Hello everyone,
Recently I have been trying to rotate a cert, and the client uses the Python requests lib, which leverages OpenSSL. Here are my steps:
1. Generate a new cert and append it to the cert file (at this point there are 2 certs in the file: the first is the old cert, the second is the new one; they have the same Subject). Restart the client side process (no problem here, because the first cert matches the server side cert, and it verifies successfully).
2. Replace the server side cert with the new cert.
As soon as I issue step #2, the client side process starts to show error “certificate verify failed”.
This would cause downtime to my apps. I am new to this and not sure whether there is anything wrong with my usage or understanding. But I found this page https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html, and it describes exactly the behavior seen in my test:
If several CA certificates matching the name, key identifier, and serial number condition are available, only the first one will be examined. This may lead to unexpected results if the same CA certificate is available with different expiration dates. If a "certificate expired" verification error occurs, no other certificate will be searched. Make sure to not have expired certificates mixed with valid ones.
So I am wondering how to rotate a cert in such a case? It would be very helpful if anyone could help with this. Thanks.
BTW, I tested the same cert file with curl (compiled with GnuTLS), and it works fine.
Regards
Dingping
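An added check for the condition quoted from the man page above (example code written for this page, not part of the original post or of OpenSSL): it walks a PEM bundle in file order, groups certificates by Subject, and flags any Subject that appears more than once, recording whether the first copy (the one the 1.0.2 man page says is examined) is already expired or is older than a later copy. It parses X.509 with a small stdlib-only DER reader, so it can be run on a real bundle file. The two bundled certificates it ships with are constructed, unsigned stand-ins that share the Subject CN "rotation-demo" and only structurally mimic the old-then-new file described in the post; the names `audit_bundle`, `fake_cert_pem` and the fixed `NOW_*` timestamps are my own.

```python
"""Audit a PEM CA bundle for same-Subject duplicates, the situation
SSL_CTX_load_verify_locations(3) warns about.  Standard library only."""
import base64
import re
from datetime import datetime, timezone

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3
UTC = timezone.utc


# --- minimal DER reader ------------------------------------------------------
def tlv(buf, pos=0):
    """Read one tag-length-value at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """All TLVs inside a constructed value as (tag, value, raw_tlv_bytes)."""
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, value, pos = tlv(content, pos)
        out.append((tag, value, content[start:pos]))
    return out


def parse_time(tag, value):
    # 0x17 = UTCTime (2-digit year), otherwise GeneralizedTime (4-digit year).
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=UTC)


def common_name(name_value):
    """Pull the CN out of a Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn, _ in children(name_value):
        for _, atv, _ in children(rdn):
            oid, val = children(atv)[:2]
            if oid[1] == OID_CN:
                return val[1].decode("utf-8", "replace")
    return "?"


def parse_cert(der_bytes):
    """Extract serial, issuer, validity and subject from a DER Certificate."""
    _, cert, _ = tlv(der_bytes)
    _, tbs, _ = tlv(cert)                    # TBSCertificate is the first element
    f = children(tbs)
    if f[0][0] == 0xA0:                      # optional explicit [0] version
        f = f[1:]
    not_before, not_after = [parse_time(t, v) for t, v, _ in children(f[3][1])]
    return {"serial": int.from_bytes(f[0][1], "big", signed=True),
            "issuer": f[2][2], "subject": f[4][2], "cn": common_name(f[4][1]),
            "not_before": not_before, "not_after": not_after}


def load_bundle(pem_text):
    return [parse_cert(base64.b64decode("".join(m.group(1).split())))
            for m in PEM_CERT.finditer(pem_text)]


def audit_bundle(pem_text, now=None):
    """Report every Subject that occurs more than once, keeping file order."""
    now = now or datetime.now(UTC)
    groups = {}
    for idx, cert in enumerate(load_bundle(pem_text)):
        groups.setdefault(cert["subject"], []).append((idx, cert))
    findings = []
    for entries in groups.values():
        if len(entries) < 2:
            continue
        first = entries[0][1]                # the copy a 1.0.2 lookup examines
        newest = max(c["not_after"] for _, c in entries)
        findings.append({"cn": first["cn"], "positions": [i for i, _ in entries],
                         "first_expired": first["not_after"] < now,
                         "first_is_newest": first["not_after"] == newest})
    return findings


# --- constructed sample input (unsigned, structurally valid certificates) ----
def der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))


def _utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


def fake_cert_pem(cn, serial, not_before, not_after):
    """Self-issued test certificate with an empty SPKI and a dummy signature."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg
              + _name(cn) + der(0x30, _utctime(not_before) + _utctime(not_after))
              + _name(cn) + der(0x30, b""))
    body = base64.b64encode(der(0x30, tbs + alg + der(0x03, b"\x00"))).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


OLD = fake_cert_pem("rotation-demo", 1, datetime(2023, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
NEW = fake_cert_pem("rotation-demo", 2, datetime(2024, 6, 1, tzinfo=UTC), datetime(2026, 6, 1, tzinfo=UTC))
BUNDLE_OLD_FIRST = OLD + NEW          # the order in the post: old cert first, new appended
NOW_DURING_OVERLAP = datetime(2024, 9, 1, tzinfo=UTC)   # both certs still valid
NOW_AFTER_OLD_EXPIRY = datetime(2025, 3, 1, tzinfo=UTC)  # old cert has expired

if __name__ == "__main__":
    for finding in audit_bundle(BUNDLE_OLD_FIRST, now=NOW_DURING_OVERLAP):
        print(finding)
```

Point it at a real file with `audit_bundle(open("bundle.pem").read())`; a finding whose `first_is_newest` is false is exactly the old-then-new layout in the post, and one whose `first_expired` is true is the "expired certificates mixed with valid ones" case the man page tells you to avoid.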