How to Check if a SSL Certificate is successfully renewed

apache-2.2centos6ssl-certificate

I have two web servers, one for an intranet and the other for a website. The system specs of the two are almost the same, which is as follows:

CentOS 6.5
LAMP (Apache/2.2.15) + WordPress, which were installed with yum command

I am trying to renew their wildcard SSL certificate with a new one, which I recently got from GoDaddy. The zip file sent from GoDaddy includes the followings:

c************.crt
gd_bundle-g2-g1.crt
gd_intermediate.crt

The two servers share the same private key (test.key), which I am going to use for the new certificate too. So the 2 steps below is all I did on both servers.

(Step 1)
Copy the three files above to /etc/pki/tls/certs directory and edit the /etc/httpd/conf/httpd.conf so the keys "SSLCertificateFile" and "SSLCertificateChainFile" point to the new respective file. The file looks like below after editting.

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/c************.crt
        SSLCertificateKeyFile /etc/pki/tls/private/test.key
        SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle-g2-g1.crt
        <Directory /var/www/html>
        AllowOverride All
        </Directory>
        DocumentRoot /var/www/html
        ServerName *****.*********.com
</VirtualHost>

(Step 2)
Restart the server

After the steps, I accessed both servers with google chrome and checked to see if the expiration date had changed. The expiration date on the intranet has changed like I had expected.

(before)
Valid from 6/17/2014 to 6/17/2015
(after)
Valid from 5/18/2014 to 6/17/2016

But the date on the website is still the same. Is there any other way to check if the certificate is successfully renewed? Or is there anything wrong about the steps I followed? I did not get any errors when I went through the steps and I am thinking that there might be some more steps I need to do to get a wildcard certificate to work.

Best Answer

1) Remember - Apache uses either httpd.conf or ssl.conf depending on how Apache was configured - since ssl.conf is preferred make sure the "failing" server is NOT using ssl.conf instead.

2) Have you tried copying the httpd.conf file from the working server to the "failing" server. If everything else is the same, that should make SSL work, if it doesn't everything is NOT the same on the two servers - double check

/usr/local/etc/apache22/Includes/login.domain.com.ssl.conf

Listen 10.0.0.152:443

<VirtualHost 10.0.0.152:443>
ServerAdmin admin@domain.com
DocumentRoot /web0/cloud/login.domain.com/current
ServerName login.domain.com

ServerAlias www.login.domain.com login.domain.com


LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
TransferLog /var/log/www/login.domain.com-access_log
ErrorLog /var/log/www/login.domain.com-error_log

<DIRECTORY /web0/cloud/login.domain.com/current>
Allow from All
OPTIONS Indexes Includes ExecCGI FollowSymLinks
AllowOverride ALL
</DIRECTORY>

IndexOptions FancyIndexing

AddType application/x-httpd-php .html

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/login.domain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/login.domain.com.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/comodo.ca-bundle"

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


</VirtualHost>

/usr/local/etc/apache22/Includes/admin.domain.com.ssl.conf

Listen 10.0.0.151:443

<VirtualHost 10.0.0.151:443>
ServerAdmin admin@domain.com
DocumentRoot /web0/cloud/admin.domain.com/current
ServerName admin.domain.com

ServerAlias www.admin.domain.com admin.domain.com

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
TransferLog /var/log/www/admin.domain.com-access_log
ErrorLog /var/log/www/admin.domain.com-error_log

<DIRECTORY /web0/cloud/admin.domain.com/current>
Allow from All
OPTIONS Indexes Includes ExecCGI FollowSymLinks
AllowOverride ALL
</DIRECTORY>

IndexOptions FancyIndexing

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/admin.domain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/admin.domain.com.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/comodo.ca-bundle"

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


</VirtualHost>

Apache seems to be using old expired certificate even though new one is installed

Something's in front of Apache. Check out that config:

Listen 127.0.0.1:443
....
<VirtualHost 127.0.0.1:443>

It's listening on localhost only, so internet clients aren't hitting this service directly - they're likely getting proxied.

For the sanity check that Apache's loading the right cert, hit the service directly on Apache's listener: openssl s_client -connect 127.0.0.1:443 -showcerts

Not sure about the Andromeda header, so, let's find the process: lsof -i.

Apache will have 127.0.0.1:443, while some other service has 0.0.0.0:443 (or the VPS's public address :443) - that's the one that needs the new cert.

Best Answer

Related Solutions

Ssl – RHEL/Apache ssl.conf configuration issue

/usr/local/etc/apache22/Includes/login.domain.com.ssl.conf

/usr/local/etc/apache22/Includes/admin.domain.com.ssl.conf

Apache seems to be using old expired certificate even though new one is installed

Related Topic