This project was abandoned because I went in a different direction.
I am working on better securing my server from all these attacks. So I decided I would recreate a root certificate authority and then an intermediate. My web sites use GoDaddy certificates because they are accessed from the internet. Those certificates are on SSL Deep Inspection.
I created two servers called rootca.scsiraidguru.local and interca.scsiraidguru.local.
I followed the link above and built my two CAs and did the chains. I migrated both to p7b files for Windows to use. I added them into their respective certificate folders. Both certificates are OK. My next project is the certificate for MariaDB.
I created two servers rootca and interca. I fully patched both servers.
sudo apt-get update
sudo apt-get dist-upgrade
Edit /etc/hosts on each server and supply the IP, FQDN, and name for both servers. Check hostname and hostname -f to make sure they are configured correctly. Then sudo reboot and run autoclean/autoremove on them.
Install ntp and configure it
sudo apt-get install ntp
/etc/ntp.conf
interface listen IPv4
server ntp.ubuntu.com
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org
Remove the IPv6 entries.
sudo /etc/init.d/ntp restart or sudo reboot
ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 ntp.ubuntu.com  .POOL.          16 p    -   64    0    0.000    0.000   0.000
 alphyn.canonica .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 clock.trit.net  .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 eterna.binary.n .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 tock.eoni.com   .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 138.68.46.177 ( .INIT.          16 u    - 1024    0    0.000    0.000   0.000
If ntpq -p refuses the connection, you have a conflict.
sudo systemctl show ntp.service | grep Conflicts
Conflicts=shutdown.target systemd-timesyncd.service
sudo systemctl status systemd-timesyncd.service
systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-07-12 05:17:21 UTC; 18min ago
cd /root/ca
cat intermediate/certs/int.scsiraidguru.crt.pem certs/ca.scsiraidguru.crt.pem > intermediate/certs/chain.scsiraidguru.crt.pem
When you are done you have:
root CA key: /root/ca/private/ca.scsiraidguru.key.pem
root CA certificate: /root/ca/certs/ca.scsiraidguru.crt.pem
intermediate CA key: /root/ca/intermediate/private/int.scsiraidguru.key.pem
intermediate CA certificate: /root/ca/intermediate/certs/int.scsiraidguru.crt.pem
Chain of Root CA and Intermediate CA certificates: /root/ca/intermediate/certs/chain.scsiraidguru.crt.pem
# Convert PEM to P7B: Windows doesn't like PEM files. If you want to test it, convert them to P7B files.
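
The chain step and the P7B conversion above, as an added example that is not from the original post: the script checks that the intermediate really chains to the root before bundling both certificates into a P7B file with openssl. The function names are hypothetical, and the throwaway demo CA it builds in a temporary directory is constructed sample data standing in for the files under /root/ca.

```shell
# Added example, not from the original post. Function names are hypothetical;
# the throwaway CA is constructed sample data standing in for /root/ca.

make_demo_ca() {  # $1 = empty directory to fill with a demo root + intermediate
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Root CA" -keyout "$1/ca.key.pem" -out "$1/ca.crt.pem" 2>/dev/null &&
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$1/int.key.pem" -out "$1/int.csr.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/int.csr.pem" -CA "$1/ca.crt.pem" -CAkey "$1/ca.key.pem" \
    -CAcreateserial -days 30 -extfile "$1/ca.cnf" -extensions v3_ca \
    -out "$1/int.crt.pem" 2>/dev/null
}

build_chain() {  # $1 = intermediate, $2 = root, $3 = chain file (page's order)
  cat "$1" "$2" > "$3"
}

verify_chain() {  # $1 = root, $2 = intermediate; fails unless the root signed it
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

pem_to_p7b() {  # $1 = PEM chain, $2 = .p7b output; certificates only, no keys
  openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"
}

p7b_cert_count() {  # $1 = .p7b file; prints how many certificates it holds
  openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject'
}

demo() {
  d=$(mktemp -d) && make_demo_ca "$d" &&
  build_chain "$d/int.crt.pem" "$d/ca.crt.pem" "$d/chain.crt.pem" &&
  verify_chain "$d/ca.crt.pem" "$d/int.crt.pem" &&
  pem_to_p7b "$d/chain.crt.pem" "$d/chain.p7b" &&
  echo "certificates in P7B: $(p7b_cert_count "$d/chain.p7b")"
  rm -rf "$d"
}
demo
```

On the CA from this page, the same functions would take /root/ca/certs/ca.scsiraidguru.crt.pem, /root/ca/intermediate/certs/int.scsiraidguru.crt.pem and /root/ca/intermediate/certs/chain.scsiraidguru.crt.pem as arguments.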