Thanks Samuel,
On 10/02/18 09:29, Samuel Sieb wrote:
On 02/05/2018 01:01 PM, Eyal Lebedinsky wrote:
As of a month ago I started getting warnings from certwatch saying
The certificate for Certificate Shack has expired
and
The certificate for Frank Alpha has expired
which have now expired a week ago.
I wanted to find out who these hosts are and should I care about the expired certs.
So far I found these two (and no others) mentioned in the file
-rw-r----- 1 root apache 65536 Jan 26 2014 /etc/httpd/alias/cert8.db
which is an old file which seems to be part of the mod_nss package.
Are these real certs? Test ones left there for no reason?
If they are not needed then what is the correct way to remove them, short of
removing the nss_mod module.
I expect they are sample certs, but I don't know why they are included. I don't see those on my server, but my database is much older.
To remove them, go to the /etc/httpd/alias directory. Run "certutil -L -d ." to make sure of the names.
$ sudo certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
cacert CTu,Cu,Cu
Server-Cert u,u,u
alpha u,pu,u
'man certutil' seems to not list the meaning of the attributes flags.
I can guess C and T from the args to '-t' but 'u' is not listed. Maybe just 'untrusted'?
Then you can run "certutil -D -d . -n 'Frank Alpha'" for example to remove them from the database.
$ sudo certutil -D -d . -n 'Frank Alpha'
certutil: could not find certificate named "Frank Alpha": SEC_ERROR_BAD_DATABASE: security library: bad database.
$ sudo certutil -D -d . -n alpha
$ sudo certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
cacert CTu,Cu,Cu
Server-Cert u,u,u
$ sudo certutil -D -d . -n cacert
$ sudo certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
I will keep an eye on any unusual messages.
--
Eyal at Home (fedora@xxxxxxxxxxxxxx)
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx