New ssl certs are not showing up in ec2 instance


The certificate on one of our servers hosted on an EC2 instance expired yesterday. I have installed the new certs, but the old certs are still showing up in the browser.

We are using the Amazon Linux image for the Apache server.

asked 9 months ago, 278 views
2 Answers

Did you restart the Apache server after switching certificates?

If you are rebooting, would you be willing to share in detail what steps you took to update the system?

answered 9 months ago
  • Hello, first I got the file from the CA, renamed it and used it in ssl.conf. After that, I ran sudo apachectl configtest to check the syntax. Then I restarted the server. I followed the same process for schooltour.ie with the same certs because it is a wildcard cert, and it worked.

  • Did you clear your browser cache after executing the following command?

    sudo systemctl restart httpd
    
  • Yes I did clear the browser cache

  • Are you sure that the certificate you obtained from the CA is properly renewed? In other words, I am concerned that something that has not been updated may have been set up by mistake. Can you check the expiration date of your certificate by entering your domain at the following site? https://www.digicert.com/help/


You mention schooltour.ie as a site you have previously renewed, and that one looks fine when checked:

$ openssl s_client -connect schooltour.ie:443 -showcerts
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G4
verify return:1
depth=0 CN = *.schooltour.ie
verify return:1
---
Certificate chain
 0 s:CN = *.schooltour.ie
   i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G4
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 15 18:02:02 2023 GMT; NotAfter: Mar 18 17:02:40 2024 GMT

What is the site that you have trouble with? And if you put the new cert in place for that site and then run the above command (with the problem site instead of schooltour.ie) what does it give you?

You mention the checks you have run include:

I got the file from the CA, renamed it and used it in ssl.conf. After that, I ran sudo apachectl configtest to check the syntax.

apachectl configtest will just sanity-check the config files under /etc/httpd for syntax errors; it won't check the validity of the certificates. As you are using Apache, by default the cert location will be set in /etc/httpd/conf.d/ssl.conf, something like this:

$ sudo grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/[my_certificate].crt
SSLCertificateKeyFile /etc/pki/tls/private/[my_certificate].key

You will know better than me if your cert is in a different location, if it is then obviously use that instead.

Check the certificate is correct, look at the issuer and the dates (it should all be in the first 10 to 20 lines of output):

$ sudo openssl x509 -in /etc/pki/tls/certs/[my_certificate].crt -text

Check the private key is the correct key to match the certificate (the output of these commands should be the same):

$ sudo openssl x509 -noout -modulus -in /etc/pki/tls/certs/[my_certificate].crt | openssl md5
[ redacted ]
$ sudo openssl rsa -noout -modulus -in /etc/pki/tls/private/[my_certificate].key | openssl md5
[ redacted ]

After running all of this, is there anything that looks incorrect?

Steve_M
answered 9 months ago
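The checks in the answer above, collected into one runnable script. This is an added example, not code from the original thread, from AWS or from the Apache project: it reads SSLCertificateFile and SSLCertificateKeyFile out of an ssl.conf, confirms the private key belongs to the certificate, checks the expiry date, and has a helper to compare the on-disk certificate with the one a live server actually presents. The host name www.example.test, the self-signed demo certificate, the second "wrong" key and every path under the temporary directory are constructed for the demo and are not from the page.

```bash
#!/bin/sh
# Added example (not from the original thread): local pre-flight checks for an
# Apache TLS certificate swap. Paths and host names below are assumptions.
set -u

# First value of an Apache directive in a config file. Comment lines are
# skipped automatically because their first field starts with '#'.
conf_path() {            # $1 = directive name, $2 = config file
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Exit 0 if the private key belongs to the certificate. Compares SHA-256 hashes
# of the DER-encoded public key, which works for RSA and EC keys alike (the
# classic "-modulus | openssl md5" comparison only works for RSA keys).
key_matches_cert() {     # $1 = cert PEM, $2 = key PEM
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Exit 0 if the certificate is still valid $2 seconds from now (0 = right now).
cert_valid_for() {       # $1 = cert PEM, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate (AB:CD:...).
cert_fingerprint() {     # $1 = cert PEM
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate a live server presents for a host name.
# -servername sends SNI, so a name-based virtual host answers with its own
# cert rather than the default vhost's. Needs network access; not run below.
served_fingerprint() {   # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Run all local checks for one ssl.conf. Exit 0 only if everything passes.
check_ssl_conf() {       # $1 = ssl.conf
    cert=$(conf_path SSLCertificateFile "$1")
    key=$(conf_path SSLCertificateKeyFile "$1")
    [ -n "$cert" ] && [ -r "$cert" ] || { echo "FAIL: cert not readable: '$cert'"; return 1; }
    [ -n "$key" ]  && [ -r "$key" ]  || { echo "FAIL: key not readable: '$key'"; return 1; }
    key_matches_cert "$cert" "$key"  || { echo "FAIL: $key does not belong to $cert"; return 1; }
    cert_valid_for "$cert" 0         || { echo "FAIL: $cert has expired"; return 1; }
    cert_valid_for "$cert" 2592000   || echo "WARN: $cert expires within 30 days"
    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# --- constructed demo data (not a real deployment) ---------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
# A throwaway self-signed cert/key pair valid for 90 days ...
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=www.example.test" \
    -keyout "$demo_dir/site.key" -out "$demo_dir/site.crt" >/dev/null 2>&1
# ... and an unrelated key, standing in for "renamed the wrong file".
openssl genrsa -out "$demo_dir/wrong.key" 2048 >/dev/null 2>&1

cat >"$demo_dir/ssl.conf" <<EOF
# stand-in for /etc/httpd/conf.d/ssl.conf
SSLEngine on
SSLCertificateFile $demo_dir/site.crt
SSLCertificateKeyFile $demo_dir/site.key
EOF
# Same cert, but paired with the wrong private key (mod_ssl rejects this at startup).
sed "s#site.key#wrong.key#" "$demo_dir/ssl.conf" >"$demo_dir/ssl-bad.conf"

check_ssl_conf "$demo_dir/ssl.conf"        # exit 0
check_ssl_conf "$demo_dir/ssl-bad.conf"    # exit 1
```

On the real host, run check_ssl_conf as root against /etc/httpd/conf.d/ssl.conf (and against any other *.conf under /etc/httpd/conf.d that carries its own VirtualHost with SSLCertificateFile, since the cert served for a name comes from the vhost that matches it, not necessarily from ssl.conf). Then, after the restart, compare "$(served_fingerprint your.host 443)" with "$(cert_fingerprint /etc/pki/tls/certs/your.crt)"; if they differ, the running httpd is not reading the file you just replaced, or something in front of the instance (a load balancer or CDN terminating TLS) is presenting its own certificate.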
