[Fwd: The certificate for mydomain.com has expired]

Bob McClure Jr bob at bobcatos.com
Tue Oct 27 19:22:58 UTC 2009


Hi Karl,

On Tue, Oct 27, 2009 at 12:32:00PM -0600, Karl Pearson wrote:
> I get this daily.
> 
> I don't use https on this particular little server, but I'd like to
> solve this anyway. I've run genkey and still the problem persists. One
> thing; during the genkey process it asks if I would like to authenticate
> the new key against one of several online servers. I choose 'no' at that
> point.

Two things:

- When you make a self-signed cert, be sure to specify an expiry more
  than 30 days hence, which is the default.  The warning comes from
  /etc/cron.daily/certwatch, which starts warning at 30 days to go.
  To make a year-long self-signed cert,

  genkey --days 365 mydomain.com

  If you already have an active key for that domain, genkey will carp
  and you will need to rename it out of the way, say, with a ".old"
  suffix.  In the dialogs, give it a null passphrase (just hit
  [Enter]), tell it you do not need a CSR, and no encryption at the
  end.

- After generating the new cert and key, run

  apachectl graceful

  to put it into effect.

Another hint: genkey is a Perl script in /usr/bin/genkey.  You may
want to modify the defaults in the script to what you will always
want.

Also, if you never have any use for SSL on that box, but still want
the web server running, rename /etc/httpd/conf.d/ssl.conf to something
like ssl.conf.off, and "apachectl graceful".  certwatch checks only
loaded certs in the server.  If you have none, it will remain quiet.

> TIA,
> 
> Karl
> 
> --------------------------- Original Message ---------------------------
> 
>  ################# SSL Certificate Warning ################
> 
>   Certificate for hostname 'mydomain.com', in file:
>      /etc/pki/tls/certs/server.crt
> 
>   The certificate needs to be renewed; this can be done
>   using the 'genkey' program.
> 
>   Browsers will not be able to correctly connect to this
>   web site using SSL until the certificate is renewed.
> 
>  ##########################################################
>                                   Generated by certwatch(1)
> 
> 
> And who is certwatch and why are they looking at this server? -- karl

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
bob at bobcatos.com             http://www.bobcatos.com
Finally, be strong in the Lord and in his mighty power.
Ephesians 6:10 (NIV)
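
The 30-day warning window described in the reply above can be checked by hand with the OpenSSL command line. The script below is an added example, not part of the original thread and not certwatch's or genkey's own code; it assumes the openssl CLI is installed, and the function names (cert_status, make_selfsigned, demo) and the throwaway test certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: an expiry check in the spirit of the certwatch warning,
# built on `openssl x509 -checkend`. Not certwatch's own logic.
WARN_DAYS=30   # the warning window mentioned in the thread

# cert_status FILE [DAYS] -> prints ok | warn | expired | unreadable
# Exit status is 0 only for "ok", so it can gate a cron job or deploy step.
cert_status() {
    cert=$1
    days=${2:-$WARN_DAYS}
    # A missing or unparsable file must not be reported as "about to expire".
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    # -checkend N exits non-zero if notAfter falls within the next N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo warn; return 1
    fi
    echo ok
}

# make_selfsigned OUT_PREFIX DAYS: constructed test input only (throwaway
# key, no passphrase), standing in for what `genkey --days N` would produce.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=mydomain.com" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Demo on constructed certificates in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    make_selfsigned "$tmp/short" 10    # already inside the 30-day window
    make_selfsigned "$tmp/year" 365    # a year-long cert, as with --days 365
    for name in short year missing; do
        status=$(cert_status "$tmp/$name.crt") || true
        echo "$name.crt: $status"
    done
    rm -rf "$tmp"
}
demo
```

Pointing cert_status at /etc/pki/tls/certs/server.crt after regenerating the certificate shows whether the new expiry is far enough out before the next daily cron run.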




More information about the Redhat-install-list mailing list