This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

Update ssl cert to one signed with sha2 #3160

Closed
greggles opened this issue Feb 5, 2015 · 50 comments

Comments

@greggles
Contributor

greggles commented Feb 5, 2015

The current ssl cert for gratipay.com is signed with sha1. It would be great to use a sha2 certificate, both because it is better for security and because Chrome is starting to warn users about sha1-signed certs which can decrease trust in the gratipay brand.

See http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html for details on when/why they are doing this.

It *should* be a fairly straightforward change: get a new cert from the issuer and put it in place.

@chadwhitacre
Contributor

HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.

Our cert expires August 27, 2016, and yet:

screen shot 2015-02-05 at 4 03 50 pm

@chadwhitacre
Contributor

Nobody should be trusting a payments platform with a screen shot 2015-02-10 at 3 59 08 pm.

@chadwhitacre
Contributor

Our cert expires August 27, 2016, and yet:

Explanation:

Beginning in January 2015, Chrome will show a warning for sites with SHA-1 certificates expiring after June 1, 2016.

A closer reading of Google's blog post bears this out.
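The rule quoted above (SHA-1 certs expiring after June 1, 2016 draw a Chrome warning) is easy to turn into a check an operator can run against a PEM file before renewing. The following is an added example, not tooling from the Gratipay project: it assumes the `openssl` CLI is installed, parses the `-enddate` output format openssl prints, and applies only the single threshold stated in this thread (the later, stricter Chrome milestones are not modelled).

```shell
#!/bin/sh
# Added example, not from the Gratipay project. Assumes the openssl CLI.
# Threshold (2016-06-01) is the one quoted from Google's announcement above.
set -eu

# Map a month abbreviation as printed by openssl (Jan..Dec) to a two-digit number.
month_num() {
    case $1 in
        Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
        May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
        Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) return 1;;
    esac
}

# Convert "notAfter=Aug 27 00:00:00 2016 GMT" (openssl x509 -enddate output)
# into a sortable YYYYMMDD string.
enddate_to_ymd() {
    set -- $(printf '%s\n' "$1" | sed 's/^notAfter=//')
    # After word-splitting: $1=Mon $2=day $3=hh:mm:ss $4=year $5=GMT
    printf '%s%s%02d\n' "$4" "$(month_num "$1")" "$2"
}

# Classify a leaf certificate by signature digest and expiry:
#   sha1-warning                -> SHA-1 signed and expires on/after 2016-06-01
#   sha1-expires-before-cutoff  -> SHA-1 signed but expires before the cutoff
#   ok                          -> not SHA-1 signed (e.g. sha256WithRSAEncryption)
sha1_sunset_status() {  # $1 = signature algorithm name, $2 = expiry as YYYYMMDD
    case $1 in
        sha1With*|*SHA1*)
            if [ "$2" -ge 20160601 ]; then
                echo "sha1-warning"
            else
                echo "sha1-expires-before-cutoff"
            fi ;;
        *) echo "ok" ;;
    esac
}

# Apply the check to a PEM certificate on disk; prints "<alg> <YYYYMMDD> <status>".
check_cert_file() {
    alg=$(openssl x509 -in "$1" -noout -text \
          | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    ymd=$(enddate_to_ymd "$(openssl x509 -in "$1" -noout -enddate)")
    echo "$alg $ymd $(sha1_sunset_status "$alg" "$ymd")"
}

# Usage: sh check_sha1_sunset.sh server.pem
case "${1:-}" in
    "") ;;
    *) check_cert_file "$1" ;;
esac
```

Only the leaf is inspected here; Chrome's rule applies to the whole chain, so intermediates would need the same check.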

@chadwhitacre
Contributor

IRC

@chadwhitacre
Contributor

The hash function is relevant when creating the CSR (include -sha256 in the options to openssl req), and the way to inspect a CSR to determine what hash function was used to create it is:

$ openssl asn1parse -in server.csr

@chadwhitacre
Contributor

P.S. I usually refer to https://devcenter.heroku.com/articles/ssl-endpoint when I have to do this. At some point we'll want a howto on IG.

@chadwhitacre
Contributor

Looks like StartSSL wants me to revoke the previous certificate, which carries a $24.90 charge ... and a race condition. :-/

@chadwhitacre
Contributor

Revocation request submitted.

@chadwhitacre
Contributor

And I emailed them about the race condition.

@chadwhitacre
Contributor

It seems that StartSSL always uses a subdomain as the common name, adding the root as an alternate. The first subdomain added during the cert wizard becomes the common name, so to avoid revocation (which does carry the risk of downtime, in addition to the fee), they advised that I issue the certificate using a different subdomain as the common name.

@chadwhitacre
Contributor

They cancelled the revocation request. I'm waiting for the cert to be issued (under workaround-startssl-limitation.gratipay.com, with gratipay.com and www.gratipay.com as alternates).

@chadwhitacre
Contributor

I just noticed that this domain belongs to Gratipay, LLC whereas the validated entity is Gittip, LLC. According to our policy we shouldn't issue this certificate.

Please review the Subscriber Obligations at https://www.startssl.com/policy.pdf in particular:

  • Never obtain and use a certificate for a domain name and/or web site that belongs to a different entity other than the entity referenced in the certificate and the entity that has been validated, e.g. a validated individual may obtain certificates for domain names and/or web sites he/she owns, but not for other individuals or organization, even if allegedly authorized or requested. Likewise a validated organization shall not obtain a certificate for a domain and/or web sites belonging to another entity or third party.

Me:

Okay. We did rename Gittip, LLC to Gratipay, LLC. Tomorrow I'll go ahead and submit a new organization validation, and then proceed with the certificate request.

@chadwhitacre
Contributor

I started the verification process.

@chadwhitacre
Contributor

Extended validation reticketed as gratipay/inside.gratipay.com#144. Blocking this on that.

@chadwhitacre
Contributor

Extended validation got bogged down and I abandoned the attempt. Now we're blocking on non-extended validation. :-)

@chadwhitacre
Contributor

Looks like we're validated again at StartSSL. Now for the new cert ...

@chadwhitacre
Contributor

From @deltab in IRC:

$ openssl req -in server.csr -text

@chadwhitacre
Contributor

Is there a reason we can't use the CSR from a few weeks ago?

@chadwhitacre
Contributor

I submitted the CSR.

@chadwhitacre
Contributor

I used 2015-03-09.gratipay.com as the common name, with gratipay.com and www.gratipay.com as alternates.

@chadwhitacre
Contributor

Oops. We need a lot more alternate names, for all of our alternate domains. Current:

screen shot 2015-03-09 at 4 59 05 pm

Here's the list from Heroku for comparison:

gittip.co
gittip.com
gittip.org
gratipay.co
gratipay.com
gratipay.herokuapp.com
gratipay.net
gratipay.org
www.gittip.co
www.gittip.com
www.gittip.org
www.gratipay.co
www.gratipay.com
www.gratipay.net
www.gratipay.org

We also need a separate cert for assets.gratipay.com.
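The pieces scattered across this thread (pass `-sha256` to `openssl req` when making the CSR, a subdomain as common name with the real domains as alternates, and `openssl req -text` / `openssl asn1parse` to inspect the result) fit together into one script. This is an added example rather than anything the Gratipay project published: it assumes the `openssl` CLI, uses the hostnames from the thread purely as sample input, and writes a throwaway config so the subjectAltName list travels inside the request.

```shell
#!/bin/sh
# Added example, not Gratipay's own tooling. Assumes the openssl CLI; the
# hostnames in the demo are taken from the thread as sample input only.
set -eu

# Build a SHA-256-signed CSR whose subjectAltName carries the common name plus
# every alternate. $1 = output prefix, $2 = common name, rest = alternate names.
make_csr() {
    prefix=$1; cn=$2; shift 2
    alt=""
    for name in "$cn" "$@"; do
        alt="${alt}${alt:+,}DNS:${name}"
    done
    # Minimal request config; req_extensions puts the SAN list in the CSR itself.
    cat > "$prefix.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $alt
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$prefix.key" 2>/dev/null
    # -sha256 is what decides the digest in the request's signature.
    openssl req -new -sha256 -key "$prefix.key" -config "$prefix.cnf" -out "$prefix.csr"
}

# Digest reported by the human-readable dump (e.g. sha256WithRSAEncryption).
csr_sig_alg() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Same answer read straight from the DER structure, the way the thread suggests.
csr_sig_alg_asn1() {
    openssl asn1parse -in "$1" \
        | sed -n 's/.*OBJECT *:\(sha[0-9]*With[A-Za-z]*\).*/\1/p' | tail -n 1
}

# DNS names carried in the request's subjectAltName, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Usage: sh make_csr.sh demo   (writes site.key/site.csr into a temp dir)
demo() {
    dir=$(mktemp -d); cd "$dir"
    make_csr site 2015-03-09.gratipay.com gratipay.com www.gratipay.com
    echo "CSR in $dir/site.csr"
    echo "signature (req -text):  $(csr_sig_alg site.csr)"
    echo "signature (asn1parse):  $(csr_sig_alg_asn1 site.csr)"
    echo "SAN names:"; csr_san_names site.csr
}
case "${1:-}" in demo) demo ;; esac
```

Note that the CA decides the digest of the issued certificate; `-sha256` only guarantees the request is not itself SHA-1 signed, so the check in `csr_sig_alg` should be repeated on the certificate you get back.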

@chadwhitacre
Contributor

So ... two new CSRs.

@chadwhitacre
Contributor

Boom! 🚀 Good look, @greggles. :-)

screen shot 2015-03-09 at 6 53 24 pm

@chadwhitacre
Contributor

@chadwhitacre
Contributor

Now:

  • {www.,}{grtp,gttp}.co
  • {assets,downloads}.gratipay.com

@greggles
Contributor Author

greggles commented Mar 9, 2015

👍

@chadwhitacre
Contributor

CSRs submitted for CDN and widget server.

@chadwhitacre
Contributor

Certs are in hand!

@chadwhitacre
Contributor

I figured I'd configure DNS for alternate domains while I wait. I updated nameservers to DNSimple for all gratipay.com alternates. However, we have a 10 domain limit on our DNSimple plan, so I was not able to add gittip.co. I'm considering dropping giddip.com.

aspen.io
giddip.com
gittip.com
gittip.org
gratipay.co
gratipay.com
gratipay.net
gratipay.org
motivate.im
simplates.org

@chadwhitacre
Contributor

At some point I turned off autorenew for giddip.com, as well as giftip.org. I'm going to remove giddip.com from DNS.

@chadwhitacre
Contributor

Okay, giddip.com is gone from DNS, and I've configured ALIAS/CNAME to gratipay.com for the alternates that are actually configured in Heroku (#3160 (comment)).

@chadwhitacre
Contributor

I also removed the SPF record for gittip.com, since we shouldn't be sending mail from that domain anymore (we had been using it with Freshdesk).

@chadwhitacre
Contributor

To close this ticket I need to install the new CDN cert. I've reticketed widgets as gratipay/grtp.co#92.

@chadwhitacre
Contributor

Hangup at MaxCDN:

screen shot 2015-03-09 at 7 55 53 pm

I used a subdomain to avoid having to ask for a revocation at StartSSL (per their advice). I don't see a "force" option in the MaxCDN UI. Maybe a delete and readd?

@chadwhitacre
Contributor

I was able to add a new cert, need to associate it with {assets,downloads}.

@chadwhitacre
Contributor

Cert installed for both subdomains and old cert deleted. Waiting for propagation ...

@chadwhitacre
Contributor

Drat. Chrome is picking up the new cert but it's not green. :-(

https://assets.gratipay.com/gratipay.svg

screen shot 2015-03-09 at 8 09 43 pm

@chadwhitacre
Contributor

Skunked for tonight. Will revisit tomorrow ...

@chadwhitacre
Contributor

Still skunked. I inspected the cert using Chrome for both of these:

https://assets.gratipay.com/gratipay.svg
https://gratipay.com/assets/gratipay.svg

I can't see a meaningful difference.

@chadwhitacre
Contributor

@chadwhitacre
Contributor

As importantly, a 3-month window forces Google to make cert rotation operationally simple. This is the equivalent of Netflix's Chaos Monkey — forcing yourself to take entropy and change seriously by turning it from an emergency into the routine.

https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

@chadwhitacre
Contributor

BLAM!!!!!!!!!!

screen shot 2015-03-10 at 6 53 27 am

@konklone

Looks like a tip to @konklone is in order. :-)

Tips always accepted. ^_^ Nice job getting this all done.

@chadwhitacre
Contributor

@konklone :-)

@captn3m0
Contributor

captn3m0 commented Apr 7, 2015

I am getting an SSL error for gratipay.com on Chrome+Linux

However, because of a bug in chrome, I don't know the root cause.

1

The website opens fine, and there are no errors in the console. This is the kind of error that I'd expect from sha1 certs, but that seems to have been fixed.

Will investigate further.

@techtonik
Contributor

Everything is fine here on Windoze + 41.0.2272.118 m
gratipay_ssl

@konklone

konklone commented Apr 7, 2015

@captn3m0 Can you be more specific about versions? I'm on Chrome+Linux, and it looks fine for me.

Can you examine your browser trust store to see if StartCom's class 2 root is trusted at all?

@captn3m0
Contributor

captn3m0 commented Apr 7, 2015

This is weird. I didn't even restart my browser, and now the cert is green.

Version string is 43.0.2342.2 (Official Build) dev (64-bit).

@techtonik
Contributor

I don't know how Chrome updates itself, but I may guess that you could catch a moment when it updated resources, but didn't restart the binary yet.

@chadwhitacre
Contributor

@captn3m0 Sounds like a dupe of #3278. tl;dr We're not targeting beta/dev browser versions. ;-)
