Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have apache 2.2.3. It's been running for a couple of years on Scientific Linux, currently 5.5. Yesterday it stopped running. The error message says
Certificate not verified: 'Server-Cert'
SSL Library Error: -8181 Certificate has expired
Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
I followed that suggestion, and it started up OK. Now I want to figure out why it happened.
The obvious thing to check is the expiration date of the server certificate. It's a proper one purchased from comodo.com, and it has more than a year of life. I don't know where else to look.
When I started to dig into things I got very confused. Both mod_nss and mod_ssl are installed. They do almost the same thing. Could that cause problems? Why would it go bad suddenly when I haven't changed anything recently?
The obvious thing to check is the expiration date of the server certificate. It's a proper one purchased from comodo.com, and it has more than a year of life. I don't know where else to look.
Right. Have you triple checked that valid date?
Code:
# openssl x509 -text -in server.crt
Quote:
Originally Posted by bluethumb
When I started to dig into things I got very confused. Both mod_nss and mod_ssl are installed. They do almost the same thing. Could that cause problems? Why would it go bad suddenly when I haven't changed anything recently?
Are you using both modules for your TLS needs? (If so, please explain why that is.)
I checked the certificate again. It's good to September 2012. The cert information displayed by a https web page agrees.
Why both ssl and nss? Until yesterday I had never heard of nss. I think it's there because it was installed as part of the standard set of packages. I don't know what would break if I removed it. Also I don't know if it's causing a problem. As I said, I haven't messed with these things for months.
After thinking about it for a while, I was able to determine that the error messages were coming from mod_nss. It's the only thing that uses the string "Server-Cert". Some digging then showed that nothing seems to use mod_nss. Then I found the command "certutil -d /etc/httpd/alias -L -n Server-Cert", which showed that the dummy certificate used by mod_nss expired on May 24. That settled this issue for me, so I removed mod_nss.
If this is Red Hat 5 or a clone, the issue is that the mod_nss rpm creates the necessary certificates and they are set to expire at some point. To fix, remove and reinstall the mod_nss rpm.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.