New ssl certs are not showing up in ec2 instance

0

One of our servers hosted in ec2 instances got expired yesterday. I have installed new certs but still old certs are showing up in browser.

We are using amazon linux image for apache server.

Asked 10 months ago, 303 views
2 answers
0

Did you restart the Apache server after switching certificates?

If you are rebooting, would you be willing to share in detail what steps you took to update the system?

Expert
Answered 10 months ago
  • Hello, first I got the file from the CA, renamed the files and used them in ssl.conf. After that, I ran this command: sudo apachectl configtest to check syntax. Then I restarted the server. I followed the same process for schooltour.ie with the same certs because it is a wildcard cert, and it worked.

  • Did you clear your browser cache after executing the following command?

    sudo systemctl restart httpd
    
  • Yes I did clear the browser cache

  • Are you sure that the certificate you obtained from the CA is properly renewed? In other words, I am concerned that I have not mistakenly set up something that has not been updated. Can I check the expiration date of my certificate by entering my domain at the following site? https://www.digicert.com/help/

0

You mention schooltour.ie as a site you have previously renewed, and that one looks fine when checked:

$ openssl s_client -connect schooltour.ie:443 -showcerts
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G4
verify return:1
depth=0 CN = *.schooltour.ie
verify return:1
---
Certificate chain
 0 s:CN = *.schooltour.ie
   i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G4
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 15 18:02:02 2023 GMT; NotAfter: Mar 18 17:02:40 2024 GMT

What is the site that you have trouble with? And if you put the new cert in place for that site and then run the above command (with the problem site instead of schooltour.ie) what does it give you?

You mention the checks you have run include:

I got the file from the CA, renamed the files and used them in ssl.conf. After that, I ran this command: sudo apachectl configtest to check syntax.

apachectl configtest will just sanity-check the config files under /etc/httpd for syntax errors; it won't check the validity of the certificates. As you are using Apache, by default the cert location will be set in /etc/httpd/conf.d/ssl.conf, something like this:

$ sudo grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/[my_certificate].crt
SSLCertificateKeyFile /etc/pki/tls/private/[my_certificate].key

You will know better than me if your cert is in a different location; if it is, then obviously use that instead.

Check that the certificate is correct: look at the issuer and the dates (it should all be in the first 10 to 20 lines of output):

$ sudo openssl x509 -in /etc/pki/tls/certs/[my_certificate].crt -text

Check the private key is the correct key to match the certificate (the output of these commands should be the same):

$ sudo openssl x509 -noout -modulus -in /etc/pki/tls/certs/[my_certificate].crt | openssl md5
[ redacted ]
$ sudo openssl rsa -noout -modulus -in /etc/pki/tls/private/[my_certificate].key | openssl md5
[ redacted ]

After running all of this, is there anything that looks incorrect?

Expert
Steve_M
Answered 10 months ago
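The checks in the answer above (cert/key match, expiry, and comparing what the server actually serves with what is on disk) collected into one script. This is an added example, not code from the thread or from AWS; it assumes the openssl CLI is installed, and the /etc/httpd paths are placeholders to adjust. It generalises the modulus comparison slightly: comparing the public key extracted from the certificate and from the key works for EC keys as well as RSA, which `-modulus` does not.

```shell
#!/bin/sh
# Added example: verify the certificate Apache is configured to serve.
# Assumes: openssl CLI available; config/cert paths are placeholders.
set -eu

# Print "Directive path" for the cert and key lines of an ssl.conf
# ($1 = path to ssl.conf, default is the Amazon Linux / httpd location).
apache_cert_paths() {
  awk '/^[[:space:]]*SSLCertificate(Key)?File/ {print $1, $2}' \
    "${1:-/etc/httpd/conf.d/ssl.conf}"
}

# SHA-256 fingerprint of a PEM certificate file ($1).
file_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a live server presents
# ($1 = host, $2 = port). Needs network; -servername sends SNI so a
# name-based virtual host answers with its own certificate.
served_fingerprint() {
  echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 when certificate ($1) and private key ($2) carry the same
# public key, 1 otherwise. Works for RSA and EC keys.
cert_key_match() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when certificate ($1) is still valid $2 seconds from now
# (default 0, i.e. "not expired right now"), 1 if it expires sooner.
cert_not_expiring() {
  openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null
}

# Constructed test material: a throwaway self-signed cert/key pair
# ($1 = directory, $2 = base name), valid for one day.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2.example" -keyout "$1/$2.key" -out "$1/$2.crt" \
    >/dev/null 2>&1
}

# Full check of a deployed site: $1 = cert file, $2 = key file,
# $3 = host, $4 = port. Prints what is wrong; returns 0 only if all pass.
check_site() {
  ok=0
  cert_key_match "$1" "$2"    || { echo "key does not match cert"; ok=1; }
  cert_not_expiring "$1" 0    || { echo "cert on disk is expired";  ok=1; }
  disk=$(file_fingerprint "$1"); live=$(served_fingerprint "$3" "$4")
  [ "$disk" = "$live" ] || { echo "served cert differs from $1 (restart httpd? other vhost?)"; ok=1; }
  return $ok
}

# Offline demo on constructed material (run with RUN_DEMO=1).
demo() {
  d=$(mktemp -d)
  make_selfsigned "$d" demo
  cert_key_match "$d/demo.crt" "$d/demo.key" && echo "key matches cert"
  cert_not_expiring "$d/demo.crt" 3600 && echo "cert valid for at least an hour"
  echo "fingerprint: $(file_fingerprint "$d/demo.crt")"
  rm -rf "$d"
}
if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

On a real host you would run something like `check_site /etc/pki/tls/certs/[my_certificate].crt /etc/pki/tls/private/[my_certificate].key example.com 443` after `sudo systemctl restart httpd`; a mismatch between the on-disk and served fingerprints is the quickest way to tell "the file is right but the server is not using it" apart from "the file itself is still the old cert".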
