How To flush my old cert from openssl
Asked by JAaron Anderson
So I'm changing hostnames on a live production platform within my business network.
I'm changing it from OLDTEST.mydomain.tld to NEWLIVE.mydomain.tld.
I've re-configured my Apache virtual directory in /etc/httpd/conf/httpd.conf.
I've got my hostname updated to NEWLIVE.mydomain.tld and configured /etc/hosts & conf.d.
I also know I do NOT have the test.mydomain.tld in my validated .csr, .key & .crt files, which are now mapped in httpd.conf, and I've deleted all traces of OLDTEST certs.
I'm on Linux RHEL 5 running Apache 2.2.3 w/ tomcat7.
Every time I start up services and go to browse https:// I ONLY get the OLDTEST cert.
GOAL:
What am I missing to FLUSH OLDTEST and fully, exclusively register the NEWLIVE cert? THX
Have you completely stopped httpd (and confirmed) and restarted since the change? This generally isn't necessary but I have to ask.
Adding to the above, you mentioned you restart the service which should cover the earlier comment.
Make sure the ssl.conf you think is being used is the right one.
I.e. the VirtualHost entry that responds to the access has to be identified, as that is where the certificate is.
If you have a load balancer, make sure the SSL connection does not terminate there, as that is where the certificate is. If you have a reverse proxy setup, then that is where the certificate is.
lsof -i:443 to see if the local server is listening for the connections, and if it is, it will tell you whether it is httpd or squid.
Etc.
> ... goto browse https:// I ONLY get the OLDTEST cert
can you please check your logfiles to see whether this request really reaches your new server (or even the virtualhost instance)
ASKER
>>completely stopped httpd
service httpd stop
/usr/shared/tomcat7/bin/shutdown.sh
>> confirmed
yes, I can't browse to the web solution (tomcat/catalina decompile from my deployed package)
>>restart httpd
service httpd start
/usr/shared/tomcat7/bin/startup.sh
>>lsof -i:443
all I get is my cursor returned
>>If you have a reverse proxy setup, then that is where the certificate is.
not sure how to confirm this
so you all got me thinking
I did a
# which openssl
it gives me:
/usr/bin/openssl
... this is not a directory but led me to find openssl.conf
grep -i -r "openssl.conf" /usr/bin/
but it must be a binary, I can't vi into it :(
are there other configs (other than the blatant httpd ones) I should try, to see if the artifact of the OLDTEST cert is where the config rests and is being read in before my httpd mappings?
thanks ahoffmann & arnold & Papertrip
ASKER
>>can you please check your logfiles if this request really reaches your new server
how would I tell?
ASKER
I can tail /var/log/secure ... is that the log you want me to investigate?
> ... is that the log
I can't know ('cause no crystal ball handy :-)
you need to check your configuration for the path and filename of your access and error log
it may be something like
/var/log/http*log
or
/var/log/httpd/*log
or
/var/log/apache/*log
or
/var/log/apache2/*log
ASKER
btw
# rpm -qa openssl
openssl-0.9.8e-12.el5_5.7
ASKER
RedHat RHEL 5
I figured I'd try to uninstall through yum and reinstall?
ASKER
>>replaced copies
whole new hostname...
whole new file set, including new Trusted Root and a different CA this time too :D
I have already done a rm -Rf on all old certs I knew were associated with the earlier OLDTEST keystore. In fact I now only have /etc/httpd/conf/httpd.conf linked to the NEWLIVE .key, .crt files, now placed only in /usr/lib/jvm/jre-1.6.0-openjdk/bin/java
perhaps there's a way to associate the -trustedcacerts command in keytool via openssl?
ASKER
I found
/usr/lib/jvm/jre-1.6.0-openjdk/bin/java/httpd
vi error_log
[notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[notice] caught SIGTERM, shutting down
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
?
!!!!!! and BINGO pinpointed error !!!!!!!!!
vi MycustomJava_error_log ##capturing all exceptions thrown
[client my.ip.add.ress ] client denied by server configuration: /usr/share/tomcat7/webapps /
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `OLDTEST.MyDomain.tld' does NOT match server name!?
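Those two [warn] lines are mod_ssl describing the certificate it actually loaded at startup, so they are the most direct evidence of which file won. The script below is an added example for this thread (not code from any of the posts): it parses error_log lines in that format, pulls the CN out of the mismatch warning, compares it with the ServerName you expect, and flags the "CA == TRUE" warning, which mod_ssl emits when the file named in SSLCertificateFile is a CA certificate rather than the server's own leaf certificate (consistent with the posted config pointing SSLCertificateFile at an intermediate). The log lines in SAMPLE_LOG, including timestamps and the 192.0.2.10 client address, are constructed.

```python
"""Triage the mod_ssl certificate warnings httpd writes to error_log at
startup. Added example for this thread, not code from the posts. The lines
in SAMPLE_LOG are constructed to match the formats mod_ssl in httpd 2.2
emits (timestamps and the 192.0.2.10 client address are made up)."""
import re

# The two startup warnings quoted in the thread, as regular expressions.
_CN_RE = re.compile(
    r"RSA server certificate CommonName \(CN\) `([^']+)' does NOT match server name")
_CA_RE = re.compile(r"RSA server certificate is a CA certificate")

SAMPLE_LOG = """\
[Mon Mar 05 10:12:01 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Mon Mar 05 10:12:01 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Mar 05 10:12:01 2012] [warn] RSA server certificate CommonName (CN) `OLDTEST.MyDomain.tld' does NOT match server name!?
[Mon Mar 05 10:12:03 2012] [error] [client 192.0.2.10] client denied by server configuration: /usr/share/tomcat7/webapps/
"""


def audit_ssl_startup(log_text, expected_servername):
    """Return what mod_ssl said about the certificate it actually loaded.

    'cn' is the CommonName from the mismatch warning (None if absent),
    'cn_matches' compares it case-insensitively with the ServerName you
    expect, 'leaf_is_ca' is set when the file named in SSLCertificateFile
    carries BasicConstraints CA:TRUE, and 'warnings' keeps the raw lines."""
    result = {'cn': None, 'cn_matches': None, 'leaf_is_ca': False, 'warnings': []}
    for line in log_text.splitlines():
        if '[warn]' not in line or 'server certificate' not in line:
            continue
        result['warnings'].append(line.strip())
        m = _CN_RE.search(line)
        if m:
            result['cn'] = m.group(1)
            result['cn_matches'] = m.group(1).lower() == expected_servername.lower()
        if _CA_RE.search(line):
            result['leaf_is_ca'] = True
    return result


def diagnose(audit):
    """Map the audit onto the configuration checks to run next."""
    steps = []
    if audit['cn'] is not None and not audit['cn_matches']:
        steps.append('loaded certificate has CN %s, so the SSLCertificateFile httpd '
                     'really read is not the new one: list SSLCertificateFile in every '
                     'included file, conf.d/ssl.conf included' % audit['cn'])
    if audit['leaf_is_ca']:
        steps.append('SSLCertificateFile names a CA certificate (BasicConstraints '
                     'CA:TRUE); it must name the server leaf certificate, with the '
                     'intermediate in SSLCertificateChainFile')
    if not steps:
        steps.append('no mod_ssl certificate warnings found')
    return steps


if __name__ == '__main__':
    audit = audit_ssl_startup(SAMPLE_LOG, 'NEWLIVE.mydomain.tld')
    for step in diagnose(audit):
        print('-', step)
```

Run it against a real error_log by reading the file into audit_ssl_startup with the ServerName from httpd.conf; the CN it reports is the one in the file mod_ssl loaded, regardless of which SSLCertificateFile line you believe is in effect.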
OK, so your tomcat/catalina was the SSL server.
ASKER
>>OK, so your tomcat/catalina was the SSL server.
how do I know ?
... I used keytool (native to tomcat) and that isn't where the native OpenSSL/Apache error stems from?...
&
/etc/httpd/conf/httpd.conf
DocumentRoot /usr/share/tomcat7/webapps
ServerName hostname.widener.edu
ServerAdmin admin@widener.edu
ErrorLog /etc/httpd/logs/WPCSssl_error_log
TransferLog /etc/httpd/logs/WPCSssl_access_log
SSLEngine On
SSLCertificateFile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/my_intermediate.crt
SSLCertificateKeyFile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/MY2048.key
SSLCertificateChainFile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/CertificateAuthority.crt
RewriteCond %{HTTP_HOST} !^hostname\.widener\.edu$ [NC,OR]
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://hostname.widener.edu%{REQUEST_URI} [L,R]
... THUS apache I believe is driving some of all this...
but if it is Tomcat, where do I check for its "cert caching"?
It is not caching, that is the information in the java store.
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
I thought you said that you do not have anything listening on port 443
lsof -i:443 (you have to have elevated rights to run this command)
using the keytool you would need to import the new cert into the store.
http://www.agentbob.info/agentbob/79-AB.html
openssl options to convert key/certificate formats
http://www.openssl.org/support/faq.html
ASKER
just simply missed /etc/<VARIABLE see Prior>/conf.d/ssl.conf
voilà
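The cause turned out to be the stock conf.d/ssl.conf, which httpd.conf pulls in through its Include line before the operator's own TLS VirtualHost is defined. Arnold's earlier advice ("make sure the ssl.conf you think is being used is the right one") can be done mechanically: walk the configuration in the order httpd loads it and list every block that enables SSL with the certificate file it names. The script below is an added example for this thread, not code from any of the posts or from the httpd project. It assumes a 2.2-style layout (ServerRoot-relative Include arguments, VirtualHost blocks that do not span files) and builds a constructed sample tree in a temporary directory; the NEWLIVE names come from the thread, the /etc/pki/tls/... paths are the placeholder locations the RHEL ssl.conf refers to, and everything else is made up.

```python
"""List every TLS <VirtualHost> httpd will define, in load order, following
Include globs as httpd does. Added example for this thread, not code from
the posts. Assumes a 2.2-style layout: ServerRoot-relative Include
arguments and VirtualHost blocks that do not span files."""
import glob
import os
import re
import tempfile

_INCLUDE_RE = re.compile(r'^\s*include(?:optional)?\s+"?([^"\s]+)"?', re.I)
_VHOST_OPEN_RE = re.compile(r'^\s*<virtualhost\s+([^>]+)>', re.I)
_VHOST_CLOSE_RE = re.compile(r'^\s*</virtualhost>', re.I)
_WANTED_RE = re.compile(r'^\s*(sslengine|sslcertificatefile|sslcertificatekeyfile|'
                        r'sslcertificatechainfile|servername)\s+"?([^"\s]+)"?', re.I)


def _expand_include(arg, server_root):
    """Resolve against ServerRoot and expand the glob in sorted order, as httpd does."""
    if not os.path.isabs(arg):
        arg = os.path.join(server_root, arg)
    if os.path.isdir(arg):
        arg = os.path.join(arg, '*')
    return sorted(p for p in glob.glob(arg) if os.path.isfile(p))


def _walk(path, server_root, found, state):
    """Read one file, descending into each Include at the point it appears."""
    block = None
    with open(path, encoding='utf-8', errors='replace') as fh:
        for raw in fh:
            line = raw.split('#', 1)[0]                   # drop comments
            m = _VHOST_OPEN_RE.match(line)
            if m:
                block = {'file': path, 'vhost': m.group(1).strip(), 'directives': {}}
                continue
            if _VHOST_CLOSE_RE.match(line):
                if block and block['directives'].get('sslengine', '').lower() == 'on':
                    found.append(block)
                block = None
                continue
            m = _INCLUDE_RE.match(line)
            if m:
                for sub in _expand_include(m.group(1), server_root):
                    _walk(sub, server_root, found, state)
                continue
            m = _WANTED_RE.match(line)
            if not m:
                continue
            target = block
            if target is None:                            # main-server scope
                if state['global'] is None:
                    state['global'] = {'file': path, 'vhost': None, 'directives': {}}
                    found.append(state['global'])
                target = state['global']
            target['directives'][m.group(1).lower()] = m.group(2)


def collect_tls_vhosts(main_conf, server_root):
    """Every TLS-enabled block, in the order httpd defines them."""
    found, state = [], {'global': None}
    _walk(main_conf, server_root, found, state)
    return [b for b in found if b['vhost'] or 'sslcertificatefile' in b['directives']]


def vhost_serving_port(blocks, port):
    """Without SNI (httpd 2.2.3 with OpenSSL 0.9.8e has none) every client on a
    port gets the first <VirtualHost> defined for it, whatever ServerName says."""
    suffix = ':%d' % port
    for b in blocks:
        if b['vhost'] and any(a.endswith(suffix) for a in b['vhost'].split()):
            return b
    return None


def build_sample_tree():
    """Constructed sample mirroring the RHEL 5 layout in the thread: httpd.conf
    includes conf.d before its own NEWLIVE vhost, and the stock conf.d/ssl.conf
    still defines _default_:443 with the distribution's placeholder cert."""
    root = tempfile.mkdtemp(prefix='httpd-root-')
    os.makedirs(os.path.join(root, 'conf'))
    os.makedirs(os.path.join(root, 'conf.d'))
    main_conf = os.path.join(root, 'conf', 'httpd.conf')
    with open(main_conf, 'w') as fh:
        fh.write('ServerRoot "%s"\nListen 80\nInclude conf.d/*.conf\n' % root)
        fh.write('<VirtualHost *:443>\n    ServerName NEWLIVE.mydomain.tld\n'
                 '    SSLEngine On\n    SSLCertificateFile /etc/pki/tls/certs/NEWLIVE.crt\n'
                 '    SSLCertificateKeyFile /etc/pki/tls/private/NEWLIVE.key\n</VirtualHost>\n')
    with open(os.path.join(root, 'conf.d', 'ssl.conf'), 'w') as fh:
        fh.write('Listen 443\n<VirtualHost _default_:443>\n    SSLEngine on\n'
                 '    SSLCertificateFile /etc/pki/tls/certs/localhost.crt\n'
                 '    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key\n</VirtualHost>\n')
    return root, main_conf


if __name__ == '__main__':
    root, main_conf = build_sample_tree()
    for b in collect_tls_vhosts(main_conf, root):
        print(os.path.relpath(b['file'], root), b['vhost'], b['directives'].get('sslcertificatefile'))
```

On a real host call collect_tls_vhosts('/etc/httpd/conf/httpd.conf', '/etc/httpd') and then vhost_serving_port(blocks, 443): the block it returns, and the SSLCertificateFile inside it, is what clients actually receive. If that block lives in conf.d/ssl.conf, either point its directives at the new files or remove its _default_:443 block so the httpd.conf vhost is the only one on the port.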