  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1265

ssl certificate expired warning message

We have an Apache HTTP server running on our local network.
When connecting to it I get a "certificate expired" warning message.
When I ignore the warning and view the certificate, it shows it is valid from Oct 2008 to Oct 2011.

When I SSH to the Linux box that is running the Apache server and check the certificate with "openssl x509 -in /etc/usr/apache2/conf/cert.crt -fingerprint -text", it shows up with the right date as well.

The certificate has been updated recently, and I have done a software as well as a hardware restart,
but the problem persists.
Could the previous certificate be cached somewhere? Or is this a browser problem? Or maybe something completely different?
0
southwave
Asked:
3 Solutions
 
James Looney, Sr. Programmer/Analyst, Commented:
When you get the error, are you using the same domain name as the certificate was generated for? If there is a mismatch there, it can throw errors.
0
 
southwave, Author, Commented:
The certificate is issued to an IP, and is only open to the local network.
When opening the browser while connected to this local network, you will automatically be redirected to the IP of the web server (172.16.16.1).
After you log on to this website you can browse the internet (and that is where you get the "expired" warning message).
0
 
James Looney, Sr. Programmer/Analyst, Commented:
Did you build this system yourself (the login before you can browse the internet system) or is it a third-party application?
0
 
southwave, Author, Commented:
I honestly couldn't tell you. I have not built it and have no idea how to check who did.
My guess is Apache is set up as a secure proxy in some way.

Either way, the problem began when the certificate expired and I renewed it (which is pretty straightforward).
After that did not resolve the "expired" warning, I reissued the certificate, which also did not help.

So I was wondering if Apache caches the certificate somewhere (I could not find anything in the httpd.conf) or if this might be a browser-related issue (so far all browsers I tried give the warning, though).

Also, when renewing the certificate I had to rename the certificate files to the filenames used in the httpd.conf (triple-checked for spelling errors). I don't know if this might cause a problem.

I know my way around Apache pretty well (at least I thought so) but never had any problems with certificates.
I have been working on this for 2 weeks non-stop now and it is really starting to get to me.

Any help is appreciated.

0
 
James Looney, Sr. Programmer/Analyst, Commented:
Oh yeah, that is annoying as heck.

Well let's see. All the things you mention could certainly make a difference.

First, after installing the new certificate, did you fully stop and then start apache?
commands:
apachectl stop;
apachectl start;

Second, did you install the certificates in the same directory as the old ones (overwrite the old ones)?
If not, did you adjust the directory paths in httpd.conf?
0
 
southwave, Author, Commented:
I tried a software as well as a hardware restart,
and I backed up the old certificates before putting the new ones in.
I triple-checked the links in the httpd.conf.
0
 
James Looney, Sr. Programmer/Analyst, Commented:
Dang. Well, hmmm. And nothing else has changed - ip used, other software changes to the server, etc? Only the new certs?

If so, the only thing I can think of is that the certs were generated with different info than the previous ones. Can you verify the contents of the old certs as well as the new certs?
0
 
southwave, Author, Commented:
Nothing in the setup has changed.

And I have used the "openssl req -new -newkey rsa:2048..." etc. command to generate a new CSR file and then reissued the certificate.

I copied the .key file to the right place as well.
0
 
James Looney, Sr. Programmer/Analyst, Commented:
Sorry, I'm just not sure w/o being able to sit down at the console and do some digging. Hopefully someone else will have an "aha!" moment and post some further help.
0
 
southwave, Author, Commented:
Well, thanks for your help anyway :)
0
 
southwave, Author, Commented:
After setting up a local test system with a spare box I have here, I noticed that the date on the certificate has now changed.

It says it is valid from the start date of the old certificate and ends at the end date of the new certificate,
which makes me believe it reads from both the old and the new certificate.
0
 
James Looney, Sr. Programmer/Analyst, Commented:
Wow. That sounds fun. :)

Let's see, some browsers hang onto some certificate information (so that you won't get those annoying popups each time). So, maybe check to see if that is the case.

I'll assume you are using Internet Explorer. Look on this page for "Installing and Removing Trusted Certificates" and it'll tell you how to remove cert info from the browser: http://www.microsoft.com/technet/prodtechnol/ie/reskit/6/part2/c06ie6rk.mspx?mfr=true
0
 
Paranormastic, Cryptographic Engineer, Commented:
Check to see if there might also be a file ssl.conf if you use virtual hosts.
Here is a generalized walkthrough on how to install the cert - make sure there aren't remnants of the old one hanging around in there.
http://www.digicert.com/ssl-certificate-installation-apache.htm

On the client browser (assuming IE here) - internet options - content - clear ssl state - close all open browsers and try again.
0
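The check for old-certificate remnants suggested above, together with a served-versus-on-disk comparison, as an added example that is not part of any post in this thread. The sample config contents, the cert.key, test.crt and cert.crt.old file names, and port 443 are assumptions; only the cert.crt path and the 172.16.16.1 address come from the thread.

```shell
#!/bin/sh
# Added example: find every active certificate directive in Apache config files,
# then compare the certificate a server presents with the file on disk.

# Print "Directive path file:line" for each uncommented SSL certificate directive.
list_cert_directives() {
    awk '/^[ \t]*#/ { next }
         tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
             gsub(/"/, "", $2)
             printf "%s %s %s:%d\n", $1, $2, FILENAME, FNR
         }' "$@"
}

# Number of distinct SSLCertificateFile paths; more than expected means a
# leftover reference (for example in ssl.conf) may still be in use.
count_cert_files() {
    list_cert_directives "$@" |
        awk 'tolower($1) == "sslcertificatefile" { print $2 }' |
        sort -u | wc -l | tr -d ' '
}

# Succeeds only if the certificate served at host:port has the same SHA-256
# fingerprint and expiry as the file on disk. Needs openssl and a reachable server.
served_matches_disk() {   # args: host port certfile
    served=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
             openssl x509 -noout -fingerprint -sha256 -enddate)
    ondisk=$(openssl x509 -in "$3" -noout -fingerprint -sha256 -enddate)
    printf 'served:\n%s\non disk:\n%s\n' "$served" "$ondisk"
    [ -n "$served" ] && [ "$served" = "$ondisk" ]
}

# Constructed sample configs (not from the thread): ssl.conf still names an old file.
write_sample_configs() {
    printf '%s\n' 'Listen 443' \
        'SSLCertificateFile /etc/usr/apache2/conf/cert.crt' \
        'SSLCertificateKeyFile /etc/usr/apache2/conf/cert.key' > "$1/httpd.conf"
    printf '%s\n' '<VirtualHost _default_:443>' \
        '  # SSLCertificateFile /etc/usr/apache2/conf/test.crt' \
        '  SSLCertificateFile "/etc/usr/apache2/conf/cert.crt.old"' \
        '</VirtualHost>' > "$1/ssl.conf"
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
list_cert_directives "$tmp/httpd.conf" "$tmp/ssl.conf"
echo "distinct SSLCertificateFile paths: $(count_cert_files "$tmp/httpd.conf" "$tmp/ssl.conf")"
rm -rf "$tmp"
# Live check (host from the thread, port 443 assumed):
#   served_matches_disk 172.16.16.1 443 /etc/usr/apache2/conf/cert.crt
```

If the fingerprint served on the wire differs from the one on disk after a full stop and start, some other directive or virtual host is supplying the certificate.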
 
southwave, Author, Commented:
I have used a fresh image to create a new box for testing purposes.
I copied the new certificates over to replicate the problem I was having.
Somehow on the new box it works perfectly.

I used the new box to create a new image, and copied the new image to the old box.
All is working fine now.

Thanks a lot for the help.
0
 
southwave, Author, Commented:
I have given points because the help I got was really good, even though it did not produce a solution.
0
