LinuxQuestions.org, Linux - Security forum
lighttpd + ssl: can't seem to update my server-side certificates (https://www.linuxquestions.org/questions/linux-security-4/lighttpd-ssl-cant-seem-to-update-my-server-side-certificates-755960/)

Kropotkin 09-17-2009 12:13 PM

lighttpd + ssl: can't seem to update my server-side certificates
 
Hi all,

I have a webserver running lighttpd. At one point, SSL was working fine, but the server-side certificates issued by CA-cert have expired, and I am having trouble updating them.

First, I created a new .csr key:
Code:

openssl req -nodes -new -keyout venus.key -out venus.csr

I pasted the contents of the .csr file in the input field at ca-cert.org. The output I pasted into venus.crt.

To create the pem file, I ran:
Code:

cat venus.key venus.crt > venus.pem

Contents of /etc/ssl/certs is now:
Code:

-rw-r--r--  1 root  colin  1522 Sep 17 18:37 venus.crt
-rw-r--r--  1 root  wheel  651 Sep 17 18:34 venus.csr
-rw-r--r--  1 root  wheel  887 Sep 17 18:34 venus.key
-rw-r--r--  1 root  wheel  2409 Sep 17 18:54 venus.pem

I restart lighttpd.

However, when I try to access my server via https, it keeps returning an error message:
Quote:

This Connection is Untrusted
Technical Details

myserver uses an invalid security certificate.

The certificate expired on 10/30/2008 10:56 PM.

(Error code: sec_error_expired_certificate)

For some reason, lighttpd is still reading an older certificate.

For the sake of completeness, here are the relevant snippets from lighttpd.conf:
Code:

$SERVER["socket"] == ":443" {
    ssl.engine     = "enable"
    ssl.pemfile    = "/etc/ssl/certs/venus.pem"
    ssl.ca-file    = "/etc/ssl/certs/venus.crt"
    server.name    = "myserver"
}

I seem to be missing a step somewhere. Any ideas?

Thanks.

anomie 09-17-2009 01:09 PM

Quote:

Originally Posted by Kropotkin
First, I created a new .csr key:
Code:

openssl req -nodes -new -keyout venus.key -out venus.csr

I pasted the contents of the .csr file in the input field at ca-cert.org. The output I pasted into venus.csr.

Eh, is that a typo? You should have pasted the contents of the cert you were issued into venus.crt.

grepmasterd 09-17-2009 01:21 PM

what I would do:

from the client try (assuming 'venus' is your server name)

Code:

wget --no-check-certificate --save-headers https://venus/ -O tmp.html

check the header section of tmp.html to verify that lighttpd is the server offering the content.

to view the certificate that lighttpd is offering:

Code:

openssl s_client -showcerts -connect venus:443

compare the certificate here with your old and new certs (e.g., venus.crt)

if you can verify that it is in fact the old cert, and that lighttpd is in fact the service offering the certificate, then yes, lighttpd is reading the cert from another location. if you're stumped about where that other cert is located, then try running lighttpd in the foreground (not as a daemon) with strace:

Code:

sudo strace lighttpd <debug options> 2> lighttpd.strace

the output of strace (lighttpd.strace) should show you what files are opened when lighttpd is started -- parse through it to find the cert files it is reading.
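
The checks grepmasterd describes (compare what the server actually serves with venus.crt) together with a sanity check of the venus.pem bundle from the original post, written out as an added Python script. It is not from the thread or from lighttpd; the host name "venus" and the file paths are assumptions. It compares SHA-256 fingerprints instead of eyeballing s_client output, so an old cert still being served shows up as a mismatch.

```python
import base64
import hashlib
import re
import socket
import ssl

# One PEM block: label plus base64 body (backreference keeps BEGIN/END paired)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl x509 prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_bundle(pem_text, crt_text):
    """Does venus.pem hold a private key plus the certificate from venus.crt?"""
    blocks = pem_blocks(pem_text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    wanted = [der for label, der in pem_blocks(crt_text) if label == "CERTIFICATE"]
    return {
        "has_key": any(label.endswith("PRIVATE KEY") for label, _ in blocks),
        "has_cert": bool(certs),
        "cert_matches_crt": bool(wanted) and wanted[0] in certs,
    }


def served_cert_der(host, port=443):
    """Fetch the leaf cert the server sends. Verification is off on purpose:
    the point is to inspect a cert that may be expired or simply the wrong one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def served_matches_file(host, crt_text, port=443):
    """True if the served leaf cert has the same fingerprint as venus.crt."""
    local = [der for label, der in pem_blocks(crt_text) if label == "CERTIFICATE"]
    return bool(local) and fingerprint(served_cert_der(host, port)) == fingerprint(local[0])
```

Run it on the real files with something like `check_bundle(open("/etc/ssl/certs/venus.pem").read(), open("/etc/ssl/certs/venus.crt").read())` and `served_matches_file("venus", open("/etc/ssl/certs/venus.crt").read())`; a False on the second call while the bundle checks out is exactly the "still serving the old cert" case in this thread.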

Kropotkin 09-17-2009 06:00 PM

Quote:

Originally Posted by anomie (Post 3687305)
Eh, is that a typo? You should have pasted the contents of the cert you were issued into venus.crt.

sorry, it was a typo.

Kropotkin 09-19-2009 07:32 AM

Thanks everyone for the suggestions.

I solved the problem: for some reason, the way I was restarting lighttpd wasn't causing it to reload its settings. When I killed it to run it with strace, then restarted it, it read the new certificate correctly. At the moment, alas, I can't duplicate what I had been doing wrong.
