via Namecheap I have my SSL certificates (POSITIVESSL Comodo) which run on my Nginx webserver to offer https to my clients. This worked like a charm until my certificate expired.
Now I tried to install a new certificate, but whatever I try, the old one is being loaded.
What I did.
Removed all the old certificate files (.key, .crt, .csr)
Using this tutorial creating a new key files.
Entered that file into the Namecheap SSL panel to generate new SSL certificates (which arrived, and show to be valid from 11/26/2012 to 12/26/2013.
Go to my certificates directory, put in the 3 .crt files I got.
Using this tutorial i bundled all the .crt files into 1 .pem file.
Check my nginx.conf to confirm all the paths to the .key & .pem file are correct
Restart nginx
I even tried to change the file names, to ensure they cannot conflict with the old ones, but still my old certificates are being loaded. I have used tools like: http://www.digicert.com/help/ to test the certs, also there the old ones are still being loaded.
Apart from Nginx, should I restart anything else to ensure the new files are being loaded correctly?
Issue has been resolved, the DDOS protection proxy also needed to be updated.
Related
Previously I used RapidSSL certificate. After it expired I moved to Lets Encrypt (free ssl) and installed on my server. But site uses still old SQL certificate after couple of refreshes taking new SSL certificate and resources (css, images, scripts) are not loading gives NET::ERR_CERT_DATE_INVALID error.
I restarted Apache couple of times.
I'm using Ubuntu 16.04.
NET::ERR_CERT_DATE_INVALID means your SSL certificate date is invalid, that is because your old certificate has expired. Check your apache config to make sure that - certificate files mentioned are the desired ones. For detail debugging of your problem, you need to look at your apache server log could be located at /var/log/apache2.
I have installed a new certificate on an existing webserver.
Ran "https://www.sslshopper.com/ssl-checker.html". says the certificate
is 700+ days old.
The domain is "www.infocon-inc.com"
Certificate is SHA2.
Created a free certificated made sure sha256.
using both the configure file and the command line -sha256.
running Apache 2.2+ with openssl 1+
Checked IP Address
checked the firewall https is open port.
restart Apache, everytime I updated the certificate.
Still get "ERR_CERT_AUTHORITY_INVALID" error in the browser.
Site has been up for years.
Any ideas as to where to look for the problem?
The problem was there was in ssl.conf referenced localhost.crt and localhost.key.
So I am trying to make my IIS8 webserver https, yet I can't seem to get it to work.
I have tried almost anything... but nothing seems to work.
DON'T WORRY THE FILES BELOW ARE FAKE!
PICTURE 1 KEY
PICTURE 2 PEM
First of all, what do I need to do with these 2? It says to save them as .key and .pem files, so I thought they mend: put the private key in a text file and save it as .key and same for the certificate and save it as .pem.
I tried to convert them to .pfx because that is what I need, right?
First I tried using openssl, but I saw a nice site, so I started using that instead: https://www.sslshopper.com/ssl-converter.html. That gave me an error at first, but then I saw cloudflare also had something called DER:
Which gave me an .CRT file if I downloaded it, so now I had a .PEM, a .KEY and an .CRT file, I went back to the website and used the .CRT file and the .KEY file, and put in a password!
Now I've gotten my .PFX file, which I wanted! I installed it on my windows server, but got this:
Why is it not verified?!
What files do I need to verify this?
Am I saving the files correct?
Within IIS you'll need to create a Certificate Signing Request (CSR) and export it.
In the Crypto app, scroll down to the Origin Certificates card and click 'Create Certificate'. Select 'I have my own private key and CSR', add the hostnames you'd like to be covered by the certificate. Once you've completed all the steps in the Wizard you can go back to IIS and click " Complete Certificate Request".
A step-by-step breakdown of these instructions is available on the Cloudflare Knowledge Base: Managing Cloudflare Origin CA certificates
Additionally, you'll need to install the Origin CA root certificates for CloudFlare on the server outline in Step 4 of the KB tutorial. This is fix the warning message:
Windows does not have enough information to verify this certificate.
There are two locations which these certificates may be installed: Current User or Local Machine.
To target the Current User open the certmgr.msc program, otherwise open certlm.msc
Expand 'Trusted Root Certification Authorities'
Right-click 'Certificates'
Select 'Import...' from the 'All Tasks' menu
Import both the ECC and RSA .pem files
My server runs Apache HTTPD 2.2.16 with OpenSSL 0.9.8e on Debian Squeeze runs Roundcube 0.95 on a vhost with an SSL cert. It works fine. The cert will expire on the 21st January. Debian Squeeze has not had updates for years.
I created, like usual a new cert from the same provider ( startSSL) and put replaced the old certs with the new .key and .crt (pem) like I have done every other year. The passphrase on the private .key has been removed.
When I restarted Apache, the SSL serving pages served blank pages.
I did not see errors in the error.log. I could see the access.log showing my browser hitting the site with a 200 response. But Roundcube was not there.
Replacing the .key and .crt with the old versions restored everything.
How else could I debug this?
When using web2py, it asks a single ssl certificate file.
But what I got from Comodo are two files, one .crt file and one .ca-bundle file.
I tried with using only provide the .crt file when setting up web2py, in the beginning it works. But when I go to my website another day, it shows "This certificate cannot be verified up to a trusted certification authority."
My suspicion is that this is related to the case of not using the .ca-bundle file. So anyone knows how to use both files in web2py settings?
Finally got it working!
It turns out to be the Web2py 'One step production deployment' script is not complete. It leaves out the 'SSLCertificateChainFile' option when it configures the Apache server.
So by adding this line:
SSLCertificateChainFile = path_to_your_ca-bundle_file
Below the line 'SSLCertificateKeyFile /etc/apache2/ssl/self_signed.key' will do the work.