I updated the SSL cert on a customer server. The cert was about to expire.
The customer sent me the new cert in PEM format. I just replaced it on Apache and restarted it. The new expiration date is correct, but I got a little validation error:
Unable to get the local issuer of the certificate. The issuer of a locally looked up certificate could not be found. Normally this indicates that not all intermediate certificates are installed on the server.
The cert uses an intermediate cert. Maybe I need to update the intermediate cert too? Using the old cert, this validation error doesn't occur.
All seems to be working perfectly. Browsers don't show any error.
You need to update the intermediate cert too, if it is different, as it seems to be. You might also want to check that the CA (Certificate Authority) cert has not changed, or if it has, add the new one.
I have a problem with updating SGD certificate on my local machine.
I am using a self-signed certificate, and can't get the certificate to change the valid from field (ends in 2022) although the new certificate in the .pem file is valid till 2024.
Certificate Information
I want to put a new cert here for SGD.
I have tried everything on the tarantella/sgd website and still no change.
I ran into an issue with expired certificates on a k8s cluster. I have been running version 1.6.1 for over a year now, meaning that my certificates expired and I have to renew them.
In newer versions this is already done automatically, but I currently cannot upgrade my cluster to a higher version, so I have to create the certificates manually.
I came across the following link, where it is described step by step, but I am actually already stuck on creating the openssl.cnf file, as I am missing parameters. At the same time, this option is using a .pem key, while on the cluster currently .crt and .key pairs are used.
Any suggestion on how to move forward with this? I have also tried running the kubeadm alpha phase certs selfsign command, which created new certificates, yet I am still running into the issue that the api-server is refusing the TLS handshake.
http: TLS handshake error from IP:port: remote error: tls: bad certificate
Thank you and best regards,
Bostjan
There is a detailed guide on how to generate certificates.
While you are following that guide look out for a few gotchas:
Make sure your CA certificate is valid for the period you are trying to extend the other certificates to. The validity of any certificate signed by the CA certificate is also limited by the expiration date of the CA certificate.
If the validity period of the CA certificate itself is too short you are in a pickle. Replacing that certificate will require modifying all kubeconfigs (operators, cluster components).
For the same reason as above, make very sure you don't overwrite the CA key/certificate accidentally.
When replacing the certificate for the apiserver you will need to restart the apiserver. The apiserver does not reread the certificate automatically.
I have obtained an SSL cert from Lets Encrypt and added it to my SSL endpoint on Heroku, but I'm a bit nervous about simply removing Expedited SSL. Is it safe?
No problem with doing that and switching to a new certificate from a different Certificate Authority (CA) such as LetsEncrypt. I always remove the references to the old certificates.
A practice I suggest is moving the old certificates to new ones by appending .backup at the end.
Based on the documentation this is a correct practice as long as DNS is pointed to the right endpoint.
I removed my old Comodo SSL certificate and it worked fine. Make sure you've updated your DNS Target at your domain registrar to point to the SSL endpoint you got when you added the Let's Encrypt cert. (Usually certified.domain.herokudns.com)
I have installed an SSL certificate via WHM on one of my domains. The site is working with https://xyz.com.
However, it is not working with https://www.xyz.com. I have checked the certificate and it is for the www version as well. After some research it appears to be an incomplete chain issue. I had no idea how to resolve this. Please help.
A certificate can contain a special Authority Information Access extension (RFC 3280) with a URL to the issuer's certificate. Most browsers can use the AIA extension to download the missing intermediate certificate to complete the certificate chain. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such a certificate as untrusted.
You can solve the incomplete certificate chain issue manually by concatenating all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system's root certificate store.
You should be able to fetch the intermediate certificates from the issuer and concatenate them together yourself. I have written a script to automate the procedure; it loops over the AIA extension to produce output of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver
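The three failure modes discussed on this page (the "unable to get local issuer" error when the server does not send the intermediate, the k8s answer's warning that a signed certificate is only good for as long as its CA, and strict clients that never chase AIA) can be reproduced offline. This is an added Go example, not code from any of the posts or from the cert-chain-resolver project; it builds a throwaway root/intermediate/leaf PKI with constructed names (Example Root CA, Example Issuing CA, www.example.test) and verifies the leaf the way a client without AIA fetching would.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MkCert issues a cert for cn signed by parent (self-signed when parent is nil): a constructed test PKI, not a real CA.
func MkCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageCertSign}
	if !isCA { // leaf: server-auth EKU plus a SAN so hostname checking works; CAs keep CertSign only
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent was given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyLeaf acts like a strict client (OpenSSL, a mobile browser) that never chases AIA: the leaf must chain to the
// trusted root using only the intermediates the server actually sent, with every cert in the chain valid at time `at`.
func VerifyLeaf(leaf, root *x509.Certificate, host string, at time.Time, sent ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host, CurrentTime: at})
	return err
}

func main() {
	now := time.Now()
	root, rootKey := MkCert("Example Root CA", true, now.AddDate(10, 0, 0), nil, nil)
	inter, interKey := MkCert("Example Issuing CA", true, now.AddDate(1, 0, 0), root, rootKey)
	leaf, _ := MkCert("www.example.test", false, now.AddDate(2, 0, 0), inter, interKey) // outlives its issuer
	fmt.Println("full chain, today:       ", VerifyLeaf(leaf, root, "www.example.test", now, inter))
	fmt.Println("intermediate not sent:   ", VerifyLeaf(leaf, root, "www.example.test", now))
	fmt.Println("full chain, in 18 months:", VerifyLeaf(leaf, root, "www.example.test", now.AddDate(1, 6, 0), inter))
}
```

The first call prints `<nil>`; the second fails with an unknown-authority error (the "local issuer" problem), and the third fails even though the leaf itself is unexpired, because the issuing CA is.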
I'm trying to install a Comodo SSL certificate on a shared server, which has DirectAdmin installed. I have assigned the user a unique IP address, made the CSR request and uploaded the certificate.
In DirectAdmin I get the response that both the certificate and private key are saved. Unfortunately, when I browse to https://www.domain.com I get an SSL error, saying that the certificate is untrusted, because it is self-signed.
I'm confused why this error occurs. It seems to me that I followed the correct steps to install the Comodo SSL certificate. I also tried deleting the private key and certificate through the command line on the server. But this does not seem to resolve the error.
What direction should I be looking in to solve this issue?
Check if you installed the intermediate certificate. You have to list one or more intermediate certificates in the field for your public key.
You can also use the GlobalSign OneClickSSL plugin for DirectAdmin and let the plugin do everything for you automatically.
See: https://www.globalsign.com/ssl/oneclickssl/directadmin/
And: http://www.youtube.com/#/watch?v=tVP9i6Ing1M