I had to renew my SSL certs for this site, so while doing so I upgraded and addressed a few other issues.
First, apparently when I deployed the SSL certs last time I missed out some of the root certs in the chain. The vendor I used gives you each of the root certs individually and you need to manually concatenate them together yourself. More in another post on the steps I took to do this.
Since the certs are part of my nginx Docker image, I rebuilt my image, upgrading everything to the latest versions. Since it was also a couple of years since I last did this, I also had to go back through my posts here to work out the steps I took to deploy last time. I'll post another update on the steps I took for this later too.
When you concatenate your SSL .crt intermediate and root certs together, it's likely you end up with lines like this (the END marker of one cert and the BEGIN marker of the next fused on a single line):
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
To fix this, manually edit to insert a newline between the end and begin like this, and you should be all set:
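As an added example (not from the original post), here is a small POSIX shell script that does the concatenation safely, adding a newline after any input file that lacks one, and then checks the result for fused END/BEGIN markers and unbalanced marker counts. File names (site.crt, intermediate.crt, root.crt, chain.crt) are assumed.

```shell
#!/bin/sh
# Concatenate PEM certificate files into one chain file, making sure each
# input ends with a newline so "-----END CERTIFICATE-----" and the next
# "-----BEGIN CERTIFICATE-----" never land on the same line.
# Usage: build_chain chain.crt site.crt intermediate.crt root.crt
build_chain() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # $(tail -c1) is empty when the last byte is a newline; add one otherwise
        if [ -n "$(tail -c1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# Sanity-check a chain file: no END marker may share a line with a BEGIN
# marker, and BEGIN/END markers must pair up. Returns 0 if the file looks sane.
check_chain() {
    f="$1"
    if grep -q 'END CERTIFICATE-----.*BEGIN CERTIFICATE' "$f"; then
        echo "fused END/BEGIN marker found in $f" >&2
        return 1
    fi
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -ne "$ends" ] || [ "$begins" -eq 0 ]; then
        echo "unbalanced markers in $f: $begins BEGIN, $ends END" >&2
        return 1
    fi
    echo "$f: $begins certificate(s), markers OK"
}

# Run as: sh build_chain.sh chain.crt site.crt intermediate.crt root.crt
if [ "$#" -ge 2 ]; then
    build_chain "$@" && check_chain "$1"
fi
```

Once the chain passes check_chain, point nginx's ssl_certificate directive at the combined file and reload.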
My first 1 year free SSL certificate with StartSSL is about to expire this month, so it's time to renew for another year. When I set it up last year I wasn't sure what would happen 1 year later, but it appears you just apply for another new certificate and then replace it on the servers where you are using it.
However, once I had requested my new certificate and uploaded it to my OpenShift account, Chrome blocked access to my site with a 'certificate revoked' error. A bit of digging turned up this article. Due to a number of security related issues with the Certificate Authority WoSign, and later their undisclosed purchase of StartCom/StartSSL, it appears that use of certificates from either of these companies is now blocked on all Apple products if issued after Jan 1st 2017, and also on Firefox and Chrome. More info on Wikipedia here, and Mozilla here and here.
SSL certificates are relatively inexpensive, but a number of organizations are starting to offer certs for free; Let's Encrypt is one. Their approach requires a script to renew your cert every 90 days. In some hosted environments, however, it might not be possible to run such a script.
For OpenShift hosted apps, you can both assign your own domain name to an application and import an SSL cert. See instructions here. Since it's currently not possible to run a script like the one Let's Encrypt uses (see SO post here), certs from other organizations are more easily imported. StartCom is offering free SSL certs for 1 year, after which presumably you renew for another year.
Depending on what you are hosting, you may need to find and replace any hardcoded references to content loaded via http instead of https (to avoid 'mixed content' warnings in your browser). Once you've done this, though, you get a shiny new green SSL padlock on your site!