Redbrick has a wildcard SSL cert for *.redbrick.dcu.ie, issued by The SSL Store/RapidSSL. It was purchased before Let's Encrypt supported wildcard certs and, since it has already been paid for, it is being kept in use until it expires.
At the time of writing, our cert deployment looks like so:
Certbot is set up on Azazel and Metharme, in /local/usr/sbin. It is cron'd to run at 02:30 and 14:30 daily and logs to /var/log/le-renew.log. The Apache on Azazel is configured to use this cert for redbrick.dcu.ie and azazel.redbrick.dcu.ie.
For more configuration info on Certbot see here.
The RapidSSL Cert
Renewal should be put on the grant application at the start of each year; in the past it has not been approved. The price is $149 for the year.
RapidSSL will email admins@rb about a month before the cert is due for renewal with instructions; this usually happens around April.
The cert was purchased through The SSL Store; the credentials are in pwsafe under "ssl".
- Key (.key): The private key, generated locally. It signs the CSR and is what the server uses alongside the cert; it should never leave our hosts
- Cert Signing Request (.csr): Used to request a cert from the CA for the domain(s); its Subject states which domains it is requesting for
- Certificate (.crt/.cer): The actual certificate served to clients
- CA Bundle/Intermediate Cert (.crt/.cer/.pem): The CA's intermediate certificate, which chains our cert up to a trusted root so clients can verify that the CA issued it
- Other files (.p7b): Don't worry about these
Generating a CSR
NOTE: You most likely do not need to do this! These instructions exist in the event the key and CSR are lost.
- Start generating a CSR with this command:
openssl req -new -newkey rsa:2048 -nodes -keyout redbrick.dcu.ie.key -out redbrick.dcu.ie.csr
- Enter the relevant information as prompted from the table below (the Subject has no email address, so the remaining prompts can be left empty):
|Country Name||IE|
|State or Province Name||Dublin|
|Locality Name||Glasnevin|
|Organization Name||Redbrick - DCU's Networking Society|
|Organizational Unit Name||SysAdmin|
|Common Name||*.redbrick.dcu.ie|
- Check your Subject line matches the one below:
/etc/apache2/ssl# openssl req -in redbrick.dcu.ie.csr -text -noout | grep Subject
Subject: C=IE, ST=Dublin, L=Glasnevin, O=Redbrick - DCU's Networking Society, OU=SysAdmin, CN=*.redbrick.dcu.ie
- Keep the generated files safe and make sure they have an octal mode of "0500" or stricter
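The three CSR steps above, done non-interactively, as an added example that is not part of the original page or Redbrick's own tooling: a POSIX shell script that generates the key and CSR with the exact Subject shown, checks the CSR's CN and O before anything is uploaded to the CA, and confirms the key is not readable by group or others. The output directory and base name are arguments; /etc/apache2/ssl in the usage comment is the path from this page, and every function name is an assumption.

```shell
#!/bin/sh
# Added example: generate and verify a CSR for the wildcard cert (not Redbrick's own script).
# Usage: make_csr /etc/apache2/ssl redbrick.dcu.ie && check_csr /etc/apache2/ssl/redbrick.dcu.ie.csr
set -eu

EXPECTED_CN='*.redbrick.dcu.ie'
EXPECTED_O="Redbrick - DCU's Networking Society"
# Subject in the form openssl's -subj expects; matches the Subject line on this page.
SUBJ="/C=IE/ST=Dublin/L=Glasnevin/O=${EXPECTED_O}/OU=SysAdmin/CN=${EXPECTED_CN}"

# make_csr DIR BASENAME: write DIR/BASENAME.key and DIR/BASENAME.csr, owner-readable only.
make_csr() {
    dir="$1"; base="$2"
    mkdir -p "$dir"
    umask 077   # files are created 0600 before being tightened to 0400 below
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ" \
        -keyout "$dir/$base.key" -out "$dir/$base.csr" >/dev/null 2>&1
    chmod 0400 "$dir/$base.key" "$dir/$base.csr"
}

# csr_subject FILE: print the CSR subject in RFC 2253 form (CN first, no padding
# spaces), which is stable across openssl versions unlike the default layout.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# csr_cn FILE: print just the CN from the CSR subject.
csr_cn() {
    csr_subject "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_is_private FILE: true if the mode has no group/other bits (ls columns 5-10).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_csr CSRFILE: true only if CN and O are what the CA order expects and the
# matching .key next to it is private. Run this before uploading the CSR anywhere.
check_csr() {
    csr="$1"; key="${csr%.csr}.key"
    [ "$(csr_cn "$csr")" = "$EXPECTED_CN" ] || { echo "CN mismatch in $csr" >&2; return 1; }
    csr_subject "$csr" | grep -q "O=${EXPECTED_O}," || { echo "O mismatch in $csr" >&2; return 1; }
    key_is_private "$key" || { echo "$key is readable by group/others" >&2; return 1; }
    echo "CSR subject and key permissions OK"
}
```

The -subj form replaces the interactive prompts, so the Subject cannot drift from the one RapidSSL already has on file; check_csr is the scripted version of the "grep Subject" step and additionally refuses to pass a key that is group- or world-readable.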
Requesting a new cert
- Proceed to The SSL Store Buy Page or similar and use redbrick.dcu.ie.csr to request a new cert
- In order to verify ownership of the domain, The SSL Store will offer to email a link to email@example.com. Last time this was tried it did not work, and we used DNS validation instead. To do this:
- Select DNS verification on The SSL Store website
- Log into paphos and open up the bind config (
- Update the serial
- Add a TXT field with the requested hash from the SSL store
- Run named-checkzone redbrick.dcu.ie db.Redbrick.dcu.ie to test, and
- service bind9 reload to apply
- Run dig @220.127.116.11 -t txt redbrick.dcu.ie and check the record is there
- Give it a few minutes and The SSL Store should pick it up
- Undo these changes (remove the TXT record and bump the serial again)
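The DNS-validation loop above (add a TXT record, bump the serial, check it, undo it) as an added example, not Redbrick's own tooling: a POSIX shell script that edits a BIND zone file. It assumes the zone file marks its SOA serial with a "; serial" comment, as in the constructed sample zone the script writes for testing; the zone path, record name, token and nameserver address are placeholders, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Redbrick's own script): add and later remove the CA's TXT
# validation record in a BIND zone file, bumping the SOA serial each time.
# Assumes the serial line carries a "; serial" comment, as in the sample below.
set -eu

# bump_serial ZONEFILE: YYYYMMDDnn-style serials restart at today's date + 01
# when older than today; anything else is simply incremented.
bump_serial() {
    awk -v today="$(date +%Y%m%d)" '
        /; *[Ss]erial/ && !done {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/) {
                    old = $i
                    if (length(old) == 10 && substr(old, 1, 8) < today) new = today "01"
                    else new = old + 1
                    sub(old, new)      # edit $0 in place so the file layout is kept
                    done = 1
                    break
                }
            }
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# serial_of ZONEFILE: print the current SOA serial.
serial_of() {
    awk '/; *[Ss]erial/ { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# add_txt ZONEFILE NAME TOKEN: append the validation record with a short TTL so
# it drops out of caches quickly once the CA has seen it.
add_txt() {
    printf '%s\t300\tIN\tTXT\t"%s"\n' "$2" "$3" >> "$1"
    bump_serial "$1"
}

# remove_txt ZONEFILE TOKEN: the "undo" step; the serial is bumped again so
# secondaries pick up the removal.
remove_txt() {
    grep -v "TXT[[:space:]]*\"$2\"" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    bump_serial "$1"
}

# check_zone ZONENAME ZONEFILE: syntax-check the zone where named-checkzone is installed.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    fi
}

# txt_visible NAMESERVER NAME TOKEN: true once the server answers with the record (needs network).
txt_visible() {
    dig @"$1" -t txt "$2" +short | grep -q "\"$3\""
}

# make_sample_zone FILE: a constructed minimal zone to exercise the functions on.
make_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
@       IN      SOA     ns.example.invalid. admins.example.invalid. (
                        2017040101      ; serial
                        3600            ; refresh
                        900             ; retry
                        604800          ; expire
                        300 )           ; minimum
        IN      NS      ns.example.invalid.
EOF
}
```

On the real host the sequence is add_txt, check_zone, reload bind9, txt_visible against the server from the dig step above, and remove_txt once the CA has validated; each edit goes through a temp file and mv so a half-written zone is never left in place.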
Your cert should now be active and you should have a Download Certificate button on the Order Details page.
Updating the deployed certs
These steps are mostly from updating Metharme, but should apply to other hosts.
- Back up the relevant SSL folder like so:
cd ssl_folder
mkdir backup_$(date +'%F')
cp * backup_$(date +'%F')/
ls -l backup_$(date +'%F')   # There should be >= 4 files in here
- Download the certificate zip file from the SSL Store. This will contain a number of files:
|ZIP file name||SSL folder file name|
(Note: If you do not get an intermediate cert, you can download the RapidSSL wildcard intermediate SHA1 CA from here)
- Copy the files to the relevant places in the ssl folder
- Test the changes
doveconf | grep ssl
- Apply the changes
- Validate the changes
- Apache: here (make sure to test domains served by each Apache)
- Dovecot (993 is IMAPS):
openssl s_client -CApath /etc/ssl/certs/ -connect 18.104.22.168:993 </dev/null 2>/dev/null | grep -ie 'verify return code' -e rapidssl
- Delete the previous year's backup folder(s) (BE CAREFUL NOT TO DELETE YOUR OWN ONE)
If something goes wrong along the way just restore the old certs and call an old admin.
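Before the "Apply" step, and again after it, the checks worth scripting are: does the downloaded cert actually belong to our private key, does the leaf chain through the intermediate to a trusted root, how long is it still valid, and what does the live service present. The following is an added example, not Redbrick's own script, wrapping those checks in POSIX shell; /etc/ssl/certs and the port-993 check come from the page, the function names and file arguments are assumptions.

```shell
#!/bin/sh
# Added example (not Redbrick's own tooling): pre-flight checks on a freshly
# downloaded cert before Apache/Dovecot are reloaded, and a live check afterwards.
set -eu

# key_matches_cert KEY CRT: true if the cert's public key is derived from KEY.
# Compares SHA-256 of the DER public keys rather than RSA moduli, so it also
# works for non-RSA keys.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_ok LEAF INTERMEDIATE TRUST: verify LEAF via INTERMEDIATE up to TRUST, where
# TRUST is either a CA directory (/etc/ssl/certs on Debian-like hosts) or a CA file.
chain_ok() {
    if [ -d "$3" ]; then opt=-CApath; else opt=-CAfile; fi
    openssl verify "$opt" "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for_days CRT DAYS: true if the cert does not expire within DAYS days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# live_check HOST PORT [STARTTLS_PROTO]: what the running service presents.
# </dev/null stops s_client from sitting on stdin waiting for input.
live_check() {
    host="$1"; port="$2"
    if [ $# -ge 3 ]; then
        openssl s_client -CApath /etc/ssl/certs -connect "$host:$port" -servername "$host" \
            -starttls "$3" </dev/null 2>/dev/null
    else
        openssl s_client -CApath /etc/ssl/certs -connect "$host:$port" -servername "$host" \
            </dev/null 2>/dev/null
    fi | grep -i -e 'verify return code' -e 'issuer'
}

# preflight KEY CRT INTERMEDIATE: everything that should pass before "Apply".
preflight() {
    key_matches_cert "$1" "$2" || { echo "cert does not match $1" >&2; return 1; }
    chain_ok "$2" "$3" /etc/ssl/certs || { echo "chain does not verify" >&2; return 1; }
    cert_valid_for_days "$2" 30 || { echo "cert expires within 30 days" >&2; return 1; }
    echo "preflight OK"
}
```

A typical run on the mail host is preflight on the three copied files, then service reloads, then live_check mail.redbrick.dcu.ie 993 (IMAPS) and live_check for the SMTP submission port with the starttls argument; a mismatch between key and cert is the one mistake a service reload does not always report loudly, which is why key_matches_cert runs first.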