New ssl certs are not showing up in ec2 instance

0

One of our servers hosted in ec2 instances got expired yesterday. I have installed new certs but still old certs are showing up in browser.

We are using amazon linux image for apache server.

asked 9 months ago274 views
2 Answers
0

Did you restart the Apache server after switching certificates?

If you are rebooting, would you be willing to share in detail what steps you took to update the system?

profile picture
EXPERT
answered 9 months ago
  • Hello, first i got the file from ca and renamed and used them in ssl.conf. afterthat, I have run this command sudo apachectl configtest to check sytnax. then I have restarted the server. I follwed the same process for schooltour.ie with same certs because it is wild cert. and it worked.

  • Did you clear your browser cache after executing the following command?

    sudo systemctl restart httpd
    
  • Yes I did clear the browser cache

  • Are you sure that the certificate you obtained from the CA is properly renewed? In other words, I am concerned that I have not mistakenly set up something that has not been updated. Can I check the expiration date of my certificate by entering my domain at the following site? https://www.digicert.com/help/

0

You mention schooltour.ie as a site you have previously renewed, and that one looks fine when checked:

$ openssl s_client -connect schooltour.ie:443 -showcerts
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G4
verify return:1
depth=0 CN = *.schooltour.ie
verify return:1
---
Certificate chain
 0 s:CN = *.schooltour.ie
   i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G4
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 15 18:02:02 2023 GMT; NotAfter: Mar 18 17:02:40 2024 GMT

What is the site that you have trouble with? And if you put the new cert in place for that site and then run the above command (with the problem site instead of schooltour.ie) what does it give you?

You mention the checks you have run include:

i got the file from ca and renamed and used them in ssl.conf. afterthat, I have run this command sudo apachectl configtest to check sytnax.

apachectl configtest will just sanity-check the config files under /etc/httpd for syntax errors, it won't check the validity of the certificates. As you are using Apache then by default the cert location will be set in /etc/httpd/conf.d/ssl.conf, something like this:

$ sudo grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/[my_certificate].crt
SSLCertificateKeyFile /etc/pki/tls/private/[my_certificate].key

You will know better than me if your cert is in a different location, if it is then obviously use that instead.

Check the certificate is correct, look at the issuer and the dates (it should all be in the first 10 to 20 lines of output):

$ sudo openssl x509 -in /etc/pki/tls/certs/[my_certificate].crt -text

Check the private key is the correct key to match the certificate (the output of these commands should be the same):

$ sudo openssl x509 -noout -modulus -in /etc/pki/tls/certs/[my_certificate].crt | openssl md5
[ redacted ]
$ sudo openssl rsa -noout -modulus -in /etc/pki/tls/private/[my_certificate].key | openssl md5
[ redacted ]

After running all of this, is there anything that looks incorrect?

profile picture
EXPERT
Steve_M
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions