How To flush my old cert from openssl

So Im changing hostnames on a live production platform within my business network.
Im changing it from OLDTEST.mydomain.tld to NEWLIVE.mydomain.tld

Ive re-configured my apache virtual directory in /etc/httpd/conf/httpd.comf

Ive got my hostname updated to NEWLIVE.mydomain.tld and configured /etc/hosts & conf.d

I also know I do NOT have the test.mydomain.tld in my validated .csr, .key & .crt files which are now mapped in httpd.conf and Ive deleted all traces of OLDTEST certs.

Im on Linux RHEL 5 running apache 2.2.3 w/ tomcat7
every time I startup services and goto browse https:// I ONLY get the OLDTEST cert

GOAL::
what am I missing to FLUSH OLDTEST and fully exclusively register NEWLIVE cert THX
JAaron AndersonProgramming Architect @ Widener UniversityAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
mod_ssl I think cached my previous cert OLDTEST perhaps somehow :(
0
PapertripCommented:
Have you completely stopped httpd (and confirmed) and restarted since the change?  This generally isn't necessary but I have to ask.
0
arnoldCommented:
Adding to the above, you mentioned you restart the service which should cover the earlier comment.
Make sure the ssl.conf you think is being used the right one
I.e. the virtualhosts entry that responds to the access has to be dentifies as that s where the certificate is.
If you have a load balancer, make sure the ssl connection does not terminate there as that is where the certificate is.  If you have a reverse proxy setup, than that is where the certificate is.
lsof -i:443 to see if the local server is listening for the connections and if it is it will tell you whether httpd or squid.
Etc.
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

ahoffmannCommented:
> ... goto browse https:// I ONLY get the OLDTEST cert
can you please check you logfiles if this request really receives your new server (even virtualhost instance)
0
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
>>completely stopped httpd
service httpd stop
/usr/shared/tomcat7/bin/shutdown.sh
>> confirmed
yes I cant browse to the web solution tomcat/catalina     decompile   from my deployed package
>>restart httpd
service httpd start
/usr/shared/tomcat7/bin/startup.sh
>>lsof -i:443
      all I get is my cursor returned
>>If you have a reverse proxy setup, than that is where the certificate is.
      not sure how to confirm this

..................................

so you all got me thinking
I did a
# which openssl
it gives me :
/usr/bin/openssl
... this is not a directory but led me to find openssl.conf
 grep -i -r "openssl.conf" /usr/bin/
but it must be a binary I cant vi into it :(

is there other configs (other than blatant httpd) I should try to see if the artifact to OLDTEST cert is where the config rests and is being read in before my httpd mappings ?

thanks ahoffmann & arnold & Papertrip
0
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
>>can you please check you logfiles if this request really receives your new server
how would I tell ?
0
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
I can tail /var/log/secure ... is that the log you want me to investigate ?
0
ahoffmannCommented:
> ... is that the log
I can't know ('cause no crystal ball handy :-)
you need to check your configuration for the path and filename of your access and error log
it may be something like
  /var/log/http*log
or
  /var/log/httpd/*log
or
  /var/log/apache/*log
or
  /var/log/apache2/*log
0
arnoldCommented:
first check whether the web server is actually listening on the secure port
lsof -i:443
if it does, it should tell you what user apache/httpd/squid.
Once you have that information you have to look at the apache configuration.
You have not included the Linux OS that you have Debian, ubuntu, RedHat/Centos, SUSE, etc. which is why ahoffmann provided the variations of where an apache log might be.
 /etc/httpd/conf/httpd.conf
/etc/apache2/conf/httpd.conf
without knowing which version of apache you are running, you may have /etc/apache/conf/httpd.conf

The problem I think is that you replaced the .crt file where you think it was being loaded from, but may have actually only replaced copies with the ones currently in use are in /etc/<VARIABLE see Prior>/conf.d/ssl.conf
it may refer to the certificates as being stored in /etc/pki/tls/certs (redHat/Centos).
The prior admin or whoever originally set it up, may have altered the location from which the certificates/keys will be loaded.

There is no quick answer I can give, i.e. look here.
You have to go on a treasure hunt to track down the information where the change needs to be made.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
btw
# rpm -qa openssl
openssl-0.9.8e-12.el5_5.7
0
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
RedHat RHEL 5
I figured Id try to uninstall thru yum and reinstall ?
0
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
>>replaced copies
whole new hostname...
whole new file set including new Trusted Root and different CA this time too :D
I have already did a rm -Rf on all old certs I new were associated with the earlier OLDTEST keystore in fact I now only have linked /etc/httpd/conf/httpd.conf to the NEWLIVE .key, .crt files now placed only in  /usr/lib/jvm/jre-1.6.0-openjdk/bin/java

perhaps theres a way to associate the -trustedcacerts command in keytool via openssl ?
0
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
I found
/usr/lib/jvm/jre-1.6.0-openjdk/bin/java/httpd

vi error_log
[notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[notice] caught SIGTERM, shutting down
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
?
!!!!!! and BINGO pinpointed error !!!!!!!!!
vi MycustomJava_error_log  ##capturing all exceptions thrown
[client my.ip.add.ress ] client denied by server configuration: /usr/share/tomcat7/webapps/
 [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `OLDTEST.MyDomain.tld' does NOT match server name!?
0
arnoldCommented:
OK, so your tomcat/catalina was the SSL server.
0
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
>>OK, so your tomcat/catalina was the SSL server.
how do I know ?

... I used keytool (for native to tomcat) and that isnt where the native OpenSSL/Apache error stems from ?...

/etc/httpd/conf/httpd.conf

        DocumentRoot /usr/share/tomcat7/webapps
        ServerName hostname.widener.edu
        ServerAdmin admin@widener.edu
        ErrorLog /etc/httpd/logs/WPCSssl_error_log
        TransferLog /etc/httpd/logs/WPCSssl_access_log
        SSLEngine On
        SSLCertificateFile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/my_intermediate.crt
        SSLCertificateKeyfile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/MY2048.key
        SSLCertificateChainFile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/CertificateAuthority.crt
        RewriteCond %{HTTP_HOST} !^hostname\.widener\.edu$ [NC,OR]
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^.*$ https://hostname.widener.edu%{REQUEST_URI} [L,R]

... THUS apache I believe is driving some of all this...

but if it is Tomcat where do I check for its " cert caching" ?
0
arnoldCommented:
It is not caching, that is the information in the java store.
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

I thought you said that you do not have anything listening on port 443
lsof -i:443 (you have to have elevated rights to run this command)

using the keytool you would need to import the new cert into the store.


http://www.agentbob.info/agentbob/79-AB.html
openssl options to convert key/certificate formats
http://www.openssl.org/support/faq.html
0
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
just simply missed /etc/<VARIABLE see Prior>/conf.d/ssl.conf

viola
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.