Updating an expired ssl certificate

Issue #367 resolved
Marconi Madruga created an issue

Hello all.

I just inherited the infrastructure setup of the lab where I am working and I am inexperienced with SSL auth so forgive me if I say something stupid.
Our SCM-Manager's SSL certificate expired and I tried to create a new one and update it. After some struggling, I created a new keystore with a new private key, generated a matching CSR, and got a signed certificate from StartSSL. However, when I restart the scm server and try to access it from the web browser it says it can't be trusted anymore, and when I check the certificate it says it was issued by the server itself, instead of the CA (StartSSL). I guess the server is not sending the correct newly signed certificate?

Any ideas on what I am doing wrong?

Thank you for your time!

Comments (10)

  1. Marconi Madruga reporter

    Hello, thanks for the answer.

    Yes, I did. Inside my keystore.jks file (which is in scm-server\conf) there are now 4 entries: the private key, the signed certificate, the CA and the ca.sub certificates. It keeps showing me the wrong chain of authentication (it does not show the CA and sub, but my domain as the root).

  2. Sebastian Sdorra repo owner

    Is it possible for you to test your server with openssl s_client?

    openssl s_client -connect servername:443
    
  3. Marconi Madruga reporter

    Hi, it gives me:

    Loading 'screen' into random state - done
    CONNECTED(00000180)
    depth=0 O = .net, O = globallabproject, CN = scm.globallabproject.net
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 O = .net, O = globallabproject, CN = scm.globallabproject.net
    verify return:1

    Certificate chain
     0 s:/O=.net/O=globallabproject/CN=scm.globallabproject.net
       i:/O=.net/O=globallabproject/CN=scm.globallabproject.net

    Server certificate
    subject=/O=.net/O=globallabproject/CN=scm.globallabproject.net
    issuer=/O=.net/O=globallabproject/CN=scm.globallabproject.net
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1401 bytes and written 535 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-DES-CBC3-SHA
    Session-ID: 516686BA10002C8E287DFD98FD0AE01337A51188B51104931EDCEA0A1A875428
    Session-ID-ctx:
    Master-Key: 5D7AA25ABE630CFC447E37B2B6CCFBB30076274B1AEAED22F3FCF14572DE4AF264321F01543C282D41ACB3EF1BBFA177
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1365673658
    Timeout : 300 (sec)
    Verify return code: 18 (self signed certificate)

    closed

  4. Sebastian Sdorra repo owner

    The output shows only one certificate in the chain. Could you post the steps you did to create the keystore?

  5. Marconi Madruga reporter

    I followed https://forum.startcom.org/viewtopic.php?t=1390 to create a private key, generate a .csr and retrieve the signed certificate. Then I added each of those + the CA certificates to the keystore like the link says.

    Then I noticed that I was using the default keystore and that those need to be in the \scm-server\conf\keystore.jks instead. So I exported everything to another keystore and put it in the \conf\ folder. Then I noticed that since I followed the steps in the link, I changed the alias of the private key to "scm", to match (kind of) what is in https://bitbucket.org/sdorra/scm-manager/wiki/scm-server-ssl.

    I have the .pem (private key), .csr, .crt files... I wonder if it helps to create a new keystore and reimport everything.

  6. Marconi Madruga reporter

    Woohoo! Thank you very much. It worked :) I didn't know I needed to join everything together in the same chain/file. It looks obvious now why the browser was not showing the whole chain.
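The fix the reporter arrived at (key and the whole chain stored together under the key's alias), as an added example that is not part of this thread or of SCM-Manager: it builds a throwaway root CA, sub CA and server certificate with openssl, shows that a leaf sent on its own fails verification the way the s_client output above did, and, when keytool is available, loads key plus full chain into a keystore.jks under the "scm" alias. The CA names, the password "changeit" and all file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue thread or SCM-Manager. Constructed
# root CA -> sub CA -> server cert; all names, paths and the password
# "changeit" are made up for the demo.
set -eu
cd "$(mktemp -d)"

# Root and sub CA get basicConstraints=CA:TRUE so openssl verify
# accepts them as issuers (a CA cert without it is rejected).
make_demo_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >ca.ext
    for n in root sub scm; do
        openssl req -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr \
            -subj "/CN=demo-$n" 2>/dev/null
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -out root.crt -days 1 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out sub.crt -days 1 2>/dev/null
    openssl x509 -req -in scm.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
        -out scm.crt -days 1 2>/dev/null
    # What the server must send: leaf first, then the intermediate(s).
    cat scm.crt sub.crt >chain.pem
}

# 0 if scm.crt chains to the trusted root; $1 = file with intermediates, or ""
# to mimic a server that sends the leaf alone (the thread's chain of one).
verify_leaf() {
    if [ -n "$1" ]; then
        openssl verify -CAfile root.crt -untrusted "$1" scm.crt >/dev/null 2>&1
    else
        openssl verify -CAfile root.crt scm.crt >/dev/null 2>&1
    fi
}

# Certificates in a PEM file: a browser can only trust the chain it is sent.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# The fix: key and the whole chain under ONE alias ("scm") in the JKS. PBE/MAC
# options keep the PKCS#12 readable by older keytool; prints the chain length.
load_keystore() {
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    openssl pkcs12 -export -name scm -inkey scm.key -in scm.crt -certfile sub.crt \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout pass:changeit -out scm.p12
    keytool -importkeystore -srckeystore scm.p12 -srcstoretype PKCS12 \
        -srcstorepass changeit -destkeystore keystore.jks -deststoretype JKS \
        -deststorepass changeit -noprompt >/dev/null 2>&1
    keytool -list -v -keystore keystore.jks -storepass changeit -alias scm \
        | grep -c '^Certificate\['
}
make_demo_pki
```

After loading, `openssl s_client -connect servername:443 -showcerts` against the restarted server should list two certificates in the chain instead of one.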
