[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 787
  • Last Modified:

How To flush my old cert from openssl

So Im changing hostnames on a live production platform within my business network.
Im changing it from OLDTEST.mydomain.tld to NEWLIVE.mydomain.tld

Ive re-configured my apache virtual directory in /etc/httpd/conf/httpd.comf

Ive got my hostname updated to NEWLIVE.mydomain.tld and configured /etc/hosts & conf.d

I also know I do NOT have the test.mydomain.tld in my validated .csr, .key & .crt files which are now mapped in httpd.conf and Ive deleted all traces of OLDTEST certs.

Im on Linux RHEL 5 running apache 2.2.3 w/ tomcat7
every time I startup services and goto browse https:// I ONLY get the OLDTEST cert

GOAL::
what am I missing to FLUSH OLDTEST and fully exclusively register NEWLIVE cert THX
0
JAaron Anderson
Asked:
JAaron Anderson
  • 10
  • 4
  • 2
  • +1
1 Solution
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
mod_ssl I think cached my previous cert OLDTEST perhaps somehow :(
0
 
PapertripCommented:
Have you completely stopped httpd (and confirmed) and restarted since the change?  This generally isn't necessary but I have to ask.
0
 
arnoldCommented:
Adding to the above, you mentioned you restart the service which should cover the earlier comment.
Make sure the ssl.conf you think is being used the right one
I.e. the virtualhosts entry that responds to the access has to be dentifies as that s where the certificate is.
If you have a load balancer, make sure the ssl connection does not terminate there as that is where the certificate is.  If you have a reverse proxy setup, than that is where the certificate is.
lsof -i:443 to see if the local server is listening for the connections and if it is it will tell you whether httpd or squid.
Etc.
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
ahoffmannCommented:
> ... goto browse https:// I ONLY get the OLDTEST cert
can you please check you logfiles if this request really receives your new server (even virtualhost instance)
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
>>completely stopped httpd
service httpd stop
/usr/shared/tomcat7/bin/shutdown.sh
>> confirmed
yes I cant browse to the web solution tomcat/catalina     decompile   from my deployed package
>>restart httpd
service httpd start
/usr/shared/tomcat7/bin/startup.sh
>>lsof -i:443
      all I get is my cursor returned
>>If you have a reverse proxy setup, than that is where the certificate is.
      not sure how to confirm this

..................................

so you all got me thinking
I did a
# which openssl
it gives me :
/usr/bin/openssl
... this is not a directory but led me to find openssl.conf
 grep -i -r "openssl.conf" /usr/bin/
but it must be a binary I cant vi into it :(

is there other configs (other than blatant httpd) I should try to see if the artifact to OLDTEST cert is where the config rests and is being read in before my httpd mappings ?

thanks ahoffmann & arnold & Papertrip
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
>>can you please check you logfiles if this request really receives your new server
how would I tell ?
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
I can tail /var/log/secure ... is that the log you want me to investigate ?
0
 
ahoffmannCommented:
> ... is that the log
I can't know ('cause no crystal ball handy :-)
you need to check your configuration for the path and filename of your access and error log
it may be something like
  /var/log/http*log
or
  /var/log/httpd/*log
or
  /var/log/apache/*log
or
  /var/log/apache2/*log
0
 
arnoldCommented:
first check whether the web server is actually listening on the secure port
lsof -i:443
if it does, it should tell you what user apache/httpd/squid.
Once you have that information you have to look at the apache configuration.
You have not included the Linux OS that you have Debian, ubuntu, RedHat/Centos, SUSE, etc. which is why ahoffmann provided the variations of where an apache log might be.
 /etc/httpd/conf/httpd.conf
/etc/apache2/conf/httpd.conf
without knowing which version of apache you are running, you may have /etc/apache/conf/httpd.conf

The problem I think is that you replaced the .crt file where you think it was being loaded from, but may have actually only replaced copies with the ones currently in use are in /etc/<VARIABLE see Prior>/conf.d/ssl.conf
it may refer to the certificates as being stored in /etc/pki/tls/certs (redHat/Centos).
The prior admin or whoever originally set it up, may have altered the location from which the certificates/keys will be loaded.

There is no quick answer I can give, i.e. look here.
You have to go on a treasure hunt to track down the information where the change needs to be made.
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
btw
# rpm -qa openssl
openssl-0.9.8e-12.el5_5.7
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
RedHat RHEL 5
I figured Id try to uninstall thru yum and reinstall ?
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
>>replaced copies
whole new hostname...
whole new file set including new Trusted Root and different CA this time too :D
I have already did a rm -Rf on all old certs I new were associated with the earlier OLDTEST keystore in fact I now only have linked /etc/httpd/conf/httpd.conf to the NEWLIVE .key, .crt files now placed only in  /usr/lib/jvm/jre-1.6.0-openjdk/bin/java

perhaps theres a way to associate the -trustedcacerts command in keytool via openssl ?
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
I found
/usr/lib/jvm/jre-1.6.0-openjdk/bin/java/httpd

vi error_log
[notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[notice] caught SIGTERM, shutting down
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
?
!!!!!! and BINGO pinpointed error !!!!!!!!!
vi MycustomJava_error_log  ##capturing all exceptions thrown
[client my.ip.add.ress ] client denied by server configuration: /usr/share/tomcat7/webapps/
 [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) `OLDTEST.MyDomain.tld' does NOT match server name!?
0
 
arnoldCommented:
OK, so your tomcat/catalina was the SSL server.
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
>>OK, so your tomcat/catalina was the SSL server.
how do I know ?

... I used keytool (for native to tomcat) and that isnt where the native OpenSSL/Apache error stems from ?...

/etc/httpd/conf/httpd.conf

        DocumentRoot /usr/share/tomcat7/webapps
        ServerName hostname.widener.edu
        ServerAdmin admin@widener.edu
        ErrorLog /etc/httpd/logs/WPCSssl_error_log
        TransferLog /etc/httpd/logs/WPCSssl_access_log
        SSLEngine On
        SSLCertificateFile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/my_intermediate.crt
        SSLCertificateKeyfile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/MY2048.key
        SSLCertificateChainFile /usr/lib/jvm/jre-1.6.0-openjdk/lib/security/CertificateAuthority.crt
        RewriteCond %{HTTP_HOST} !^hostname\.widener\.edu$ [NC,OR]
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^.*$ https://hostname.widener.edu%{REQUEST_URI} [L,R]

... THUS apache I believe is driving some of all this...

but if it is Tomcat where do I check for its " cert caching" ?
0
 
arnoldCommented:
It is not caching, that is the information in the java store.
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

I thought you said that you do not have anything listening on port 443
lsof -i:443 (you have to have elevated rights to run this command)

using the keytool you would need to import the new cert into the store.


http://www.agentbob.info/agentbob/79-AB.html
openssl options to convert key/certificate formats
http://www.openssl.org/support/faq.html
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
just simply missed /etc/<VARIABLE see Prior>/conf.d/ssl.conf

viola
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 10
  • 4
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now