Working with central KU IT

New certificate on ku.edu server

Form to request new certificate: https://kuit.service-now.com/nav_to.do?uri=%2Fcom.glideapp.servicecatalog_cat_item_view.do%3Fv%3D1%26sysparm_id%3D78fee42fdb2a8850162673e1ba96195b%26sysparm_link_parent%3D322911f41bec6490cf2d337e034bcb23%26sysparm_catalog%3De0d08b13c3330100c8b837659bba8fb4%26sysparm_catalog_view%3Dcatalog_default%26sysparm_view%3Dcatalog_default

generate the private key and CSR (the key stays on the server; only server.csr is pasted into the request form):

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

with configuration:

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Kansas
Locality Name (eg, city) [Default City]:Lawrence
Organization Name (eg, company) [Default Company Ltd]:University of Kansas
Organizational Unit Name (eg, section) []:Specify
Common Name (eg, your name or your server's hostname) []:biimages.biodiversity.ku.edu
Email Address []:alec.white@ku.edu
A challenge password []:
An optional company name []:

Verify the CSR subject with openssl req -noout -subject -in server.csr, which should print

C = US, ST = Kansas, L = Lawrence, O = University of Kansas, OU = Specify, CN = biimages.biodiversity.ku.edu, emailAddress = alec.white@ku.edu
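Added example (not part of these notes): the same key/CSR generation done non-interactively with -subj, plus the checks worth running before pasting the CSR into the request form: the subject reads back as expected, the CSR's self-signature verifies, and the CSR really was built from the server.key that will stay on the box. The subject fields are copied from the notes above; file paths are whatever you pass in.

```shell
# Added example, not from the original notes. Generates the key and CSR
# non-interactively and verifies the CSR before it is submitted.
set -eu

# Subject fields exactly as answered in the notes above; change OU/CN/email for another host.
SUBJ="/C=US/ST=Kansas/L=Lawrence/O=University of Kansas/OU=Specify/CN=biimages.biodiversity.ku.edu/emailAddress=alec.white@ku.edu"

# make_csr KEYFILE CSRFILE SUBJECT -> writes a new 2048-bit RSA key and a CSR for it
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" -keyout "$1" -out "$2" 2>/dev/null
    chmod 600 "$1"   # the private key must never be group/world readable
}

# csr_subject CSRFILE -> prints the subject line in the "C = US, ST = Kansas, ..." form shown above
csr_subject() {
    openssl req -noout -subject -in "$1" | sed 's/^subject=//'
}

# csr_signature_ok CSRFILE -> exit 0 if the CSR's self-signature verifies
csr_signature_ok() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# csr_matches_key CSRFILE KEYFILE -> exit 0 if the public key in the CSR belongs to KEYFILE
csr_matches_key() {
    [ "$(openssl req -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Usage (uncomment to run for real):
# make_csr server.key server.csr "$SUBJ"
# csr_subject server.csr
# csr_signature_ok server.csr && csr_matches_key server.csr server.key && echo "CSR ready to submit"
```

csr_matches_key is the same idea as the modulus comparison later in these notes, but it compares the whole public key, so it also works if the key is ever switched from RSA to EC.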

after receiving the new certificate files:

biimages_biodiversity_ku_edu.cer
biimages_biodiversity_ku_edu_cert.cer
biimages.biodiversity.ku.edu.conf
biimages_biodiversity_ku_edu.crt
biimages_biodiversity_ku_edu_interm.cer
biimages_biodiversity_ku_edu.p7b
biimages_biodiversity_ku_edu.pem

generate the 'fullchain.pem' file by concatenating the server certificate and the intermediate:

cat biimages_biodiversity_ku_edu.pem biimages_biodiversity_ku_edu_interm.cer > fullchain.pem

then copy the files into the letsencrypt archive directory (increment the number in the file names, e.g. 40, so the previous set is kept rather than overwritten)

sudo cp server.key /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/privkey40.pem
sudo cp biimages_biodiversity_ku_edu.pem /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/cert40.pem;
sudo cp biimages_biodiversity_ku_edu_interm.cer /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/chain40.pem;
sudo cp fullchain.pem /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/fullchain40.pem;

then create symbolic links in the live/ directory, which is where the nginx config looks for the SSL files

sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/fullchain40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/fullchain.pem;
sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/privkey40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/privkey.pem;
sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/chain40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/chain.pem;
sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/cert40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/cert.pem;
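Added example (not part of these notes): the copy-and-relink steps above, done as one function that works out the next archive number itself instead of "40" being edited by hand in eight commands. It also builds fullchain.pem from the certificate and intermediate, so that step cannot be skipped. The domain and file paths are parameters; the /etc/letsencrypt layout is the one the notes use, and an alternative root directory can be passed so it can be tried in a scratch directory first.

```shell
# Added example, not from the original notes. Installs a renewed certificate
# into the letsencrypt-style archive/ and live/ layout used above.
set -eu

# next_archive_number ARCHIVE_DIR -> prints (highest N in privkeyN.pem) + 1, or 1 if none
next_archive_number() {
    max=0
    for f in "$1"/privkey*.pem; do
        [ -e "$f" ] || continue                 # glob did not match anything
        n=${f##*/privkey}; n=${n%.pem}
        case $n in ''|*[!0-9]*) continue ;; esac  # skip names that are not privkey<digits>.pem
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    echo $((max + 1))
}

# install_cert DOMAIN KEY CERT CHAIN [ROOT]
#   copies key/cert/chain to ROOT/archive/DOMAIN/<name><N>.pem, writes fullchain<N>.pem
#   as cert+chain, then repoints ROOT/live/DOMAIN/<name>.pem at the new files.
#   Prints N so the caller can log which set is now live.
install_cert() {
    domain=$1 key=$2 cert=$3 chain=$4 root=${5:-/etc/letsencrypt}
    archive="$root/archive/$domain"; live="$root/live/$domain"
    mkdir -p "$archive" "$live"
    n=$(next_archive_number "$archive")
    cp "$key"   "$archive/privkey$n.pem"
    cp "$cert"  "$archive/cert$n.pem"
    cp "$chain" "$archive/chain$n.pem"
    cat "$cert" "$chain" > "$archive/fullchain$n.pem"   # same as the cat step above
    chmod 600 "$archive/privkey$n.pem"
    for name in privkey cert chain fullchain; do
        ln -sf "$archive/$name$n.pem" "$live/$name.pem"
    done
    echo "$n"
}

# Usage on the real server (needs sudo for /etc/letsencrypt):
# sudo sh -c '. ./install_cert.sh; install_cert biimages.biodiversity.ku.edu \
#     server.key biimages_biodiversity_ku_edu.pem biimages_biodiversity_ku_edu_interm.cer'
```

Because the old archive files are left in place, rolling back is just re-pointing the four live/ symlinks at the previous number and restarting nginx.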

here are the relevant lines in the '/etc/nginx/conf.d/web-asset-server.conf' nginx file

server_name biimages.biodiversity.ku.edu;
ssl_certificate /etc/letsencrypt/live/biimages.biodiversity.ku.edu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/biimages.biodiversity.ku.edu/privkey.pem;

verify that the key and cert belong together by checking that the MD5 of their RSA moduli are the same

sudo openssl x509 -noout -modulus -in /etc/letsencrypt/live/biimages.biodiversity.ku.edu/cert.pem | openssl md5
sudo openssl rsa -noout -modulus -in /etc/letsencrypt/live/biimages.biodiversity.ku.edu/privkey.pem | openssl md5
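Added example (not part of these notes): a pre-flight check over the live/ files that goes a bit beyond the modulus comparison above. It compares a SHA-256 hash of the public key (so it also works for non-RSA keys), verifies the certificate against the chain file, checks the expiry date, and checks that the certificate was actually issued for the server_name in the nginx config. Running this before the restart catches a wrong file, a stale symlink or a mis-numbered copy while the old certificate is still being served. Directory and hostname are parameters; the file names are the ones the live/ directory uses above.

```shell
# Added example, not from the original notes. Checks the certificate set in a
# live/ directory before nginx is restarted to use it.
set -eu

# pubkey_pem FILE KIND -> public key in PEM; KIND is x509 (certificate) or pkey (private key)
pubkey_pem() {
    if [ "$2" = x509 ]; then openssl x509 -noout -pubkey -in "$1"; else openssl pkey -pubout -in "$1"; fi
}

# pubkey_fingerprint FILE KIND -> SHA-256 of the DER-encoded public key (hex)
pubkey_fingerprint() {
    pubkey_pem "$1" "$2" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT -> 0 if CERT carries the public half of KEY
key_matches_cert() {
    [ "$(pubkey_fingerprint "$2" x509)" = "$(pubkey_fingerprint "$1" pkey)" ]
}

# chain_ok CERT CHAIN -> 0 if CERT verifies using CHAIN plus the system trust store
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# not_expiring CERT DAYS -> 0 if CERT is still valid DAYS days from now
not_expiring() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# cert_covers_host CERT HOST -> 0 if HOST equals the CN or one of the DNS SANs
cert_covers_host() {
    openssl x509 -noout -subject -ext subjectAltName -in "$1" 2>/dev/null \
        | grep -Eq "(CN ?= ?|DNS:)$2(,|$)"
}

# preflight LIVE_DIR HOST -> prints "ok", or the first failing check and returns 1
preflight() {
    key_matches_cert "$1/privkey.pem" "$1/cert.pem"  || { echo "key/cert mismatch"; return 1; }
    chain_ok "$1/cert.pem" "$1/chain.pem"             || { echo "chain does not verify"; return 1; }
    not_expiring "$1/cert.pem" 14                      || { echo "cert expires within 14 days"; return 1; }
    cert_covers_host "$1/cert.pem" "$2"                || { echo "cert not issued for $2"; return 1; }
    echo "ok"
}

# Usage on the server (privkey.pem is root-readable only, hence sudo):
# sudo sh -c '. ./preflight.sh; preflight /etc/letsencrypt/live/biimages.biodiversity.ku.edu biimages.biodiversity.ku.edu'
```

Follow it with sudo nginx -t, which parses the nginx config and opens the certificate and key files it references, and only then do the restart.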

restart nginx through its service unit and check that it came back up

sudo systemctl restart web-asset-server.service
sudo systemctl status web-asset-server.service

web-portal certificate

here are the relevant lines in the /etc/nginx/conf.d/webportal-nginx.conf nginx file

server_name collections.biodiversity.ku.edu;
ssl_certificate /home/specify/keystore/collections_biodiversity_ku_edu_cert.cer;
ssl_certificate_key /home/specify/keystore/collections_biodiversity_ku_edu.key;

build the full chain from the new certificate files (the copy commands below expect it in ~/webportal-keys)

cat collections_biodiversity_ku_edu.pem collections_biodiversity_ku_edu_interm.cer > fullchain.pem

then copy the files into the keystore and set ownership so the specify user and the bi-sp7access group can read them (full paths, so the chown works from any directory)

sudo cp collections_biodiversity_ku_edu_cert.cer /home/specify/keystore/cert.pem
sudo cp ~/webportal-keys/webportal_server.key /home/specify/keystore/privkey.pem
sudo cp ~/webportal-keys/fullchain.pem /home/specify/keystore/fullchain.pem
sudo chown specify:bi-sp7access /home/specify/keystore/cert.pem
sudo chown specify:bi-sp7access /home/specify/keystore/privkey.pem
sudo chown specify:bi-sp7access /home/specify/keystore/fullchain.pem