Solved

How To flush my old cert from openssl

Posted on 2012-04-04
17
739 Views
Last Modified: 2012-04-05
So Im changing hostnames on a live production platform within my business network.
Im changing it from OLDTEST.mydomain.tld to NEWLIVE.mydomain.tld

Ive re-configured my apache virtual directory in /etc/httpd/conf/httpd.comf

Ive got my hostname updated to NEWLIVE.mydomain.tld and configured /etc/hosts & conf.d

I also know I do NOT have the test.mydomain.tld in my validated .csr, .key & .crt files which are now mapped in httpd.conf and Ive deleted all traces of OLDTEST certs.

Im on Linux RHEL 5 running apache 2.2.3 w/ tomcat7
every time I startup services and goto browse https:// I ONLY get the OLDTEST cert

GOAL::
what am I missing to FLUSH OLDTEST and fully exclusively register NEWLIVE cert THX
0
Comment
Question by:jandersonwidener
  • 10
  • 4
  • 2
  • +1
17 Comments
 

Author Comment

by:jandersonwidener
Comment Utility
mod_ssl I think cached my previous cert OLDTEST perhaps somehow :(
0
 
LVL 21

Expert Comment

by:Papertrip
Comment Utility
Have you completely stopped httpd (and confirmed) and restarted since the change?  This generally isn't necessary but I have to ask.
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Adding to the above, you mentioned you restart the service which should cover the earlier comment.
Make sure the ssl.conf you think is being used the right one
I.e. the virtualhosts entry that responds to the access has to be dentifies as that s where the certificate is.
If you have a load balancer, make sure the ssl connection does not terminate there as that is where the certificate is.  If you have a reverse proxy setup, than that is where the certificate is.
lsof -i:443 to see if the local server is listening for the connections and if it is it will tell you whether httpd or squid.
Etc.
0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
> ... goto browse https:// I ONLY get the OLDTEST cert
can you please check you logfiles if this request really receives your new server (even virtualhost instance)
0
 

Author Comment

by:jandersonwidener
Comment Utility
>>completely stopped httpd
service httpd stop
/usr/shared/tomcat7/bin/shutdown.sh
>> confirmed
yes I cant browse to the web solution tomcat/catalina     decompile   from my deployed package
>>restart httpd
service httpd start
/usr/shared/tomcat7/bin/startup.sh
>>lsof -i:443
      all I get is my cursor returned
>>If you have a reverse proxy setup, than that is where the certificate is.
      not sure how to confirm this

..................................

so you all got me thinking
I did a
# which openssl
it gives me :
/usr/bin/openssl
... this is not a directory but led me to find openssl.conf
 grep -i -r "openssl.conf" /usr/bin/
but it must be a binary I cant vi into it :(

is there other configs (other than blatant httpd) I should try to see if the artifact to OLDTEST cert is where the config rests and is being read in before my httpd mappings ?

thanks ahoffmann & arnold & Papertrip
0
 

Author Comment

by:jandersonwidener
Comment Utility
>>can you please check you logfiles if this request really receives your new server
how would I tell ?
0
 

Author Comment

by:jandersonwidener
Comment Utility
I can tail /var/log/secure ... is that the log you want me to investigate ?
0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
> ... is that the log
I can't know ('cause no crystal ball handy :-)
you need to check your configuration for the path and filename of your access and error log
it may be something like
  /var/log/http*log
or
  /var/log/httpd/*log
or
  /var/log/apache/*log
or
  /var/log/apache2/*log
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
Comment Utility
first check whether the web server is actually listening on the secure port
lsof -i:443
if it does, it should tell you what user apache/httpd/squid.
Once you have that information you have to look at the apache configuration.
You have not included the Linux OS that you have Debian, ubuntu, RedHat/Centos, SUSE, etc. which is why ahoffmann provided the variations of where an apache log might be.
 /etc/httpd/conf/httpd.conf
/etc/apache2/conf/httpd.conf
without knowing which version of apache you are running, you may have /etc/apache/conf/httpd.conf

The problem I think is that you replaced the .crt file where you think it was being loaded from, but may have actually only replaced copies with the ones currently in use are in /etc/<VARIABLE see Prior>/conf.d/ssl.conf
it may refer to the certificates as being stored in /etc/pki/tls/certs (redHat/Centos).
The prior admin or whoever originally set it up, may have altered the location from which the certificates/keys will be loaded.

There is no quick answer I can give, i.e. look here.
You have to go on a treasure hunt to track down the information where the change needs to be made.
0
 

Author Comment

by:jandersonwidener
Comment Utility
btw
# rpm -qa openssl
openssl-0.9.8e-12.el5_5.7
0
 

Author Comment

by:jandersonwidener
Comment Utility
RedHat RHEL 5
I figured Id try to uninstall thru yum and reinstall ?
0
 

Author Comment

by:jandersonwidener
Comment Utility
>>replaced copies
whole new hostname...
whole new file set including new Trusted Root and different CA this time too :D
I have already did a rm -Rf on all old certs I new were associated with the earlier OLDTEST keystore in fact I now only have linked /etc/httpd/conf/httpd.conf to the NEWLIVE .key, .crt files now placed only in  /usr/lib/jvm/jre-1.6.0-openjdk/bin/java

perhaps theres a way to associate the -trustedcacerts command in keytool via openssl ?
0
 

Author Comment

by:jandersonwidener
Comment Utility
I found
/usr/lib/jvm/jre-1.6.0-openjdk/bin/java/httpd

vi error_log
[notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[notice] caught SIGTERM, shutting down
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
?
!!!!!! and BINGO pinpointed error !!!!!!!!!
vi MycustomJava_error_log  ##capturing all exceptions thrown
[client my.ip.add.ress ] client denied by server configuration: /usr/share/tomcat7/webapps/
 [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `OLDTEST.MyDomain.tld' does NOT match server name!?
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
OK, so your tomcat/catalina was the SSL server.
0
 

Author Comment

by:jandersonwidener
Comment Utility
>>OK, so your tomcat/catalina was the SSL server.
how do I know ?

... I used keytool (for native to tomcat) and that isnt where the native OpenSSL/Apache error stems from ?...
&
/etc/httpd/conf/httpd.conf

        DocumentRoot /usr/share/tomcat7/webapps
        ServerName hostname.widener.edu
        ServerAdmin admin@widener.edu
        ErrorLog /etc/httpd/logs/WPCSssl_error_log
        TransferLog /etc/httpd/logs/WPCSssl_access_log
        SSLEngine On
        SSLCertificateFile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/my_intermediate.crt
        SSLCertificateKeyfile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/MY2048.key
        SSLCertificateChainFile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/CertificateAuthority.crt
        RewriteCond %{HTTP_HOST} !^hostname\.widener\.edu$ [NC,OR]
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^.*$ https://hostname.widener.edu%{REQUEST_URI} [L,R]

... THUS apache I believe is driving some of all this...

but if it is Tomcat where do I check for its " cert caching" ?
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
It is not caching, that is the information in the java store.
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

I thought you said that you do not have anything listening on port 443
lsof -i:443 (you have to have elevated rights to run this command)

using the keytool you would need to import the new cert into the store.


http://www.agentbob.info/agentbob/79-AB.html
openssl options to convert key/certificate formats
http://www.openssl.org/support/faq.html
0
 

Author Closing Comment

by:jandersonwidener
Comment Utility
just simply missed /etc/<VARIABLE see Prior>/conf.d/ssl.conf

viola
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now