Solved

How To flush my old cert from openssl

Posted on 2012-04-04
748 Views
Last Modified: 2012-04-05
So I'm changing hostnames on a live production platform within my business network.
I'm changing it from OLDTEST.mydomain.tld to NEWLIVE.mydomain.tld

I've re-configured my Apache virtual directory in /etc/httpd/conf/httpd.conf

I've got my hostname updated to NEWLIVE.mydomain.tld and configured /etc/hosts & conf.d

I also know I do NOT have the test.mydomain.tld in my validated .csr, .key & .crt files, which are now mapped in httpd.conf, and I've deleted all traces of OLDTEST certs.

I'm on Linux RHEL 5 running Apache 2.2.3 w/ Tomcat 7
Every time I start up services and go to browse https:// I ONLY get the OLDTEST cert

GOAL::
What am I missing to FLUSH OLDTEST and fully, exclusively register the NEWLIVE cert? THX
Question by:jandersonwidener
17 Comments

Author Comment

by:jandersonwidener
ID: 37808356
mod_ssl I think cached my previous cert OLDTEST perhaps somehow :(
LVL 21

Expert Comment

by:Papertrip
ID: 37809245
Have you completely stopped httpd (and confirmed) and restarted since the change? This generally isn't necessary, but I have to ask.
LVL 78

Expert Comment

by:arnold
ID: 37809293
Adding to the above, you mentioned you restart the service, which should cover the earlier comment.
Make sure the ssl.conf you think is being used is the right one,
i.e. the VirtualHost entry that responds to the access has to be identified, as that's where the certificate is.
If you have a load balancer, make sure the SSL connection does not terminate there, as that is where the certificate is. If you have a reverse proxy setup, then that is where the certificate is.
lsof -i:443 to see if the local server is listening for the connections; if it is, it will tell you whether it is httpd or squid.
Etc.
LVL 51

Expert Comment

by:ahoffmann
ID: 37809575
> ... go to browse https:// I ONLY get the OLDTEST cert
Can you please check your logfiles to see if this request really reaches your new server (even the virtualhost instance)?

Author Comment

by:jandersonwidener
ID: 37812326
>>completely stopped httpd
service httpd stop
/usr/shared/tomcat7/bin/shutdown.sh
>> confirmed
yes, I can't browse to the web solution tomcat/catalina decompile from my deployed package
>>restart httpd
service httpd start
/usr/shared/tomcat7/bin/startup.sh
>>lsof -i:443
      all I get is my cursor returned
>>If you have a reverse proxy setup, then that is where the certificate is.
      not sure how to confirm this

..................................

so you all got me thinking
I did a
# which openssl
it gives me:
/usr/bin/openssl
... this is not a directory, but it led me to find openssl.conf
 grep -i -r "openssl.conf" /usr/bin/
but it must be a binary, I can't vi into it :(

are there other configs (other than the blatant httpd) I should try, to see if the artifact of the OLDTEST cert is where the config rests and is being read in before my httpd mappings?

thanks ahoffmann & arnold & Papertrip

Author Comment

by:jandersonwidener
ID: 37812342
>>can you please check you logfiles if this request really receives your new server
how would I tell?

Author Comment

by:jandersonwidener
ID: 37812354
I can tail /var/log/secure ... is that the log you want me to investigate?
LVL 51

Expert Comment

by:ahoffmann
ID: 37812375
> ... is that the log
I can't know ('cause no crystal ball handy :-)
you need to check your configuration for the path and filename of your access and error log
it may be something like
  /var/log/http*log
or
  /var/log/httpd/*log
or
  /var/log/apache/*log
or
  /var/log/apache2/*log
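To turn "check your logfiles" into something concrete, here is an added helper script (not ahoffmann's or the thread's own code). It assumes an Apache 2.2-style config tree such as /etc/httpd (relative log paths are relative to ServerRoot) and a mod_ssl error log; the config snippet and log lines it runs on at the bottom are constructed, the two warnings being the ones quoted later in this thread. It first lists which ErrorLog/TransferLog belongs to which ServerName, then classifies the mod_ssl warnings that matter for a certificate swap.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an Apache 2.2-style config tree
# (httpd.conf plus conf.d/*.conf) and a mod_ssl error log. Sample data below is
# constructed.

# log_directives CONFDIR
# Prints "file:line:Directive value" for every ServerName, ErrorLog,
# TransferLog and CustomLog directive under CONFDIR, sorted, so you can see
# which log file belongs to which virtual host before tailing anything.
# Commented-out directives are skipped; surrounding quotes are dropped.
log_directives() {
    grep -rn -i -E '^[[:space:]]*(ServerName|ErrorLog|TransferLog|CustomLog)[[:space:]]' "$1" 2>/dev/null |
      awk '{
          split($0, a, ":"); file = a[1]; line = a[2]
          rest = $0; sub(/^[^:]*:[^:]*:[ \t]*/, "", rest)
          gsub(/"/, "", rest)
          print file ":" line ":" rest
      }' | sort
}

# scan_ssl_warnings LOGFILE
# Classifies mod_ssl [warn]/[error] lines; output is "CLASS<TAB>original line".
#   CN_MISMATCH   certificate CommonName differs from the vhost ServerName
#   CA_AS_SERVER  SSLCertificateFile points at a CA/intermediate, not the leaf
#   OTHER_SSL     any other SSL/certificate related warning or error
scan_ssl_warnings() {
    grep -E '\[(warn|error)\]' "$1" | awk '
        /certificate CommonName \(CN\)/ && /does NOT match server name/ { print "CN_MISMATCH\t" $0; next }
        /server certificate is a CA certificate/                       { print "CA_AS_SERVER\t" $0; next }
        /SSL|certificate/                                               { print "OTHER_SSL\t" $0 }
    '
}

# Demo on constructed data: one SSL vhost and the two warnings from the thread.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/conf.d"
cat > "$demo_dir/conf.d/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    ServerName NEWLIVE.mydomain.tld
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    SSLEngine on
</VirtualHost>
EOF
cat > "$demo_dir/error_log" <<'EOF'
[notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `OLDTEST.MyDomain.tld' does NOT match server name!?
EOF
echo "== log directives =="
log_directives "$demo_dir"
echo "== mod_ssl warnings =="
scan_ssl_warnings "$demo_dir/error_log"
rm -rf "$demo_dir"
```

Run it against the real tree with `log_directives /etc/httpd` and `scan_ssl_warnings /etc/httpd/logs/ssl_error_log` (paths per ahoffmann's list above). A CN_MISMATCH line names the certificate httpd actually loaded, which is the file to trace back through the config.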
LVL 78

Accepted Solution

by:arnold (earned 500 total points)
ID: 37812457
first check whether the web server is actually listening on the secure port
lsof -i:443
if it does, it should tell you what user: apache/httpd/squid.
Once you have that information you have to look at the Apache configuration.
You have not included the Linux OS that you have (Debian, Ubuntu, RedHat/CentOS, SUSE, etc.), which is why ahoffmann provided the variations of where an Apache log might be.
/etc/httpd/conf/httpd.conf
/etc/apache2/conf/httpd.conf
without knowing which version of Apache you are running, you may have /etc/apache/conf/httpd.conf

The problem I think is that you replaced the .crt file where you think it was being loaded from, but may have actually only replaced copies, while the ones currently in use are in /etc/<VARIABLE see Prior>/conf.d/ssl.conf
it may refer to the certificates as being stored in /etc/pki/tls/certs (RedHat/CentOS).
The prior admin or whoever originally set it up may have altered the location from which the certificates/keys will be loaded.

There is no quick answer I can give, i.e. look here.
You have to go on a treasure hunt to track down the information where the change needs to be made.
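The "treasure hunt" arnold describes can be done mechanically. The script below is an added example, not arnold's or the thread's own code. It assumes a RHEL-style Apache tree (httpd.conf plus conf.d/*.conf, which is where the forgotten ssl.conf in this thread lived), mod_ssl directives, and the openssl CLI on PATH (the `-servername` option in `served_cn` needs an SNI-capable openssl). It lists every active SSLCertificateFile directive, reports for each one whether the file is missing, is a CA certificate, or carries a CN other than the expected hostname, and separately shows the CN the running listener presents. The config tree and the self-signed OLDTEST certificate in the demo are constructed.

```shell
#!/bin/sh
# Added example, not arnold's or the thread's own code. Assumes a RHEL-style
# Apache tree (httpd.conf plus conf.d/*.conf), mod_ssl and the openssl CLI.
# The config tree and certificate in the demo at the bottom are constructed.

# cert_directives CONFDIR
# Prints "file:line:path" for every active SSLCertificateFile directive under
# CONFDIR, sorted. Commented-out directives are skipped; conf.d/ssl.conf is
# searched just like httpd.conf, which is exactly where a stale vhost hides.
cert_directives() {
    grep -rn -i '^[[:space:]]*SSLCertificateFile[[:space:]]' "$1" 2>/dev/null |
      awk '{
          split($0, a, ":"); file = a[1]; line = a[2]
          rest = $0; sub(/^[^:]*:[^:]*:[ \t]*/, "", rest)
          split(rest, w, /[ \t]+/); gsub(/"/, "", w[2])
          print file ":" line ":" w[2]
      }' | sort
}

# cert_cn CERTFILE
# Subject CommonName of a PEM certificate; copes with both the 0.9.8
# "subject= /C=US/CN=x" and the modern "subject=C = US, CN = x" layouts.
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null |
      sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_is_ca CERTFILE
# Succeeds when basicConstraints says CA:TRUE, i.e. the file is a root or
# intermediate and would trigger "RSA server certificate is a CA certificate".
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# audit_certs CONFDIR EXPECTED_CN
# One tab-separated line per directive:
#   MISSING      file not readable (directive points at a deleted/moved cert)
#   CA_CERT      a CA certificate is configured as the server certificate
#   CN_MISMATCH  certificate CN differs from EXPECTED_CN (e.g. the old hostname)
#   OK           leaf certificate whose CN matches
audit_certs() {
    cert_directives "$1" | while IFS=: read -r file line path; do
        if [ ! -r "$path" ]; then
            printf 'MISSING\t%s:%s\t%s\n' "$file" "$line" "$path"
            continue
        fi
        cn=$(cert_cn "$path")
        if cert_is_ca "$path"; then status=CA_CERT
        elif [ "$cn" != "$2" ]; then status=CN_MISMATCH
        else status=OK
        fi
        printf '%s\t%s:%s\t%s\tCN=%s\n' "$status" "$file" "$line" "$path" "$cn"
    done
}

# served_cn HOST [PORT]
# CN that the *running* listener actually presents. If it matches none of the
# files audit_certs reports, something other than this httpd (load balancer,
# reverse proxy, Tomcat on 443) is terminating TLS.
served_cn() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null |
      openssl x509 -noout -subject 2>/dev/null |
      sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Demo on constructed data: httpd.conf already points at the new cert (which
# does not exist here), while a forgotten conf.d/ssl.conf still loads a
# self-signed OLDTEST certificate generated on the spot.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/conf" "$demo_dir/conf.d"
printf 'SSLCertificateFile /etc/pki/tls/certs/NEWLIVE.crt\n' > "$demo_dir/conf/httpd.conf"
printf '<VirtualHost _default_:443>\n    SSLCertificateFile "%s/OLDTEST.crt"\n</VirtualHost>\n' \
    "$demo_dir" > "$demo_dir/conf.d/ssl.conf"
if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=OLDTEST.mydomain.tld' \
        -keyout "$demo_dir/OLDTEST.key" -out "$demo_dir/OLDTEST.crt" >/dev/null 2>&1
fi
audit_certs "$demo_dir" NEWLIVE.mydomain.tld
rm -rf "$demo_dir"
```

On the real box, `audit_certs /etc/httpd NEWLIVE.mydomain.tld` plus `served_cn NEWLIVE.mydomain.tld` gives the whole picture in two commands: a CA_CERT or CN_MISMATCH row names the file and directive still carrying the old identity, and a served CN that matches no audited file means the listener on 443 is not this httpd. Note that a self-signed cert made with a stock `openssl req -x509` usually carries CA:TRUE, so the demo's OLDTEST row may come back as CA_CERT rather than CN_MISMATCH; either way it is flagged.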

Author Comment

by:jandersonwidener
ID: 37812459
btw
# rpm -qa openssl
openssl-0.9.8e-12.el5_5.7

Author Comment

by:jandersonwidener
ID: 37812465
RedHat RHEL 5
I figured I'd try to uninstall thru yum and reinstall?

Author Comment

by:jandersonwidener
ID: 37812491
>>replaced copies
whole new hostname...
whole new file set including new Trusted Root and different CA this time too :D
I have already done an rm -Rf on all old certs I knew were associated with the earlier OLDTEST keystore; in fact I now only have /etc/httpd/conf/httpd.conf linked to the NEWLIVE .key, .crt files, now placed only in /usr/lib/jvm/jre-1.6.0-openjdk/bin/java

perhaps there's a way to associate the -trustedcacerts command in keytool via openssl?

Author Comment

by:jandersonwidener
ID: 37812532
I found
/usr/lib/jvm/jre-1.6.0-openjdk/bin/java/httpd

vi error_log
[notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[notice] caught SIGTERM, shutting down
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
?
!!!!!! and BINGO pinpointed error !!!!!!!!!
vi MycustomJava_error_log  ##capturing all exceptions thrown
[client my.ip.add.ress ] client denied by server configuration: /usr/share/tomcat7/webapps/
 [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `OLDTEST.MyDomain.tld' does NOT match server name!?
LVL 78

Expert Comment

by:arnold
ID: 37812766
OK, so your tomcat/catalina was the SSL server.

Author Comment

by:jandersonwidener
ID: 37813857
>>OK, so your tomcat/catalina was the SSL server.
how do I know ?

... I used keytool (native to Tomcat), and that isn't where the native OpenSSL/Apache error stems from?...

/etc/httpd/conf/httpd.conf

        DocumentRoot /usr/share/tomcat7/webapps
        ServerName hostname.widener.edu
        ServerAdmin admin@widener.edu
        ErrorLog /etc/httpd/logs/WPCSssl_error_log
        TransferLog /etc/httpd/logs/WPCSssl_access_log
        SSLEngine On
        SSLCertificateFile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/my_intermediate.crt
        SSLCertificateKeyfile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/MY2048.key
        SSLCertificateChainFile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/CertificateAuthority.crt
        RewriteCond %{HTTP_HOST} !^hostname\.widener\.edu$ [NC,OR]
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^.*$ https://hostname.widener.edu%{REQUEST_URI} [L,R]

... THUS Apache, I believe, is driving some of all this...

but if it is Tomcat, where do I check for its "cert caching"?
LVL 78

Expert Comment

by:arnold
ID: 37813899
It is not caching; that is the information in the Java store.
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

I thought you said that you do not have anything listening on port 443
lsof -i:443 (you have to have elevated rights to run this command)

using keytool you would need to import the new cert into the store.

http://www.agentbob.info/agentbob/79-AB.html
openssl options to convert key/certificate formats
http://www.openssl.org/support/faq.html

Author Closing Comment

by:jandersonwidener
ID: 37814024
just simply missed /etc/<VARIABLE see Prior>/conf.d/ssl.conf

voilà