On 11/26/2013 04:33 PM, Russell Johnson wrote:
> On Nov 26, 2013, at 3:03 PM, Bill Thoen <[email protected]> wrote:
>
>> Yesterday and today I received this notice:
>>
>>   ################# SSL Certificate Warning ################
>>
>>    Certificate for hostname 'server.gisnet.com', in file (or by nickname):
>>       /etc/pki/tls/certs/localhost.crt
>>
>>    The certificate needs to be renewed; this can be done
>>    using the 'genkey' program.
>>
>>    Browsers will not be able to correctly connect to this
>>    web site using SSL until the certificate is renewed.
>>
>>   ##########################################################
>>                                    Generated by certwatch(1)
>>
>>
>> I have no clue what to do about this, so I went to Google and asked the 
>> planetary brain for guidance. I must not have asked the question carefully 
>> enough, because I didn't get much of an answer. I did get a Googlet that 
>> told me that this was from root on my server, and it's telling me to replace or 
>> renew the certificate on my server so that it won't block people browsing my 
>> site.
>>
>> Now I'm stuck. I've run out of knowledge. I have only a vague understanding 
>> of certificates and I don't know which kind of cert I need or which renew 
>> command to use. Could someone help me choose the right option to use for 
>> genkey and give that notice what it wants to see?
> If this is a self-signed cert, you need to generate a new one. This can be 
> done with the original cert request, or a new one if you don't have the old 
> one. The steps are outlined 
> here: http://www.akadia.com/services/ssh_test_certificate.html
>
> If this is not a self-signed cert, then you will need to renew it with the 
> certificate authority that you received the cert from originally, or a new 
> authority.
>
> To display the cert details, which should tell you if it's self signed or 
> not, use the following cheat sheet, in the "Display certificate information" 
> section.
>
> http://wiki.samat.org/CheatSheet/OpenSSL
>
> (e.g. openssl x509 -in /etc/pki/tls/certs/localhost.crt -noout -text)
>
> I'm not an expert by any stretch of the imagination. If there are errors in 
> my steps, others please feel free to correct me.
>
> Russell Johnson
> [email protected]
Well thanks for the help. I followed the steps up to step 5 in the 
akadia.com URL, and everything seemed to work, but when I restarted 
httpd, I saw those dreaded six letters in red, "FAILED", and no other news. 
I stopped at step 5 because I don't have any virtual hosts now, and I 
didn't have SSLEngine software installed or enabled. A "file not found" 
issue.

I'm running CentOS 5.5 and everything is up to date as far as CentOS is 
concerned. I had someone else who knows Linux way better than I set this 
system up, and I just focused on applications and building up new 
capabilities, and he took care of the fiddly bits below the surface. 
But he is unavailable this week, so I'm on my own. I don't know what 
sort of certificate I need but I guess it's probably the self-signed 
kind. Whatever it needs. I was hoping that the notice I posted would 
tell you, but I guess it doesn't, so right now I've achieved in one day 
what that notice threatened to do 27 days from now. I've killed my 
httpd process and it won't start. Does the following info reveal what's 
wrong? I really would like to get web service running again. If anyone 
can help, even just to point the way, I'd appreciate it.

The /var/log/httpd/error_log is now saying only this:
[Wed Nov 27 11:42:14 2013] [notice] SELinux policy enabled; httpd 
running as context unconfined_u:system_r:httpd_t:s0
[Wed Nov 27 11:42:14 2013] [notice] suEXEC mechanism enabled (wrapper: 
/usr/sbin/suexec)


sestatus contains:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

The /etc/selinux config says:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

And here's the certificate I created:
Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number:
             f0:26:0b:14:24:4e:e3:de
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=US, ST=Colorado, L=Boulder, O=GISnet, CN=www.gisnet.com/[email protected]
         Validity
             Not Before: Nov 27 18:38:59 2013 GMT
             Not After : Nov 27 18:38:59 2014 GMT
         Subject: C=US, ST=Colorado, L=Boulder, O=GISnet, CN=www.gisnet.com/[email protected]
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
                     00:c6:ef:ec:16:4a:07:3b:6f:ec:37:75:f8:17:9a:
                     0a:7c:3f:4d:7f:43:2d:e2:89:71:a3:7d:8d:37:6c:
                     79:ee:49:8f:0a:f1:19:06:a7:4a:9e:9b:39:5f:a2:
                     6f:21:9d:d4:24:c4:12:6f:8d:1f:b9:1a:8b:17:1c:
                     09:00:8c:cc:fc:69:d7:11:d2:18:a5:c5:29:20:d9:
                     a7:21:b9:cb:cd:2c:27:36:8f:22:0d:ba:ce:87:a8:
                     1a:c3:f0:fa:0d:89:4c:c8:7f:05:a4:9d:19:04:fa:
                     7f:c8:c2:b3:c3:a5:e3:31:e1:fc:76:bf:19:ee:49:
                     41:61:6c:08:c8:5a:07:f7:25
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha1WithRSAEncryption
         2c:df:14:f7:f4:38:d2:5e:7a:54:34:cc:4f:e9:94:f7:61:18:
         8f:e7:67:3c:78:52:04:7f:2f:fb:b4:05:8c:56:c8:d8:67:a1:
         61:88:64:2a:a4:c3:61:21:37:7c:13:8a:e8:f4:74:06:93:30:
         67:1a:34:bb:d9:a9:fb:ff:91:b7:f2:25:04:17:4b:61:d5:84:
         db:70:5a:f6:e9:dd:d8:bc:26:ba:ba:97:43:95:d1:3d:f1:2f:
         69:f9:71:9a:e5:d0:60:1c:34:d7:06:63:0f:a0:fb:80:10:e2:
         49:fb:3d:5c:44:25:ff:df:37:93:24:cd:3b:4e:7b:db:48:ca:
         b2:14

The httpd failed just as soon as I updated the certification.
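The checks Russell points at, written out as a small POSIX shell script. This is an added example, not code from either poster, from genkey or from the akadia.com page; it assumes the openssl command-line tool is installed, and the hostnames, validity periods and scratch directory are made up for the demonstration. It generates a throwaway self-signed certificate the way the akadia steps would (but with 2048-bit RSA and SHA-256 rather than the 1024-bit SHA-1 parameters visible in the certificate above), then answers the questions this thread raises: is the certificate self-signed, does the key on disk belong to it, is it close enough to expiry for certwatch to complain, and does its CN match the hostname browsers will use. The last check is included because the certwatch notice names server.gisnet.com while the new certificate carries CN=www.gisnet.com.

```shell
#!/bin/sh
# Added example for this thread, not from either poster. Assumes the openssl
# command-line tool is installed; hostnames, validity periods and the scratch
# directory are made up for the demonstration.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a fresh RSA key and a self-signed certificate for HOST, valid for DAYS
# days, as $WORKDIR/HOST.key and $WORKDIR/HOST.crt. On CentOS the files that
# /etc/httpd/conf.d/ssl.conf points at by default are
# /etc/pki/tls/private/localhost.key and /etc/pki/tls/certs/localhost.crt.
make_selfsigned() {
    host="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/C=US/ST=Colorado/L=Boulder/O=GISnet/CN=$host" \
        -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.crt" >/dev/null 2>&1
}

# Exit 0 when the certificate is self-signed, i.e. its issuer name equals its
# subject name. Comparing the two name hashes avoids depending on the textual
# name layout, which differs between OpenSSL versions.
is_selfsigned() {
    crt="$1"
    [ "$(openssl x509 -in "$crt" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$crt" -noout -subject_hash)" ]
}

# Exit 0 when the private key belongs to the certificate (same RSA modulus).
# A new certificate installed next to an old key is a classic reason for
# mod_ssl to refuse to start.
key_matches_cert() {
    key="$1"; crt="$2"
    [ "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl dgst -sha256)" = \
      "$(openssl x509 -in "$crt" -noout -modulus | openssl dgst -sha256)" ]
}

# Exit 0 when the certificate expires within DAYS days, which is the condition
# certwatch warns about (it starts nagging about 30 days ahead, hence the
# "27 days from now" in the thread). -checkend exits nonzero when it will expire.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null
}

# Print the subject CN, handling both the older "/CN=name/emailAddress=..."
# and the newer "CN = name, ..." subject layouts.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Exit 0 when the CN is the hostname browsers will put in the URL.
cn_matches_host() {
    [ "$(cert_cn "$2")" = "$1" ]
}

# Demonstration: a one-year certificate for server.example.com passes every check.
make_selfsigned server.example.com 365
crt="$WORKDIR/server.example.com.crt"; key="$WORKDIR/server.example.com.key"
is_selfsigned "$crt"                      && echo "self-signed: yes"
key_matches_cert "$key" "$crt"            && echo "key matches certificate"
needs_renewal "$crt" 30                   || echo "not due for renewal within 30 days"
cn_matches_host server.example.com "$crt" && echo "CN matches hostname"
```

When httpd fails to start after a certificate change on CentOS, the reason is usually written to /var/log/httpd/ssl_error_log rather than error_log, because ssl.conf sets its own ErrorLog; `service httpd configtest` reports a file named by SSLCertificateFile or SSLCertificateKeyFile that does not exist without touching the running server, and `key_matches_cert` above catches the other common failure, a certificate and key that do not belong together.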
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug