Apache quits. Certificate expired? No!
I have apache 2.2.3. It's been running for a couple of years on Scientific Linux, currently 5.5. Yesterday it stopped running. The error message says
Certificate not verified: 'Server-Cert'
SSL Library Error: -8181 Certificate has expired
Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

I followed that suggestion, and it started up OK. Now I want to figure out why it happened. The obvious thing to check is the expiration date of the server certificate. It's a proper one purchased from comodo.com, and it has more than a year of life. I don't know where else to look.

When I started to dig into things I got very confused. Both mod_nss and mod_ssl are installed. They do almost the same thing. Could that cause problems? Why would it go bad suddenly when I haven't changed anything recently?
|
Code:
# openssl x509 -text -in server.crt
|
I checked the certificate again. It's good to September 2012. The cert information displayed by a https web page agrees.
Why both ssl and nss? Until yesterday I had never heard of nss. I think it's there because it was installed as part of the standard set of packages. I don't know what would break if I removed it. Also I don't know if it's causing a problem. As I said, I haven't messed with these things for months.
|
After thinking about it for a while, I was able to determine that the error messages were coming from mod_nss. It's the only thing that uses the string "Server-Cert". Some digging then showed that nothing seems to use mod_nss. Then I found the command "certutil -d /etc/httpd/alias -L -n Server-Cert", which showed that the dummy certificate used by mod_nss expired on May 24. That settled this issue for me, so I removed mod_nss.
|
If this is Red Hat 5 or a clone, the issue is that the mod_nss rpm creates the necessary certificates and they are set to expire at some point. To fix, remove and reinstall the mod_nss rpm.
|
Ya, it's CentOS... but is it not OK even if the nss is not there? Or do I need to install it again?
|
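The thread turned on two different certificates: the purchased one inspected with openssl, and the mod_nss "Server-Cert" inspected with certutil. As an added example (not code from any poster), this Python script classifies validity from the text output of either command; the sample outputs, their dates and times, and all function names are constructed for illustration.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Validity lines as printed by `certutil -L -n` and `openssl x509 -text` (both in GMT).
_VALIDITY = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.M)
_FORMATS = ("%a %b %d %H:%M:%S %Y",  # certutil: Tue May 24 10:15:42 2011
            "%b %d %H:%M:%S %Y")     # openssl:  May 24 10:15:42 2011 GMT

def _parse_time(stamp):
    stamp = re.sub(r"\s+GMT$", "", stamp)
    for fmt in _FORMATS:
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised time: %r" % stamp)

def parse_validity(text):
    """Return (not_before, not_after) for the first certificate in `text`."""
    found = {}
    for kind, stamp in _VALIDITY.findall(text):
        found.setdefault(kind, _parse_time(stamp))
    if len(found) != 2:
        raise ValueError("no complete validity period in input")
    return found["Before"], found["After"]

def cert_status(text, now, warn_days=30):
    """Classify as 'not-yet-valid', 'expired', 'expiring' or 'ok' at `now` (UTC)."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

def check_nss_nickname(db_dir, nickname, now=None):
    """Run the certutil command quoted in the thread and classify its output."""
    out = subprocess.run(["certutil", "-d", db_dir, "-L", "-n", nickname],
                         capture_output=True, text=True, check=True).stdout
    return cert_status(out, now or datetime.now(timezone.utc).replace(tzinfo=None))

# Constructed sample validity lines (years, days and times are assumptions).
SAMPLE_NSS = ("            Not Before: Wed May 24 10:15:42 2006\n"
              "            Not After : Tue May 24 10:15:42 2011\n")
SAMPLE_OPENSSL = ("            Not Before: Sep 15 00:00:00 2010 GMT\n"
                  "            Not After : Sep 15 23:59:59 2012 GMT\n")
```

On a host with certutil installed, `check_nss_nickname("/etc/httpd/alias", "Server-Cert")` applies the same classification to the live database named in the thread.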