Restore your old config from backup? Get you back up and running?
On Wed, Nov 27, 2013 at 3:42 PM, Bill Thoen <[email protected]> wrote:

> On 11/26/2013 04:33 PM, Russell Johnson wrote:
> > On Nov 26, 2013, at 3:03 PM, Bill Thoen <[email protected]> wrote:
> >
> >> Yesterday and today I received this notice:
> >>
> >> ################# SSL Certificate Warning ################
> >>
> >> Certificate for hostname 'server.gisnet.com', in file (or by nickname):
> >> /etc/pki/tls/certs/localhost.crt
> >>
> >> The certificate needs to be renewed; this can be done
> >> using the 'genkey' program.
> >>
> >> Browsers will not be able to correctly connect to this
> >> web site using SSL until the certificate is renewed.
> >>
> >> ##########################################################
> >> Generated by certwatch(1)
> >>
> >>
> >> I have no clue what to do about this, so I went to Google and asked the
> >> planetary brain for guidance. I must not have asked the question carefully
> >> enough, because I didn't get much of an answer. I did get a Googlet that
> >> told me that this was from root on my server, and it's telling me to replace
> >> or renew the certificate on my server so that it won't block people browsing
> >> my site.
> >>
> >> Now I'm stuck. I've run out of knowledge. I have only a vague
> >> understanding of certificates and I don't know which kind of cert I need
> >> or which renew command to use. Could someone help me choose the right
> >> option to use for genkey and give that notice what it wants to see?
> >
> > If this is a self-signed cert, you need to generate a new one. This can
> > be done with the original cert request, or a new one if you don't have the
> > old one. The steps are outlined here:
> > http://www.akadia.com/services/ssh_test_certificate.html
> >
> > If this is not a self-signed cert, then you will need to renew it with
> > the certificate authority that you received the cert from originally, or a
> > new authority.
> >
> > To display the cert details, which should tell you if it's self signed
> > or not, use the following cheat sheet, in the "Display certificate
> > information" section.
> >
> > http://wiki.samat.org/CheatSheet/OpenSSL
> >
> > (e.g. openssl x509 -in /etc/pki/tls/certs/localhost.crt -noout -text)
> >
> > I'm not an expert by any stretch of the imagination. If there are errors
> > in my steps, others please feel free to correct me.
> >
> > Russell Johnson
> > [email protected]
>
> Well thanks for the help. I followed the steps up to step 5 in the
> akadia.com URL, and everything seemed to work, but when I restarted
> httpd, I saw those dreaded 6 letters in red, "FAILED" and no other news.
> I stopped at step 5 because I don't have any virtual hosts now, and I
> didn't have SSLEngine software installed or enabled. A "file not found"
> issue.
>
> I'm running CentOS 5.5 and everything is up to date as far as CentOS is
> concerned. I had someone else who knows Linux way better than I set this
> system up, and I just focused on applications and building up new
> capabilities, and he took care of the fiddly bits below the surface.
> But he is unavailable this week, so I'm on my own. I don't know what
> sort of certificate I need but I guess it's probably the self signed
> kind. Whatever it needs. I was hoping that the notice I posted would
> tell you, but I guess it doesn't, so right now I've achieved in one day
> what that notice threatened to do 27 days from now. I've killed my
> httpd process and it won't start. Does the following info reveal what's
> wrong? I really would like to get web service running again. If anyone
> can help, even just to point the way, I'd appreciate it.
>
> The /var/log/httpd/error_log is now saying only this:
> [Wed Nov 27 11:42:14 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> [Wed Nov 27 11:42:14 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>
>
> sestatus contains:
>
> SELinux status:            enabled
> SELinuxfs mount:           /selinux
> Current mode:              permissive
> Mode from config file:     permissive
> Policy version:            24
> Policy from config file:   targeted
>
> The /etc/selinux config says:
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #   enforcing - SELinux security policy is enforced.
> #   permissive - SELinux prints warnings instead of enforcing.
> #   disabled - No SELinux policy is loaded.
> SELINUX=permissive
> # SELINUXTYPE= can take one of these two values:
> #   targeted - Targeted processes are protected,
> #   mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
> And here's the certificate I created:
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number:
>             f0:26:0b:14:24:4e:e3:de
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, ST=Colorado, L=Boulder, O=GISnet, CN=www.gisnet.com/[email protected]
>         Validity
>             Not Before: Nov 27 18:38:59 2013 GMT
>             Not After : Nov 27 18:38:59 2014 GMT
>         Subject: C=US, ST=Colorado, L=Boulder, O=GISnet, CN=www.gisnet.com/[email protected]
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (1024 bit)
>                 Modulus:
>                     00:c6:ef:ec:16:4a:07:3b:6f:ec:37:75:f8:17:9a:
>                     0a:7c:3f:4d:7f:43:2d:e2:89:71:a3:7d:8d:37:6c:
>                     79:ee:49:8f:0a:f1:19:06:a7:4a:9e:9b:39:5f:a2:
>                     6f:21:9d:d4:24:c4:12:6f:8d:1f:b9:1a:8b:17:1c:
>                     09:00:8c:cc:fc:69:d7:11:d2:18:a5:c5:29:20:d9:
>                     a7:21:b9:cb:cd:2c:27:36:8f:22:0d:ba:ce:87:a8:
>                     1a:c3:f0:fa:0d:89:4c:c8:7f:05:a4:9d:19:04:fa:
>                     7f:c8:c2:b3:c3:a5:e3:31:e1:fc:76:bf:19:ee:49:
>                     41:61:6c:08:c8:5a:07:f7:25
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: sha1WithRSAEncryption
>         2c:df:14:f7:f4:38:d2:5e:7a:54:34:cc:4f:e9:94:f7:61:18:
>         8f:e7:67:3c:78:52:04:7f:2f:fb:b4:05:8c:56:c8:d8:67:a1:
>         61:88:64:2a:a4:c3:61:21:37:7c:13:8a:e8:f4:74:06:93:30:
>         67:1a:34:bb:d9:a9:fb:ff:91:b7:f2:25:04:17:4b:61:d5:84:
>         db:70:5a:f6:e9:dd:d8:bc:26:ba:ba:97:43:95:d1:3d:f1:2f:
>         69:f9:71:9a:e5:d0:60:1c:34:d7:06:63:0f:a0:fb:80:10:e2:
>         49:fb:3d:5c:44:25:ff:df:37:93:24:cd:3b:4e:7b:db:48:ca:
>         b2:14
>
> The httpd failed just as soon as I updated the certification.
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug
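
The thread turns on whether the certificate is self-signed, when it expires, and on httpd refusing to start after the certificate file was replaced. The script below is an added example, not part of the thread or of any tool it mentions: it runs those checks on a certificate and key pair before a restart. The function names are hypothetical, it assumes an unencrypted RSA key, and the key path is whatever your SSL configuration points to.

```shell
#!/bin/sh
# Added example: checks to run on a replacement certificate before
# restarting httpd. Function names are hypothetical.

# Exit 0 when issuer and subject names are identical (a self-signed cert
# is its own issuer). Compares name hashes, not the signature itself.
cert_is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$s" = "$i" ]
}

# Exit 0 when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 when the RSA private key in $2 belongs to the certificate in $1.
# Assumes an unencrypted RSA key; an encrypted key prompts for a passphrase.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus) || return 2
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Print a short report; non-zero return means do not deploy this pair.
precheck() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 ||
        { echo "FAIL: cannot parse certificate $1"; return 2; }
    rc=0
    if cert_is_self_issued "$1"; then
        echo "issuer: self-signed (issuer = subject), regenerate locally"
    else
        echo "issuer: signed by a CA, renew with that CA"
    fi
    openssl x509 -in "$1" -noout -subject -enddate
    cert_valid_for_days "$1" 30 || { echo "WARN: expires within 30 days"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    return $rc
}

# Usage: sh precheck.sh CERT KEY
if [ "$#" -eq 2 ]; then precheck "$1" "$2"; fi
```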
