Re: SSL certificate update failed - httpd-2.4.6-90.el7

Hi Martin,

Below is the attribute of the existing working certificate. The only difference is that the new certificate has a validity of 2 years, but that should not be an issue.
We performed the steps below while updating:

1. openssl req -newkey rsa:2048 -nodes -keyout amnetgroup.com.key -out amnetgroup.com.csr -- Generated the CSR.
2. Sent it to the concerned organization and got the updated PKCS#7 certificate (in the form of a .p7b file).
3. Extracted the certificate - openssl pkcs7 -inform der -print_certs -in Amnetgroup.p7b -out amnetgroupnew.com.crt
4. Updated the certificate content and the private key, and the bundle file that came along with it was updated too.
5. Restarted the httpd service. And alas!! The website was throwing the error that I mentioned earlier.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:1a:d3:af:3f:7d:ab:ea:7d:0a:b9:23:99:b1:bf:27
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018
        Validity
            Not Before: Jan 23 00:00:00 2019 GMT
            Not After : Jan 23 12:00:00 2020 GMT
        Subject: CN=*.amnetgroup.com

X509v3 Subject Alternative Name:
                DNS:*.amnetgroup.com, DNS:amnetgroup.com

Below is the attribute of the new certificate, whose update is failing.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:8f:61:f5:6f:8c:8b:ce:95:c2:d5:c5:79:8d:2b:d9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018
        Validity
            Not Before: Jan  3 00:00:00 2020 GMT
            Not After : Mar  3 12:00:00 2022 GMT
        Subject: CN=*.amnetgroup.com

X509v3 Subject Alternative Name:
                DNS:*.amnetgroup.com, DNS:amnetgroup.com

Regards
Sachin Kumar


On Mon, Jan 6, 2020 at 6:34 PM Martin Drescher <drescher@xxxxxxxxx> wrote:
Hi Sachin,

as long as I have been doing this, a non-matching CN and/or v3 SubjectAlternativeNames never affected the HTTP server in a way that it would stop working for me. Both messages you quoted, ah02292 and ah01909, are warning messages. They *may* affect your client's behavior. Hence, if there is not a person in this list knowing better, this should not be of your concern.

What about that 502? This looks like your real issue to me.

However, I remember reading some stuff changed (or will change?) in regard to the VirtualHost clause. But even this would not make sense, if your old certificate is still working. The next thing you could do is look for changes in the certificate's attributes. Maybe there is a change that should not be there.


Am 04.01.20 um 18:02 schrieb Sac Isilia:
> Hi Team,
>

[...]

> *502 - Web server received an invalid response while acting as a gateway or
> proxy server.*
>
> *There is a problem with the page you are looking for, and it cannot be
> displayed.*
>
> *When the Web server (while acting as a gateway or proxy) contacted the
> upstream content server, it received an invalid response from the content
> server.”*
>
>   In the error logs I have found below messages .
>
> ah02292: init: name-based ssl virtual hosts only work for clients with tls
> server name indication support
>
> ah01909: rsa certificate configured for xxxxxxxxxxx:443 does not include an
> id which matches the server name
>
>   Please help me in resolving this issue.
>
>
> Regards
>
> Sachin Kumar
>



 Martin
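
A check that fits between steps 3 and 4 of the procedure in this thread, as an added example that is not part of the original messages: it confirms that the certificate extracted from the .p7b carries the same public key as the private key file httpd will load. The key, CSR and self-signed stand-in for the CA's reply are constructed throw-away data; the file names, the example.test subject and the function names are assumptions.

```shell
#!/bin/sh
# Added example with constructed test data; no real CA or site key is involved.

# Returns 0 when the certificate ($1) was issued for the private key ($2),
# 1 when the public keys differ, 2 when either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Rebuilds the thread's procedure in directory $1 using throw-away material.
build_sample() {
    # Step 1 from the thread, with a constructed subject instead of prompts.
    openssl req -newkey rsa:2048 -nodes -keyout "$1/site.key" \
        -out "$1/site.csr" -subj "/CN=*.example.test" 2>/dev/null
    # Stand-in for the CA: self-sign the CSR, then wrap it as a DER .p7b.
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 \
        -out "$1/issued.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$1/issued.pem" -outform der \
        -out "$1/site.p7b"
    # Step 3 from the thread: extract the certificate from the PKCS#7 file.
    openssl pkcs7 -inform der -print_certs -in "$1/site.p7b" \
        -out "$1/sitenew.crt"
    # A key from a different CSR run, to show what a mismatch looks like.
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d)
build_sample "$d"
if cert_matches_key "$d/sitenew.crt" "$d/site.key"; then
    echo "sitenew.crt matches site.key"
fi
if ! cert_matches_key "$d/sitenew.crt" "$d/other.key"; then
    echo "sitenew.crt does NOT match other.key"
fi
rm -rf "$d"
```
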

