Score:-2

Cannot renew ssl certificates, notAfter never changes

cn flag

For the last two days I have been trying to fix an SSL certificate problem on our servers.

We have two servers, A and B. I was able to connect from A to B, but B changed its SSL certificate. They shared this key and we imported it, but when I try to connect to B I get

$  openssl s_client -CApath /etc/ssl/certs/ -connect B:443
verify error:num=10:certificate has expired
notAfter=Sep 17 12:00:00 2021 GMT

So this is still the old one. Then I tried to check whether I had failed to import the new .crt file and it was still the old one.

$ openssl x509 -in B.crt -noout -dates
   notBefore=Aug  4 00:00:00 2021 GMT
   notAfter=Aug  4 23:59:59 2022 GMT

No, as you can see, the certificate is new and valid. So I tried to use it to test the connection to B.

$ openssl s_client  -connect B:443 -CAfile B.crt

But it still returns

verify error:num=10:certificate has expired
notAfter=Sep 17 12:00:00 2021 GMT

What should I do now?

in flag
Did you restart the service after replacing the certificate files?
SS YY KK avatar
cn flag
Do you mean openssl? I didn't restart anything. Even when I use -CAfile, there are two different results. When I check the validity of the .crt file, it seems valid. But when I try to connect with this valid .crt file, it behaves as if it never uses the .crt file.
in flag
After replacing a certificate file you need to restart or reload the services that use it, so they can load the new certificate.
Score:1
ar flag
$  openssl s_client -CApath /etc/ssl/certs/ -connect B:443
verify error:num=10:certificate has expired
notAfter=Sep 17 12:00:00 2021 GMT

So B sends an expired certificate. According to comments, they send a valid certificate when you use SNI to request the certificate for name B.

The solution is obviously to use SNI, as this is what B has tested and implemented.

SS YY KK avatar
cn flag
But when I try the certificate that they sent, such as openssl x509 -in B.crt -noout -dates, I get the right dates.
vidarlo avatar
ar flag
B is obviously not using that certificate, as the dates don't match. When you connect to B, B sends a certificate that it uses to authenticate itself. What matters is the certificate B sends, not what you have stored locally.
SS YY KK avatar
cn flag
I can see from the browser that they are using this certificate; the dates match in the browser.
vidarlo avatar
ar flag
So you're not running B? Contact whoever is running B.
SS YY KK avatar
cn flag
Thanks. Since they are able to connect with SNI, such as openssl s_client -CApath /etc/ssl/certs/ -connect B:443 -servername B, they say the problem is with our certificates. But when I check the https://serverfault.com/questions/799345/openssl-returns-the-expired-certificate-while-browser-shows-the-correct-one post, I think they need to alter some config files. What do you think?
vidarlo avatar
ar flag
Ok, so they obviously expect SNI. Have you *tried* with SNI? I can't quite get heads or tails of this question.
SS YY KK avatar
cn flag
Hmm, yes, I tried. I could get Verify return code: 0 (ok) with SNI: $ openssl s_client -connect B:443 -servername B. Thanks, I will inform B and let them know the problem is on their side.
vidarlo avatar
ar flag
The problem is not on their side. They obviously expect you to use SNI, and you don't.
SS YY KK avatar
cn flag
They removed the SNI control while binding the certificate. Now it is working, thanks.
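The thread's root cause is that the server presented one certificate to clients that sent no SNI and a different one to clients that did, so the question's probe without -servername saw the expired leaf while the probe with -servername saw the renewed one. The script below is an added example written for this thread, not code from the question or the answer: it parses the notBefore/notAfter lines that openssl prints, compares the certificate presented with SNI and without SNI against a certificate file held locally, and classifies the result. The sample outputs are constructed from the dates quoted in the thread (the SNI probe is assumed to return the same dates as the local file, which is what "Verify return code: 0 (ok)" with -servername implies); the host name B is a placeholder, and probe_server() needs the openssl CLI plus network access. One caveat worth knowing when reproducing the question's first probe: since OpenSSL 1.1.1, s_client sends SNI for the -connect host by default, so -noservername is needed to suppress it.

```python
"""Compare the leaf certificate a TLS server presents, with and without SNI,
against a certificate file held locally, using the dates openssl prints.
Added example for this thread; sample outputs are constructed."""
import re
import subprocess
from datetime import datetime, timezone

# Matches lines such as "notAfter=Sep 17 12:00:00 2021 GMT" as printed by
# `openssl x509 -noout -dates` and by s_client's verify error output.
DATE_LINE = re.compile(r"^\s*(notBefore|notAfter)=(.+?)\s*$", re.MULTILINE)


def parse_openssl_dates(text):
    """Return {'notBefore': datetime, 'notAfter': datetime} (UTC-aware) from
    openssl text output; a key that is absent from the text is simply missing."""
    dates = {}
    for key, value in DATE_LINE.findall(text):
        # openssl prints "Mon DD HH:MM:SS YYYY GMT"; the day may be space-padded,
        # which strptime tolerates because a space in the format matches \s+.
        naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
        dates[key] = naive.replace(tzinfo=timezone.utc)
    return dates


def is_expired(dates, now=None):
    """True when notAfter is in the past, i.e. what verify error num=10 reports."""
    now = now or datetime.now(timezone.utc)
    return dates["notAfter"] < now


def diagnose(local, without_sni, with_sni):
    """Classify how the presented leaf certificate relates to the local file.
    Arguments are dicts from parse_openssl_dates(). Returns one of:
      'consistent' - both probes present the local certificate
      'sni_only'   - only the SNI probe does; the default (no-SNI) binding
                     still presents a different certificate
      'not_served' - neither probe presents the local certificate"""
    local_end = local["notAfter"]
    sni_matches = with_sni["notAfter"] == local_end
    plain_matches = without_sni["notAfter"] == local_end
    if sni_matches and plain_matches:
        return "consistent"
    if sni_matches:
        return "sni_only"
    return "not_served"


def probe_server(host, port=443, sni=True, timeout=15):
    """Fetch the leaf certificate the server presents and parse its dates.
    Requires the openssl CLI and network access, so it is not run offline.
    Assumes OpenSSL >= 1.1.1, where s_client sends SNI by default and
    -noservername is needed to suppress it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    cmd += ["-servername", host] if sni else ["-noservername"]
    hello = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=hello.stdout, capture_output=True, check=True)
    return parse_openssl_dates(x509.stdout.decode())


# Constructed sample outputs using the dates quoted in the thread.
SAMPLE_LOCAL_FILE = """\
notBefore=Aug  4 00:00:00 2021 GMT
notAfter=Aug  4 23:59:59 2022 GMT
"""
SAMPLE_NO_SNI = ("verify error:num=10:certificate has expired\n"
                 "notAfter=Sep 17 12:00:00 2021 GMT\n")
# The thread reports 'Verify return code: 0 (ok)' with -servername, so the
# SNI probe is assumed to present the same certificate as the local file.
SAMPLE_WITH_SNI = SAMPLE_LOCAL_FILE


def run_sample():
    """Diagnose the constructed sample; returns 'sni_only' for the thread's case."""
    local = parse_openssl_dates(SAMPLE_LOCAL_FILE)
    plain = parse_openssl_dates(SAMPLE_NO_SNI)
    sni = parse_openssl_dates(SAMPLE_WITH_SNI)
    return diagnose(local, plain, sni)


if __name__ == "__main__":
    print(run_sample())
    # Against a live server you would instead compare:
    #   diagnose(parse_openssl_dates(open("B.crt").read()),   # after `openssl x509 -dates`
    #            probe_server("B", sni=False), probe_server("B", sni=True))
```

A result of sni_only is exactly the situation in this thread: the renewal is fine, but the server's default binding (the one used for connections without SNI) still holds the old certificate, so any client that does not send SNI keeps seeing the expired leaf until that binding is fixed or the client is made to send SNI.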