make the decision to trust us (as opposed to having their web browser make that decision for them).

MFPL supports subject alternative names, so we were able to set up HTTPs without getting a dedicated IP address. However, one has to tweak openssl's configuration, in order to generate a certificate with the x509v3 subjectAltName extension.

Here's what to change in openssl.cnf (or, a local copy of openssl.cnf)

 sunny:~$ diff -u /etc/ssl/openssl.cnf .openssl.cnf
 --- /etc/ssl/openssl.cnf        2013-12-18 08:37:55.000000000 -0500
 +++ .openssl.cnf        2014-02-27 20:28:27.728143498 -0500
 @@ -63,7 +63,7 @@
  cert_opt       = ca_default            # Certificate field options
  
  # Extension copying option: use with caution.
 -# copy_extensions = copy
 +copy_extensions = copy
  
  # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  # so this is commented out by default to leave a V1 CRL.
 @@ -122,7 +122,7 @@
  # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
  string_mask = utf8only
  
 -# req_extensions = v3_req # The extensions to add to a certificate request
 +req_extensions = v3_req # The extensions to add to a certificate request
  
  [ req_distinguished_name ]
  countryName                    = Country Name (2 letter code)
 @@ -220,6 +220,7 @@
  
  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +subjectAltName = DNS:masspirates.org
  
  [ v3_ca ]
  
 @@ -233,11 +234,16 @@
  
  authorityKeyIdentifier=keyid:always,issuer
  
 +basicConstraints = CA:false
 +keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +subjectAltName = DNS:masspirates.org
 +
 +
  # This is what PKIX recommends but some broken software chokes on critical
  # extensions.
  #basicConstraints = critical,CA:true
  # So we do this instead.
 -basicConstraints = CA:true
 +# basicConstraints = CA:true
  
  # Key usage: this is typical for a CA certificate. However since it will
  # prevent it being used as an test self-signed certificate it is best

The key points are req_extensions = v3_req, and the lines added to v3_ca. (I added the same three lines to v3_req, but for self signing, only v3_ca seems to matter.

Next, generate the certificate

 openssl req -new -nodes -x509 \
   -out masspirates.org.crt \
   -newkey rsa:4096 \ 
   -keyout masspirates.org.key \
   -config ~/.openssl.cnf \
   -days 730

Here is our fingerprint

 0 sunny:~$ openssl x509 -fingerprint -noout -in masspirates.org.crt 
 SHA1 Fingerprint=81:80:D8:88:5A:41:C3:89:B0:B2:1F:B8:10:52:E5:6B:F7:D7:9E:9B

Via MFPL control panel, add an https web configuration. The https configuration should contain everything in the http section, along with the following lines

 SSLEngine on
 SSLCertificateFile /PATH/TO/masspirates.org/include/cert/masspirates.org.crt
 SSLCertificateKeyFile /PATH/TO/masspirates.org/include/cert/masspirates.org.key

For mediawiki to work, you'll need to change $wg

 -$wgServer           = "http://masspirates.org";
 +$wgServer           = "//masspirates.org";

Mediawiki calls this a "protocol neutral link". Some browsers will refuse to fetch both http and https urls from the same hostname. The protocol neutral server avoids this.

We'll have to do a similar thing to wordpress. I suspect that wordpress wants to use a base url of "http://masspirates.org", but we really want it to use a base url of "/".