lighttpd + ssl: can't seem to update my server-side certificates

Kropotkin · 09-17-2009, 01:13 PM

Hi all,

I have a webserver running lighttpd. At one point, SSL was working fine, but the server-side certificates issued by CA-cert have expired, and I am having trouble updating them.

First, I created a new .csr key:

Code:

openssl req -nodes -new -keyout venus.key -out venus.csr

I pasted the contents of the .csr file in the input field at ca-cert.org. The output I pasted into <s>venus.csr</s> venus.cst.

To create the pem file, I ran:

Code:

cat venus.key venus.crt > venus.pem

Contents of /etc/ssl/certs is now:

Code:

-rw-r--r--  1 root  colin  1522 Sep 17 18:37 venus.crt
-rw-r--r--  1 root  wheel   651 Sep 17 18:34 venus.csr
-rw-r--r--  1 root  wheel   887 Sep 17 18:34 venus.key
-rw-r--r--  1 root  wheel  2409 Sep 17 18:54 venus.pem

I restart lighttpd.

However, when I try to acess my server via https, it keeps returning an error message:

Quote:

This Connection is Untrusted
Technical Details

myserver uses an invalid security certificate.

The certificate expired on 10/30/2008 10:56 PM.

(Error code: sec_error_expired_certificate)

For some reason, lighttpd is still reading an older certificate.

For the sake of completeness, here are the relevents snippets from lighttpd.conf:

Code:

$SERVER["socket"] == ":443" {
ssl.engine                  = "enable"
ssl.pemfile                 = "/etc/ssl/certs/venus.pem"
ssl.ca-file                 = "/etc/ssl/certs/venus.crt"
server.name                 = "myserver"
}

I seem to be missing a step somewhere. Anything ideas?

Thanks.

anomie · 09-17-2009, 02:09 PM

Quote:

Originally Posted by Kropotkin

First, I created a new .csr key:

Code:

openssl req -nodes -new -keyout venus.key -out venus.csr

I pasted the contents of the .csr file in the input field at ca-cert.org. The output I pasted into venus.csr.

Eh, is that a typo? You should have pasted the contents of the cert you were issued into venus.crt.

grepmasterd · 09-17-2009, 02:21 PM

what I would do:

from the client try (assuming 'venus' is your server name)

Code:

wget --no-check-certificate --save-headers https://venus/ -O tmp.html

check the header section of tmp.html to verify that lightthpd is the server offering the content.

to view the certificate that lighttpd is offering:

Code:

openssl s_client -showcerts -connect venus:443

compare the certificate here with your old and new certs (eg, venus.crt)

if you can verify that it is in fact the old cert, and that lighttpd is in fact the service offering the certificate, then yes, lighttpd is reading the cert from another location. if you're stumped about where that other cert is located then try running lighttpd in the foreground (not as daemon) with strace

Code:

sudo strace lighttpd <debug options> 2> lighttpd.strace

the ouptut of strace (lighttpd.strace) should show you what files are opened when lighttpd is started -- parse throught it to find the cert files it is reading.

Kropotkin · 09-17-2009, 07:00 PM

Quote:

Originally Posted by anomie

Eh, is that a typo? You should have pasted the contents of the cert you were issued into venus.crt.

sorry, it was a typo.

Kropotkin · 09-19-2009, 08:32 AM

Thanks everyone for the suggestions.

I solved the problem: for some reason, the way I was restarting lighttpd wasn't causing it to reload its settings. When I killed it to run it was strace, then restarted it, it read the new certificate correctly. At the moment, I can't alas duplicate what I had been going wrong.