doc/certificate.md
Yunohost Admin 533244385b merge
2015-02-04 11:32:19 +01:00


# Certificate

Certificates are used to prove that your server is the genuine one and not an impostor.

YunoHost provides a self-signed certificate, which means that your server itself vouches for the validity of its own certificate. This is enough for personal use, because you trust your own server. It becomes a problem if you want to open access to anonymous visitors, for instance the general public for a website. Concretely, visitors will be met with a screen like this:

This screen asks the user: "Do you trust the server hosting this website?" It can frighten a lot of users (and rightly so).

To avoid this confusion, you can obtain a certificate signed by a "known" certificate authority (CA): Gandi, RapidSSL, StartSSL, CAcert. The point is then to replace the self-signed certificate by the one certified by the CA, after which users no longer see the warning screen.

## Add a certificate signed by an authority

Get your certificate from your CA. You must end up with two files: a private key (the `.key` file) and a public certificate (the `.crt` file).

Be careful: the key file is critical. It is strictly personal and must be kept secure.

Copy these two files to the server if they are not already there.

```bash
scp CERTIFICAT.crt admin@DOMAIN.TLD:ssl.crt
scp CLE.key admin@DOMAIN.TLD:ssl.key
```

From Windows, `scp` is available through PuTTY: download `pscp` and run:

```bash
pscp -P 22 CERTIFICAT.crt admin@DOMAIN.TLD:ssl.crt
pscp -P 22 CLE.key admin@DOMAIN.TLD:ssl.key
```

Now the files are on the server. Open a shell on the server, either through [ssh](https://yunohost.org/#/ssh_fr) or locally.

First, create a directory to archive the certificates.

```bash
sudo mkdir /etc/yunohost/certs/DOMAIN.TLD/ae_certs
sudo mv ssl.key ssl.crt /etc/yunohost/certs/DOMAIN.TLD/ae_certs/
```

Then move to the parent directory and continue from there.

```bash
cd /etc/yunohost/certs/DOMAIN.TLD/
```

Make a backup of the original YunoHost certificates, to be safe!

```bash
sudo mkdir yunohost_self_signed
sudo mv *.pem *.cnf yunohost_self_signed/
```

Depending on the CA, the intermediate and root certificates have to be downloaded.

> **StartSSL**
> ```bash
> sudo wget http://www.startssl.com/certs/ca.pem -O ae_certs/ca.pem
> sudo wget http://www.startssl.com/certs/sub.class1.server.ca.pem -O ae_certs/intermediate_ca.pem
> ```

> **Gandi**
> ```bash
> sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem -O ae_certs/intermediate_ca.pem
> ```

> **RapidSSL**
> ```bash
> sudo wget https://knowledge.rapidssl.com/library/VERISIGN/INTERNATIONAL_AFFILIATES/RapidSSL/AR1548/RapidSSLCABundle.txt -O ae_certs/intermediate_ca.pem
> ```

> **CAcert**
> ```bash
> sudo wget http://www.cacert.org/certs/root.crt -O ae_certs/ca.pem
> sudo wget http://www.cacert.org/certs/class3.crt -O ae_certs/intermediate_ca.pem
> ```

The intermediate and root certificates must be concatenated with the certificate you obtained, in that order, to create a single chain file.

If your CA provides a root certificate (StartSSL):

```bash
cat ae_certs/ssl.crt ae_certs/intermediate_ca.pem ae_certs/ca.pem | sudo tee crt.pem
```

If you only have an intermediate certificate:

```bash
cat ae_certs/ssl.crt ae_certs/intermediate_ca.pem | sudo tee crt.pem
```

The private key has to be converted to PEM format.

```bash
sudo openssl rsa -in ae_certs/ssl.key -out key.pem -outform PEM
```

Check the syntax of the certificates by inspecting the file contents.

```bash
cat crt.pem key.pem
```

Certificates and the private key look like this:

```
-----BEGIN CERTIFICATE-----
MIICVDCCAb0CAQEwDQYJKoZIhvcNAQEEBQAwdDELMAkGA1UEBhMCRlIxFTATBgNV
BAgTDENvcnNlIGR1IFN1ZDEQMA4GA1UEBxMHQWphY2NpbzEMMAoGA1UEChMDTExC
MREwDwYDVQQLEwhCVFMgSU5GTzEbMBkGA1UEAxMSc2VydmV1ci5idHNpbmZvLmZy
MB4XDTA0MDIwODE2MjQyNloXDTA0MDMwOTE2MjQyNlowcTELMAkGA1UEBhMCRlIx
FTATBgNVBAgTDENvcnNlIGR1IFN1ZDEQMA4GA1UEBxMHQWphY2NpbzEMMAoGA1UE
ChMDTExCMREwDwYDVQQLEwhCVFMgSU5GTzEYMBYGA1UEAxMPcHJvZi5idHNpbmZv
LmZyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSUagxPSv3LtgDV5sygt12
kSbN/NWP0QUiPlksOkF2NkPfwW/mf55dD1hSndlOM/5kLbSBo5ieE3TgikF0Iktj
BWm5xSqewM5QDYzXFt031DrPX63Fvo+tCKTQoVItdEuJPMahVsXnDyYHeUURRWLW
wc0BzEgFZGGw7wiMF6wt5QIDAQABMA0GCSqGSIb3DQEBBAUAA4GBALD640iwKPMf
pqdYtfvmLnA7CiEuao60i/pzVJE2LIXXXbwYjNAM+7Lov+dFT+b5FcOUGqLymSG3
kSK6OOauBHItgiGI7C87u4EJaHDvGIUxHxQQGsUM0SCIIVGK7Lwm+8e9I2X0G2GP
9t/rrbdGzXXOCl3up99naL5XAzCIp6r5
-----END CERTIFICATE-----
```

Finally, restrict the permissions on your certificate files.

```bash
sudo chown root:metronome crt.pem key.pem
sudo chmod 640 crt.pem key.pem
sudo chown root:root -R ae_certs
sudo chmod 600 -R ae_certs
```

Reload the Nginx configuration so that the new certificate is used.

```bash
sudo service nginx reload
```

Your certificate is ready to serve. You can check that everything is correct with an external service such as [geocerts](https://www.geocerts.com/ssl_checker).
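Before relying on an external checker, the same points can be verified locally on the server. The script below is an added example and not part of the YunoHost documentation or project: it assumes the `openssl` command-line tool is installed and that the files are laid out as described above (`crt.pem` with the server certificate first, `key.pem` holding the private key, and the CA certificate downloaded into `ae_certs/`). It checks that the private key belongs to the first certificate in the bundle, that the bundle chains up to the downloaded CA certificate, and that the certificate is not about to expire. The function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not YunoHost project code): local sanity checks for a
# certificate bundle assembled the way this page describes.
# Requires the openssl command-line tool.

# Concatenate certificates into the chain file in the order TLS clients
# expect: server certificate first, then intermediates, root (if any) last.
build_chain() {
    out="$1"
    shift
    cat "$@" > "$out"
}

# Returns 0 if the private key in $2 belongs to the first (server)
# certificate in $1. The public keys are compared rather than RSA moduli,
# so the check also works for non-RSA keys. "openssl x509" only reads the
# first certificate of a file, which is exactly the one we want here.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the server certificate in $1 chains up to the trust anchor
# in $2. The bundle itself is offered as the source of untrusted
# intermediates, so a missing or mis-ordered intermediate fails here.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Returns 0 if the server certificate in $1 stays valid for at least
# $2 more seconds (openssl's -checkend exits non-zero when it would expire).
valid_for_at_least() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Run every check: check_bundle CRT_PEM KEY_PEM ANCHOR_PEM
check_bundle() {
    key_matches_cert "$1" "$2" || { echo "private key does not match the certificate" >&2; return 1; }
    chain_verifies "$1" "$3" || { echo "certificate does not chain to the given CA" >&2; return 1; }
    valid_for_at_least "$1" $((30 * 24 * 3600)) || { echo "certificate expires within 30 days" >&2; return 1; }
    echo "bundle OK"
}

# Usage on the layout from this page (paths are assumptions, not fixed by YunoHost):
#   check_bundle /etc/yunohost/certs/DOMAIN.TLD/crt.pem \
#                /etc/yunohost/certs/DOMAIN.TLD/key.pem \
#                /etc/yunohost/certs/DOMAIN.TLD/ae_certs/ca.pem
```

When the CA only ships an intermediate certificate (the Gandi and RapidSSL cases above), there is no `ae_certs/ca.pem`; pass the system trust bundle as the third argument instead, which on Debian is `/etc/ssl/certs/ca-certificates.crt`. A failure in `chain_verifies` with a correct key almost always means the intermediate was omitted or placed before the server certificate in `crt.pem`.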