certificate problem

0

We have an App hosted on AWS (app.sailingplan.ca, dashboard.sailingplan.ca and api.sailingplan.ca).

We have renewed our Amazon certificates (3) but continue to get a certificate error (NET::ERR_CERT_DATE_INVALID). The certificate manager shows that the certificate is in good order. Still trying to figure out what to do to resolve this problem. Please advise.

1 Answer
0

The cert for api.sailingplan.ca appears to be valid (will expire in ten days):

$ openssl s_client -connect api.sailingplan.ca:443 -showcerts | head
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M01
verify return:1
depth=0 CN = app.sailingplan.ca
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = app.sailingplan.ca
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 22 00:00:00 2023 GMT; NotAfter: May 27 23:59:59 2023 GMT
-----BEGIN CERTIFICATE-----
MIIF/jCCBOagAwIBAgIQD442H0Q1kTCXfelGgqr5rjANBgkqhkiG9w0BAQsFADA8
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRwwGgYDVQQDExNBbWF6b24g

The other two domains have the same cert that expired more than a year ago:

$ openssl s_client -connect app.sailingplan.ca:443 -showcerts | head
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = dashboard.sailingplan.ca
verify error:num=10:certificate has expired
notAfter=Mar  6 23:59:59 2022 GMT
verify return:1
depth=0 CN = dashboard.sailingplan.ca
notAfter=Mar  6 23:59:59 2022 GMT
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dashboard.sailingplan.ca
   i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb  5 00:00:00 2021 GMT; NotAfter: Mar  6 23:59:59 2022 GMT
-----BEGIN CERTIFICATE-----
MIIFgTCCBGmgAwIBAgIQAVsKtKan0lTuux3ZJ4v24DANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIg

$ openssl s_client -connect dashboard.sailingplan.ca:443 -showcerts | head
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = dashboard.sailingplan.ca
verify error:num=10:certificate has expired
notAfter=Mar  6 23:59:59 2022 GMT
verify return:1
depth=0 CN = dashboard.sailingplan.ca
notAfter=Mar  6 23:59:59 2022 GMT
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dashboard.sailingplan.ca
   i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb  5 00:00:00 2021 GMT; NotAfter: Mar  6 23:59:59 2022 GMT
-----BEGIN CERTIFICATE-----
MIIFgTCCBGmgAwIBAgIQAVsKtKan0lTuux3ZJ4v24DANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIg

Looking up the DNS record for api.sailingplan.ca returns two IPs of EC2 instances in ca-central-1, whereas app & dashboard are CloudFront distributions. So it seems the cert needs to be updated in CloudFront: https://www.youtube.com/watch?v=AY0iJyCOkOc

EXPERT
Steve_M
answered a year ago
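The check in the answer above can be scripted so that each hostname is judged by the certificate it actually serves rather than by what the certificate manager lists. This is an added example, not part of the original answer: it parses the `s:` and `v:NotBefore/NotAfter` lines in the format shown in the outputs above, the sample strings are constructed from those outputs, and `NOW`, `fetch` and `leaf_status` are hypothetical names chosen here.

```python
import re
import subprocess
from datetime import datetime, timezone

# Per-certificate lines as printed in the s_client output shown in the answer.
SUBJECT = re.compile(r"^\s*0 s:(.*)$")
VALIDITY = re.compile(r"v:NotBefore: (.+?); NotAfter: (.+?)\s*$")
FMT = "%b %d %H:%M:%S %Y GMT"

def fetch(host, port=443):
    """Live s_client output for host (needs network and the openssl CLI)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    return subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True,
                          text=True, timeout=15).stdout

def leaf_status(output, now):
    """Summarise the leaf certificate (chain entry 0) found in s_client output."""
    subject = None
    for line in output.splitlines():
        m = SUBJECT.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = VALIDITY.search(line)
        if subject is not None and m:
            not_after = datetime.strptime(m.group(2), FMT)
            not_after = not_after.replace(tzinfo=timezone.utc)
            return {"subject": subject, "not_after": not_after,
                    "expired": now > not_after,
                    "days_left": (not_after - now).days}
    raise ValueError("no leaf certificate validity line found")

# Constructed samples: chain entry 0 copied from the outputs in the answer.
API_SAMPLE = """\
 0 s:CN = app.sailingplan.ca
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   v:NotBefore: Feb 22 00:00:00 2023 GMT; NotAfter: May 27 23:59:59 2023 GMT
"""
APP_SAMPLE = """\
 0 s:CN = dashboard.sailingplan.ca
   i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   v:NotBefore: Feb  5 00:00:00 2021 GMT; NotAfter: Mar  6 23:59:59 2022 GMT
"""
# Assumed check time, chosen to match "will expire in ten days" in the answer.
NOW = datetime(2023, 5, 17, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, sample in (("api", API_SAMPLE), ("app", APP_SAMPLE)):
        print(host, leaf_status(sample, NOW))
```

For a live check, pass `fetch("app.sailingplan.ca")` and `datetime.now(timezone.utc)` to `leaf_status`; an `expired` result on a hostname whose certificate shows as renewed means the endpoint is still attached to the old certificate.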
