(OUTDATED) Setting up a free SSL certificate for a new OFN instance

Continuing the discussion from Starting the OFN in a new country (separate instance of OFN):

Here are some instructions to generate a free SSL certificate using StartSSL.

  1. Authenticate with StartSSL
  2. Validate the domain.
    Validations Wizard -> Domain Name Validation
    You’ll need access to a domain-related email address to complete this (eg. webmaster@yourdomain)
  3. Generate a private key and CSR (certificate signing request)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout yourdomain.2015.key -out yourdomain.2015.csr
    Organisation: Open Food Foundation
  4. Generate the certificate
    Certificates Wizard -> Web Server SSL/TLS Certificate
    Skip private key generation
  5. Save the certificate
    cat > yourdomain.2015.crt
  6. Combine the intermediate certificates
    cat yourdomain.2015.crt sub.class1.server.ca.pem ca.pem > yourdomain.2015.unified.crt
    See: https://www.startssl.com/?app=42
  7. Update certificate permissions
    chown root.root *
    chmod 600 *
  8. Update nginx config to point to the new certificate and key
  9. Restart nginx
    service nginx reload
  10. Verify the installation
    In browser, check expiry date
    Run verification: https://www.ssllabs.com/ssltest/

@MyriamBoure @CynthiaReynolds - see above for some more detailed instructions from rohan on generating the ssl certificate. apparently you can do this anytime within the 30 day window that you have for authenticating the domain. the certificate will then last a year . .

I’m having some trouble…@RohanM, when looking on the web, it seems that you need to do that from the server you will be using, to generate the key and CSR, and then of course for installation. From Norway we don’t have the hand on the server, Raf is helping us on that from UK. Should I just ask Raf the step 3 and he send me the key and I generate the certificate and send the next step for Raf to install that on the server? @Kirsten can we do that? I don’t want to ask more things to Raf but I guess we can’t do that without him… and I’m not sure another paying solution will change anything, as the key has to be generated on the server…

Ok… I got some help at home :slight_smile: We managed to generate the key and csr for the point 3. So to make it easier for the next ones (especially for non IT) here is what we did:
3.1 Download OpenSSL (for windows for us)
3.2 Then you type the command

For Windows, you need to add the congif file, so the command will be:
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout openfoodnetwork.no.2015.key -out openfoodnetwork.no.2015.csr -config [OpenSSL Directory]\bin\openssl.cfg
3.3 Skip all the fields exept “organization”, where you indicate: Open Food Foundation

Point 4.
4.1 Certificates Wizard → Web Server SSL/TLS Certificate
4.2 Skip private key generation
4.3 You will be asked to copy/paste the csr you just generated in point 3.
4.4 The request is submitted, then you have to associate it with a domain name, and add a subdomain (we added admin.openfoodnetwork.no).
4.5 It has to be treated manually before you get an answer from StartCom

We tried it in many different way, but each time, our request is declined by StartCom, with the following message:
“Thank you for requesting a digital certificate with us. However Class 1 certificates are not meant to be used for commercial activities or financial transactions according to our policy. For this purpose please consider upgrading to Class 2 or higher verification level.”

I wrote to them to understand, let’s see there answer, but if that doesn’t work we’ll just go for a paying solution as we are using too much time on this!

Got an answer from StartSSL: "your site implements a shopping cart or similar which is considered e-commerce and not suitable for our Class 1 certificates."
I guess we’ll take a paying solution the the free SSL doesn’t work anymore…

how annoying! after all that - they must have changed policy :frowning: So do you know how to get a paid one or I should try to get more info?

assuming you’ll send the details to raf once you have them, so let me know if that’s wrong and you need me to do anything

I think it should be ok, thanks a lot anyway, we tried!

Do we need only a domain validation or an organization validation?

The cheapest offer we have found is the one from ssl.com (49$ per year for Basic SSL) https://ssl.com/. Is it enough for what we need?
If we need an organization validation, then we’ll go for Buypass (http://www.buypass.com/products-and-services/ssl-certificates) or Trustwave (https://ssl.trustwave.com/ssl-premium.php), both are around 120$ per year if you take a 2 or 3 year commitment.
Comodo Instant SSL seems to validate also organization and is much cheaper when bought through resellers (for example ProISL in Norway, 68€ per year, no commitment: https://www.proisp.no/ssl-sertifikat/comodo-instantssl/) but the feedbacks are not so good… people have difficulties with customer services. I guess it depend on the reseller.

I’m not sure because on Buypass they say that domain validation is only for testing purpose and server-to-server communication within an organization…
Thanks for your answer on that!

I asked some people here what SSL certificate they would recommend, and more people talked about StartSSL. I actually realized they propose a class 2/3 certificate (domain + organization) for a very cheap price compared to what other providers offer for only a domain name validation… https://www.startssl.com/?app=2
So I guess we’ll go for that and share the process afterward :wink:

Hey @MyriamBoure - is this what you ended up doing with the SSL, or did @RohanM set something up . . just sorting out the steps for @tschumilas and hoping SSL will be straightforward this time!

@Kirsten, no, we first tried to take the free SSL certificate from StartCom but they didn’t allow us because they considered it was used for online shopping website and class1 was not enough. Then we tried the class 2/3 from Startcom again, but we were having trouble getting it, because it was the domain and organization certificate, and they didn’t want the domain openfoodnetwork.no to be owned by Altifrem… so we changed and went for ssl.com, Basic domain validation, 49$ per year, and it worked very smoothly :smile:

1 Like

Just for future reference, worth keeping a check on https://letsencrypt.org/ and when it goes live, hopefully could be a useful option for new or renewing certs.

1 Like

Let’s Encrypt is live now and it worked for me. It’s probably something to integrate into the Ansible scripts at some point.

1 Like

Did you try just a test? Or are you planning to use it for production?

I use it in production in another project, not OFN related. Even though they say you should not use it in production yet. But the certificate lasts only a few months and I didn’t setup any automation. If you don’t run a supported system (Debian based Apache or Nginx) you need to stop your webserver to obtain a certificate or set up some more complicated firewall rules and an unofficial client. So, I wouldn’t call it all smooth in production environments, but you can get certificates very easily.

NOTES on Let’s Encrypt approach here.