SSL: Domain & Subdomains
General Information
Here is a list of relevant SSL information for websites in production & staging environments.
Production
- Domain:
  - interaction-design.org ("www." CNAME alias included)
- CDN:
  - *.interaction-design.org - Amazon-issued certificate (ACM)
Staging
- Domain/Subdomain:
  - *.ixdf.dev
- CDN:
  - Uses the default domain from AWS.
Troubleshooting Certificates
To fix any SSL issue you first have to determine what is causing the problem. This is a short list of commands to help with such checks.
Check certificate information
To check a certificate's information, run:
```text
curl -I -v https://<domain>
```
Output (expected):
```text
➜ web git:(develop) ✗ curl -I -v https://www.interaction-design.org
[...]
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
### Certificate Owner Information ###
* Server certificate:
* subject: businessCategory=Private Organization;
jurisdictionC=DK; serialNumber=34456496; C=DK;
ST=Midtjylland; L=Aarhus N;
O=The Interaction Design Foundation ApS; OU=IT;
CN=www.interaction-design.org
* start date: Jun 21 00:00:00 2018 GMT # <-- Always check dates
* expire date: Sep 23 00:00:00 2020 GMT # <-- Always check dates
* subjectAltName: host "interaction-design.org" matched cert’s "interaction-design.org"
### Certificate Issuer Information ###
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com;
CN=DigiCert SHA2 Extended Validation Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
[...]
```
Common Fixes
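Before applying the fixes below, it helps to turn the manual curl inspection above into a repeatable check that says which failure you are looking at. The following script is an added example for this runbook, not code from the original page, from Forge or from Certbot: it fetches the certificate a host presents (with SNI), prints the same owner, issuer, validity and SAN fields the curl output shows, and fails if the certificate does not cover the hostname or expires within WARN_DAYS (30 by default, an assumption). It assumes openssl is on PATH; the production domain appears only as a usage illustration.

```shell
#!/bin/sh
# Added example for this runbook (not part of the page, Forge or Certbot).
# Reproduces the checks behind the annotated curl output: owner, issuer,
# validity window and SANs, plus pass/fail checks for hostname coverage and
# impending expiry. Assumes openssl on PATH. WARN_DAYS default is an assumption.
set -eu

WARN_DAYS="${WARN_DAYS:-30}"

# Fetch the leaf certificate a server presents for HOST (SNI is sent), PEM on stdout.
fetch_cert() {
  host="$1"; port="${2:-443}"
  openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
    | openssl x509
}

# Human-readable summary of a PEM certificate file: subject, issuer, dates, SANs.
cert_info() {
  pem="$1"
  openssl x509 -in "$pem" -noout -subject -issuer -dates
  # -ext needs OpenSSL 1.1.1 or newer; older builds simply skip the SAN line.
  openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null || true
}

# Exit 0 if the certificate's CN/SANs cover HOST (wildcards are handled by OpenSSL).
cert_matches_host() {
  pem="$1"; host="$2"
  openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q "does match certificate"
}

# Exit 0 if the certificate expires within DAYS days, i.e. renewal is due or overdue.
expires_within_days() {
  pem="$1"; days="$2"
  # -checkend exits 0 when the cert is still valid DAYS from now, so invert it.
  ! openssl x509 -in "$pem" -noout -checkend "$(( days * 86400 ))" >/dev/null
}

# Run every check for one host; print the summary and return 1 if any check fails.
check_host() {
  host="$1"
  tmp="$(mktemp)"
  if ! fetch_cert "$host" > "$tmp"; then
    echo "FAIL: could not fetch a certificate from $host" >&2
    rm -f "$tmp"; return 1
  fi
  cert_info "$tmp"
  status=0
  if ! cert_matches_host "$tmp" "$host"; then
    echo "FAIL: certificate does not cover $host" >&2; status=1
  fi
  if expires_within_days "$tmp" "$WARN_DAYS"; then
    echo "FAIL: certificate expires within $WARN_DAYS days" >&2; status=1
  fi
  rm -f "$tmp"
  return "$status"
}

# Usage: ./cert-check.sh www.interaction-design.org
if [ "$#" -gt 0 ]; then
  for h in "$@"; do check_host "$h"; done
fi
```

The hostname check is the one the curl output only shows implicitly (the "matched cert's" line): a certificate can be perfectly valid and still be the wrong one for the name you are serving, which is what you see after a load balancer or CDN swap.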
Problem in auto-renewal process
By default, we rely on scheduled jobs to handle the certificate renewal for both our production and staging servers. To view these jobs, you can access the Forge admin panel and navigate to the Scheduler section.
Make sure there is an active job with the appropriate frequency and the following command:
```text
certbot renew --config-dir=/etc/letsencrypt --logs-dir=/home/forge/.letsencrypt/ --force-renew
```
Note that --force-renew renews every certificate on every run, regardless of how close it is to expiry, so the job's frequency must stay within Let's Encrypt's duplicate-certificate rate limit; without the flag, certbot renew only renews certificates that are within 30 days of expiry and can safely run daily. Below you can see an example from our production server:

Ensure that Certbot is installed on the server, as it is the tool we use for creating and renewing SSL certificates. To verify its installation, SSH into the servers and run certbot --version. To exercise the renewal job without issuing a real certificate, run certbot renew --dry-run; it uses Let's Encrypt's staging environment, which does not count against production rate limits. If Certbot is not installed, refer to this guide for instructions on how to proceed.
Certificate Not Installed
Let's Encrypt Certificates
On the "Site Details" tab in Forge (for the load balancer), click the "LetsEncrypt" button. It should generate an SSL certificate. Make sure you have a valid domain/subdomain that resolves to this server, otherwise the certificate request will fail.
Check that the nginx config contains the certificate paths declared inside the server { ... } block:
```text
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/<domain>/<cert-id>/server.crt;
ssl_certificate_key /etc/nginx/ssl/<domain>/<cert-id>/server.key;
```
Other CAs: follow the instructions provided by the Certificate Authority. All of them provide details on how to install, re-issue and deliver certificates in the most common setups: nginx, httpd/apache, tomcat.
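The FORGE SSL lines above only tell you what nginx was configured with. Whether the two files exist, whether server.key actually belongs to server.crt, and whether the running nginx is serving that file are separate questions, and the same three questions come up again when an expired certificate is renewed (Invalid Date (expired) below): nginx reads the files at start or reload, so a freshly renewed file on disk changes nothing until a reload. The following script is an added example for this runbook, not code from the page, from Forge or from Certbot; it assumes openssl is on PATH, and the config path in the usage comment is illustrative.

```shell
#!/bin/sh
# Added example for this runbook (not part of the page, Forge or Certbot).
# Checks that the ssl_certificate/ssl_certificate_key pair in an nginx config
# exists, belongs together, and is the certificate nginx actually serves.
# Assumes openssl on PATH; config path in the usage comment is an assumption.
set -eu

# Print "<cert-path> <key-path>" from the first ssl_certificate and
# ssl_certificate_key directives in an nginx config (indentation ignored).
nginx_cert_paths() {
  cfg="$1"
  crt=$(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$cfg" | head -n 1)
  key=$(sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$cfg" | head -n 1)
  [ -n "$crt" ] && [ -n "$key" ] || return 1
  echo "$crt $key"
}

# Exit 0 if the public key inside CERT equals the public half of KEY.
cert_key_match() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of a PEM certificate file.
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate HOST actually serves (SNI is sent).
served_fingerprint() {
  host="$1"; port="${2:-443}"
  openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Full check: config -> files readable -> key matches cert -> nginx serves that cert.
check_site() {
  cfg="$1"; host="$2"
  paths=$(nginx_cert_paths "$cfg") \
    || { echo "FAIL: no ssl_certificate/ssl_certificate_key in $cfg" >&2; return 1; }
  crt=${paths%% *}; key=${paths#* }
  for f in "$crt" "$key"; do
    [ -r "$f" ] || { echo "FAIL: $f is missing or unreadable" >&2; return 1; }
  done
  cert_key_match "$crt" "$key" \
    || { echo "FAIL: $key does not belong to $crt" >&2; return 1; }
  disk=$(file_fingerprint "$crt")
  live=$(served_fingerprint "$host") \
    || { echo "FAIL: could not fetch a certificate from $host" >&2; return 1; }
  [ "$disk" = "$live" ] \
    || { echo "FAIL: $host serves $live but $crt is $disk (nginx not reloaded?)" >&2; return 1; }
  echo "OK: $host serves $crt ($disk)"
}

# Usage (config path is an assumption; adjust to the site's nginx file):
# check_site /etc/nginx/sites-available/<domain> <domain>
if [ "$#" -eq 2 ]; then
  check_site "$1" "$2"
fi
```

The fingerprint comparison is the step people skip: when "the certificate was renewed" but browsers still show the old expiry, it is almost always that nginx was never reloaded and is still holding the previous file in memory.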
Invalid Date (expired)
Amazon-Issued Certificates (CDNs)
ACM provides managed renewal for your Amazon-issued SSL/TLS certificates. This includes both public and private certificates issued by using ACM. If possible, ACM renews your certificates automatically with no action required from you. A certificate is eligible for renewal if it is associated with another AWS service, such as Elastic Load Balancing or CloudFront, or if it has been exported since being issued or last renewed.
A DNS-validated certificate can only be renewed while its validation CNAME record is still present in the domain's DNS, so if a CDN certificate has expired, check in the ACM console that it is not stuck in "Pending validation" and that the record was not removed.
Find out more at https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html
Let's Encrypt Certificates
- Renew using the Forge UI.
- Check that the nginx config contains the certificate paths declared inside the server { ... } block:
```text
# FORGE SSL (DO NOT REMOVE!)
ssl_certificate /etc/nginx/ssl/<domain>/<cert-id>/server.crt;
ssl_certificate_key /etc/nginx/ssl/<domain>/<cert-id>/server.key;
```
- Make sure nginx was reloaded after the renewal: it only reads these files on start or reload, so until then it keeps serving the old, expired certificate even though the file on disk is new.
Still having problems? Contact @ops-team at Slack for further investigation.