LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 03-17-2008, 12:59 PM   #1
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Rep: Reputation: 77
Expired Server Certificates


Every day I get an email from my web server that sits on my DMZ with the following:

################# SSL Certificate Warning ################

Certificate for hostname 'www.mydomain.org', in file:
/etc/httpd/conf/ssl.crt/www.mydomain.org.crt

The certificate needs to be renewed; this can be done
using the 'genkey' program.

Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.

##########################################################
Generated by certwatch(1)


Now when I go to www.mydomain.org and view my certificate this server is hosting, I can cleary see it expires in 2010. Anyone know how to force this "certwatch utility to read the correct file or how to fix this?

I provided and example of my cert below:

Example
 
Old 03-18-2008, 07:33 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
IIGC the 'certwatch' cronjob does a 'httpd -t -DDUMP_CERTS'. Executing that manually gives you what?
 
Old 03-18-2008, 10:05 AM   #3
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 77
OK - so I found certwatch to be located in two locations ... so far. I don't want this on my servers any longer and I did not install it so I assume it was the previous admin.

Now I moved "certwatch" from /etc/cron.daily/ where it was running and this takes care of me getting bogus emails every day however I would like to remove it properly and I see its in /usr/bin/ so my question is do I simply just rm /usr/bin/certwatch to remove this properly from my servers or is there another way?
 
Old 03-18-2008, 12:25 PM   #4
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
I would think that removing it from cron would be sufficient. It is part of the crypto-utils package in redhat systems. Or you could just remove the execute bit.

Code:
$ rpm -q --whatprovides /usr/bin/certwatch 
crypto-utils-2.1-4.2
BTW I have found it useful at times.

Last edited by frndrfoe; 03-18-2008 at 12:27 PM.
 
Old 03-19-2008, 06:18 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
Quote:
Originally Posted by Carlwill View Post
Now I moved "certwatch" from /etc/cron.daily/ where it was running
The docs tell you about a httpd.conf setting that keeps certwatch from polling for info. And I agree that if you use certs you'll want to check its validity. Nothing worse than finding out the cert has expired, having to wait for renewal to complete while finding business goes elsewhere because of a, for customers, incomprehensible and irrepairable failure.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Password expired. suman_jan27 Red Hat 4 11-29-2007 09:25 PM
Login expired tulipysc Linux - Software 9 04-25-2007 07:29 PM
User expired Chemeh Mandriva 2 12-16-2005 09:59 AM
password expired rbchhan Fedora 2 08-09-2004 10:39 AM
Generating server certificates and acting as own CA with OpenLDAP BedriddenTech Linux - Security 1 07-03-2004 04:16 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 02:35 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration