LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 09-17-2009, 01:13 PM   #1
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 348

Rep: Reputation: 31
lighttpd + ssl: can't seem to update my server-side certificates


Hi all,

I have a webserver running lighttpd. At one point, SSL was working fine, but the server-side certificates issued by CAcert have expired, and I am having trouble updating them.

First, I created a new .csr key:
Code:
openssl req -nodes -new -keyout venus.key -out venus.csr
I pasted the contents of the .csr file in the input field at ca-cert.org. The output I pasted into <s>venus.csr</s> venus.crt.

To create the pem file, I ran:
Code:
cat venus.key venus.crt > venus.pem
Contents of /etc/ssl/certs is now:
Code:
-rw-r--r--  1 root  colin  1522 Sep 17 18:37 venus.crt
-rw-r--r--  1 root  wheel   651 Sep 17 18:34 venus.csr
-rw-r--r--  1 root  wheel   887 Sep 17 18:34 venus.key
-rw-r--r--  1 root  wheel  2409 Sep 17 18:54 venus.pem
I restart lighttpd.

However, when I try to access my server via https, it keeps returning an error message:
Quote:
This Connection is Untrusted
Technical Details

myserver uses an invalid security certificate.

The certificate expired on 10/30/2008 10:56 PM.

(Error code: sec_error_expired_certificate)
For some reason, lighttpd is still reading an older certificate.

For the sake of completeness, here are the relevant snippets from lighttpd.conf:
Code:
$SERVER["socket"] == ":443" {
ssl.engine                  = "enable"
ssl.pemfile                 = "/etc/ssl/certs/venus.pem"
ssl.ca-file                 = "/etc/ssl/certs/venus.crt"
server.name                 = "myserver"
}
I seem to be missing a step somewhere. Any ideas?

Thanks.

Last edited by Kropotkin; 09-17-2009 at 07:01 PM.
 
Old 09-17-2009, 02:09 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by Kropotkin
First, I created a new .csr key:
Code:
openssl req -nodes -new -keyout venus.key -out venus.csr
I pasted the contents of the .csr file in the input field at ca-cert.org. The output I pasted into venus.csr.
Eh, is that a typo? You should have pasted the contents of the cert you were issued into venus.crt.
 
Old 09-17-2009, 02:21 PM   #3
grepmasterd
Member
 
Registered: Aug 2003
Location: Seattle
Distribution: ubuntu, lately
Posts: 182
Blog Entries: 1

Rep: Reputation: 35
what I would do:

from the client try (assuming 'venus' is your server name)

Code:
wget --no-check-certificate --save-headers https://venus/ -O tmp.html
check the header section of tmp.html to verify that lighttpd is the server offering the content.

to view the certificate that lighttpd is offering:

Code:
openssl s_client -showcerts -connect venus:443
compare the certificate here with your old and new certs (eg, venus.crt)

if you can verify that it is in fact the old cert, and that lighttpd is in fact the service offering the certificate, then yes, lighttpd is reading the cert from another location. if you're stumped about where that other cert is located then try running lighttpd in the foreground (not as daemon) with strace

Code:
sudo strace lighttpd <debug options> 2> lighttpd.strace
the output of strace (lighttpd.strace) should show you what files are opened when lighttpd is started -- parse through it to find the cert files it is reading.
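As an added example (my own script, not code from the thread, from CAcert or from lighttpd), the following walks the procedure from the first post and the comparison suggested in this reply end to end, offline: it generates the key and CSR with a restrictive umask, stands in for CAcert by self-signing the CSR, confirms that the returned certificate carries the public key of venus.key, assembles the pemfile, checks its permissions and expiry, and then compares the SHA-256 fingerprint of the certificate a server presents (here a constructed, s_client-style blob) with the file on disk. The hostname venus.example, the scratch directory, the 2048-bit key size, the self-signed stand-in for the CA and the "old" certificate with a different serial are all assumptions made so the script runs without a network; it needs only the openssl CLI, awk and find.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes only the openssl CLI,
# awk and find are on PATH. Every file is created in a scratch directory,
# and the CA step is simulated by self-signing, so it runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: key + CSR as in the original post, but with an explicit key size
# and a umask so the key is never world-readable (the listing in the
# thread shows venus.key as 0644, readable by everyone on the box).
gen_key_and_csr() {
    (umask 077
     openssl req -nodes -new -newkey rsa:2048 -subj "/CN=venus.example" \
         -keyout "$WORK/venus.key" -out "$WORK/venus.csr" 2>/dev/null)
}

# Stand-in for the CA: CAcert would return a certificate for the CSR. Here
# the CSR is self-signed with the same key so there is no network
# dependency. A second cert with a different serial plays the "old" cert.
issue_cert() {
    openssl x509 -req -in "$WORK/venus.csr" -signkey "$WORK/venus.key" \
        -days 365 -set_serial 2 -out "$WORK/venus.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/venus.csr" -signkey "$WORK/venus.key" \
        -days 365 -set_serial 1 -out "$WORK/old.crt" 2>/dev/null
}

# Check 1: the cert you were issued must carry the public key of the
# private key you are about to concatenate it with; a pemfile that pairs
# a key with the wrong cert is the other classic cause of a broken HTTPS.
key_matches_cert() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256)
    key_pub=$(openssl pkey -pubout -in "$2" | openssl dgst -sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# Step 2: build the pemfile, key first then cert, with the same strict mode.
build_pem() {
    (umask 077; cat "$WORK/venus.key" "$WORK/venus.crt" > "$WORK/venus.pem")
}

# Check 2: no group/other read bit on a file that holds a private key.
file_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Check 3: the cert in the pemfile is still valid $2 seconds from now.
# openssl x509 skips the PRIVATE KEY block and reads the first CERTIFICATE.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# Constructed stand-in for 'openssl s_client -showcerts -connect venus:443'
# output: a few header lines, then the PEM block the server presented.
fake_sclient_output() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' ' 0 s:CN = venus.example'
    cat "$1"
    printf '%s\n' '---' 'Server certificate'
}

# Check 4 (the comparison suggested in this post): pull the first cert out
# of s_client output on stdin and compare its SHA-256 fingerprint with the
# file you believe the server is using. Run this after every restart.
served_cert_matches() {
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$1")
    got=$(awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print}
               /-----END CERTIFICATE-----/{exit}' \
          | openssl x509 -noout -fingerprint -sha256)
    [ "$want" = "$got" ]
}

# Walk through the whole procedure once.
demo() {
    gen_key_and_csr
    issue_cert
    key_matches_cert "$WORK/venus.crt" "$WORK/venus.key"
    build_pem
    file_is_private "$WORK/venus.key"
    file_is_private "$WORK/venus.pem"
    cert_valid_for "$WORK/venus.pem" 86400
    # New cert served: match. Old cert still served: the mismatch is the
    # symptom from the thread ("lighttpd is still reading an older certificate").
    fake_sclient_output "$WORK/venus.crt" | served_cert_matches "$WORK/venus.crt"
    if fake_sclient_output "$WORK/old.crt" | served_cert_matches "$WORK/venus.crt"; then
        echo "unexpected: old cert matched the new file" >&2
        return 1
    fi
    echo "all checks passed"
}

demo
```

Against a live server, feed the function real output instead of the constructed blob: openssl s_client -showcerts -connect venus:443 </dev/null | served_cert_matches /etc/ssl/certs/venus.pem. If it still reports the old certificate after a restart, lighttpd's own -D flag keeps it in the foreground and -f names the config file, so strace -f lighttpd -D -f /etc/lighttpd/lighttpd.conf shows which file is actually opened, and lighttpd -p -f /etc/lighttpd/lighttpd.conf prints the parsed configuration so you can confirm which ssl.pemfile the running config resolves to (those three lighttpd flags are stated from memory of the lighttpd manual, not from this thread). Note also that ssl.ca-file is meant for the issuing chain that clients need to validate the server certificate, not for the server's own venus.crt.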
 
Old 09-17-2009, 07:00 PM   #4
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 348

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by anomie View Post
Eh, is that a typo? You should have pasted the contents of the cert you were issued into venus.crt.
sorry, it was a typo.
 
Old 09-19-2009, 08:32 AM   #5
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 348

Original Poster
Rep: Reputation: 31
Thanks everyone for the suggestions.

I solved the problem: for some reason, the way I was restarting lighttpd wasn't causing it to reload its settings. When I killed it to run it with strace, then restarted it, it read the new certificate correctly. At the moment, I can't, alas, duplicate what I had been doing wrong.
 
Tags
certificate, lighttpd, ssl, webserver