httpd-users mailing list archives

From Sac Isilia <udaypratap.sing...@gmail.com>
Subject Re: [users@httpd] SSL certificate update failed - httpd-2.4.6-90.el7
Date Mon, 06 Jan 2020 13:32:08 GMT
Hi Martin,

Below are the attributes of the existing working certificate. The only
difference is that the new certificate has a validity of 2 years, but that
should not be an issue.
We performed the steps below while updating -

1. openssl req -newkey rsa:2048 -nodes -keyout amnetgroup.com.key -out amnetgroup.com.csr -- Generated the CSR
2. Sent it to the concerned organization and got the updated PKCS#7
certificate (in the form of a .p7b file).
3. Extracted the certificate - openssl pkcs7 -inform der -print_certs -in Amnetgroup.p7b -out amnetgroupnew.com.crt
4. Updated the certificate content and the private key, and the bundle file
that came along with it was updated too.
5. Restarted the httpd service. And alas!! The website was throwing the error that
I mentioned earlier.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:1a:d3:af:3f:7d:ab:ea:7d:0a:b9:23:99:b1:bf:27
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018
        Validity
            Not Before: Jan 23 00:00:00 2019 GMT
            Not After : Jan 23 12:00:00 2020 GMT
        Subject: CN=*.amnetgroup.com

X509v3 Subject Alternative Name:
                DNS:*.amnetgroup.com, DNS:amnetgroup.com

Below are the attributes of the new certificate, for which the update is failing.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:8f:61:f5:6f:8c:8b:ce:95:c2:d5:c5:79:8d:2b:d9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018
        Validity
            Not Before: Jan  3 00:00:00 2020 GMT
            Not After : Mar  3 12:00:00 2022 GMT
        Subject: CN=*.amnetgroup.com

X509v3 Subject Alternative Name:
                DNS:*.amnetgroup.com, DNS:amnetgroup.com

Regards
Sachin Kumar


On Mon, Jan 6, 2020 at 6:34 PM Martin Drescher <drescher@inter.net> wrote:

> Hi Sachin,
>
> as long as I am doing this, a non matching CN and/or v3
> SubjectAlternativeNames never affected the HTTP server in a way that it
> would stop working for me. Both messages you quoted, ah02292 and ah01909,
> are warning messages. They *may* affect your client's behavior. Hence, if
> there is not a person in this list knowing better, this should not be of
> your concern.
>
> What about that 502? This looks like your real issue to me.
>
> However, I remember reading some stuff changed (or will change?) in regard
> of VirtualHost clause. But even this would not make sense, if your old
> certificate is still working. Next thing you could do is, look for changes
> in the certificate's attributes. Maybe there is a change that should not
> be there.
>
>
> Am 04.01.20 um 18:02 schrieb Sac Isilia:
> > Hi Team,
> >
>
> [...]
>
> > *502 - Web server received an invalid response while acting as a gateway or
> > proxy server.*
> >
> > *There is a problem with the page you are looking for, and it cannot be
> > displayed.*
> >
> > *When the Web server (while acting as a gateway or proxy) contacted the
> > upstream content server, it received an invalid response from the content
> > server.”*
> >
> >   In the error logs I have found below messages.
> >
> > ah02292: init: name-based ssl virtual hosts only work for clients with tls
> > server name indication support
> >
> > ah01909: rsa certificate configured for xxxxxxxxxxx:443 does not include an
> > id which matches the server name
> >
> >   Please help me in resolving this issue.
> >
> >
> > Regards
> >
> > Sachin Kumar
> >
>
>
>
>  Martin
>
>
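
Checks that could be run on the files from steps 3 and 4 before restarting httpd, as an added example that is not part of the original thread: `openssl pkcs7 -print_certs` writes every certificate contained in the .p7b, so the script reports which position in the extracted file holds the certificate for the new private key, whether the first certificate matches that key, and whether it covers a given host name (the subject of AH01909). The function names are made up for this example, the key file, PEM file and host name are passed as arguments, and it assumes an `openssl` build that supports `x509 -checkhost`.

```shell
#!/bin/sh
# Added example (not from the thread): checks for a PEM file produced by
# `openssl pkcs7 -print_certs`, run before httpd is pointed at it.
# Function names are made up for this example.

# Succeeds if the FIRST certificate in PEM carries KEY's public key.
# (openssl x509 reads only the first certificate in a file.)
key_matches_cert() {   # key_matches_cert KEY PEM
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the 1-based position of the certificate in PEM that belongs to
# KEY; prints nothing if no certificate in the file matches.
leaf_position() {   # leaf_position KEY PEM
    tmp=$(mktemp -d) || return 2
    # One file per certificate; text before the first BEGIN line is skipped.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }' "$2"
    i=1
    while [ -f "$tmp/$i.pem" ]; do
        if key_matches_cert "$1" "$tmp/$i.pem"; then echo "$i"; break; fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Succeeds if the first certificate in PEM is valid for HOST (subjectAltName
# DNS entries, wildcards included; OpenSSL uses the CN if there are none).
cert_covers_host() {   # cert_covers_host PEM HOST
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Usage: sh check_cert.sh KEY PEM HOSTNAME
if [ "$#" -eq 3 ]; then
    echo "certificates in $2: $(grep -c 'BEGIN CERTIFICATE' "$2")"
    echo "certificate for $1 is at position: $(leaf_position "$1" "$2")"
    if key_matches_cert "$1" "$2"; then echo "first certificate matches key"
    else echo "first certificate does NOT match key"; fi
    if cert_covers_host "$2" "$3"; then echo "certificate covers $3"
    else echo "certificate does NOT cover $3"; fi
fi
```
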
