Create kuit_ssl_certs.md

acwhite211 · web-flow · commit 9fc242711f50 · 2024-09-04T01:49:11.000-05:00
diff --git a/sphinx/server_management/kuit_ssl_certs.md b/sphinx/server_management/kuit_ssl_certs.md
@@ -0,0 +1,148 @@
+## New certificate on biprdsp7wbdb.cc.ku.edu server
+
+Form to request new certificate: https://kuit.service-now.com/nav_to.do?uri=%2Fcom.glideapp.servicecatalog_cat_item_view.do%3Fv%3D1%26sysparm_id%3D78fee42fdb2a8850162673e1ba96195b%26sysparm_link_parent%3D322911f41bec6490cf2d337e034bcb23%26sysparm_catalog%3De0d08b13c3330100c8b837659bba8fb4%26sysparm_catalog_view%3Dcatalog_default%26sysparm_view%3Dcatalog_default
+
+generate CSR string:
+```bash
+openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
+```
+
+with configuration:
+```
+Country Name (2 letter code) [XX]:US
+State or Province Name (full name) []:Kansas
+Locality Name (eg, city) [Default City]:Lawrence
+Organization Name (eg, company) [Default Company Ltd]:University of Kansas
+Organizational Unit Name (eg, section) []:Specify
+Common Name (eg, your name or your server's hostname) []:biimages.biodiversity.ku.edu
+Email Address []:alec.white@ku.edu
+A challenge password []:
+An optional company name []:
+```
+
+verify configuration with `openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr` with output
+```
+C = US, ST = Kansas, L = Lawrence, O = University of Kansas, OU = Specify, CN = biimages.biodiversity.ku.edu, emailAddress = alec.white@ku.edu
+```
+
+after receiving new certificate files
+```
+biimages_biodiversity_ku_edu.cer
+biimages_biodiversity_ku_edu_cert.cer
+biimages.biodiversity.ku.edu.conf
+biimages_biodiversity_ku_edu.crt
+biimages_biodiversity_ku_edu_interm.cer
+biimages_biodiversity_ku_edu.p7b
+biimages_biodiversity_ku_edu.pem
+```
+
+generate 'fullchain.pem' file with concatenation
+```bash
+cat biimages_biodiversity_ku_edu.pem biimages_biodiversity_ku_edu_interm.cer > fullchain.pem
+```
+
+then run commands to copy files into proper locations (make sure the number is incremented ex. 40)
+```bash
+sudo cp server.key /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/privkey40.pem
+sudo cp biimages_biodiversity_ku_edu.pem /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/cert40.pem;
+sudo cp biimages_biodiversity_ku_edu_interm.cer /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/chain40.pem;
+sudo cp fullchain.pem /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/fullchain40.pem;
+```
+
+then create symbolic links to where the nginx file looks for SSL files
+```bash
+sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/fullchain40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/fullchain.pem;
+sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/privkey40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/privkey.pem;
+sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/chain40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/chain.pem;
+sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/cert40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/cert.pem;
+```
+
+here are the line in the '/etc/nginx/conf.d/web-asset-server.conf' nginx file `sudo vim /etc/nginx/conf.d/web-asset-server.conf`
+```
+server_name biimages.biodiversity.ku.edu;
+ssl_certificate /etc/letsencrypt/live/biimages.biodiversity.ku.edu/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/biimages.biodiversity.ku.edu/privkey.pem;
+```
+
+verify the key and cert are correct by making sure their hashes are the same
+```bash
+sudo openssl x509 -noout -modulus -in /etc/letsencrypt/live/biimages.biodiversity.ku.edu/cert.pem | openssl md5
+sudo openssl rsa -noout -modulus -in /etc/letsencrypt/live/biimages.biodiversity.ku.edu/privkey.pem | openssl md5
+```
+
+verify the expiration date of the cert:
+```
+sudo openssl x509 -in fullchain.pem -noout -dates;
+```
+
+restart nginx
+```bash
+sudo systemctl restart nginx.service
+#sudo systemctl restart web-asset-server.service
+sudo systemctl status web-asset-server.service
+```
+
+## web-portal certificate
+
+here are the lines in the `/etc/nginx/conf.d/webportal-nginx.conf` nginx file
+```
+server_name collections.biodiversity.ku.edu;
+ssl_certificate /home/specify/keystore/collections_biodiversity_ku_edu_cert.cer;
+ssl_certificate_key /home/specify/keystore/collections_biodiversity_ku_edu.key;
+```
+
+```bash
+cat collections_biodiversity_ku_edu.pem collections_biodiversity_ku_edu_interm.cer > fullchain.pem
+```
+
+```bash
+sudo cp collections_biodiversity_ku_edu_cert.cer /home/specify/keystore/cert.pem
+sudo cp ~/webportal-keys/webportal_server.key /home/specify/keystore/privkey.pem
+sudo cp ~/webportal-keys/fullchain.pem /home/specify/keystore/fullchain.pem
+```
+
+```bash
+sudo chown specify:bi-sp7access cert.pem;
+sudo chown specify:bi-sp7access privkey.pem;
+sudo chown specify:bi-sp7access fullchain.pem;
+```
+
+```bash
+sudo systemctl restart nginx.service
+#sudo systemctl restart webportal-solr.service
+sudo systemctl status webportal-solr.service
+```
+
+## specify.ku.edu ssl cert update
+
+uses apache server
+```bash
+sudo systemctl status httpd.service
+sudo ls -la /etc/httpd/conf.d
+sudo vim /etc/httpd/conf.d/ipt+specify. # server config file
+
+sudo openssl req -new -newkey rsa:2048 -nodes -keyout specify.ku.edu.key -out specify.ku.edu.csr
+
+# Verify the private key
+sudo openssl rsa -in /home/anhalt/ssl/2024/specify_ku_edu.key -check
+# Verify the SSL certificate
+sudo openssl x509 -in /home/anhalt/ssl/2024/certs/specify_ku_edu_cert.cer -text -noout
+# Verify the certificate matches the private key
+sudo openssl x509 -noout -modulus -in /home/anhalt/ssl/2024/certs/specify_ku_edu.cer | openssl md5
+sudo openssl rsa -noout -modulus -in /home/anhalt/ssl/2024/specify_ku_edu.key | openssl md5
+# Check the certificate chain
+sudo openssl verify -CAfile /home/anhalt/ssl/2024/certs/specify_ku_edu_interm.cer /home/anhalt/ssl/2024/certs/specify_ku_edu_cert.cer
+
+# Test apache config
+sudo httpd -t
+sudo systemctl restart httpd
+sudo systemctl status httpd
+sudo tail -f /var/log/httpd/error_log
+```
+
+
+
+nevermind, just need to do this, copy the `specify.ku.edu.key` file from the previous year, it remains the same, just need the new `specify_ku_edu_cert.cer` and `specify_ku_edu_interm.cer` files
+
+
+
