Koozali.org: home of the SME Server

certificate problem now no access to server-manager

Offline antdickens

certificate problem now no access to server-manager
« on: March 04, 2014, 01:58:11 PM »
Hi

The self signed certificate on our server recently expired and did not automatically renew itself. I followed the instruction to set the certificate to 5 years expiry in the hope it would regenerate a new certificate.

##
rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
signal-event post-upgrade
signal-event reboot
##

It did not

And now unfortunately I cannot access the server-admin page, either through a browser (page cannot be found) or the text-based one through PuTTY (connection refused).

I can access the command line and all other functions seem to be working, other than that when connecting for email I have to accept the warning that the self-signed cert is out of date.

Any ideas how I can go about fixing the access to the server-manager and creating a new self signed certificate?



Thanks in advance


Anthony
« Last Edit: March 04, 2014, 02:00:47 PM by antdickens »

Offline janet

Re: certificate problem now no access to server-manager
« Reply #1 on: March 04, 2014, 02:32:20 PM »
antdickens


Quote
The self signed certificate on our server recently expired and did not automatically renew itself.
Any ideas how I can go about fixing the access to the server-manager and creating a new self signed certificate?

Something is wrong.
Firstly we need to investigate & gather answers.

Show output of
ls -al /home/e-smith/ssl.crt/
ls -al /home/e-smith/ssl.key/
ls -al /home/e-smith/ssl.pem/

Then do
rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*

Do not do post-upgrade & reboot yet

Then again show output of
ls -al /home/e-smith/ssl.crt/
ls -al /home/e-smith/ssl.key/
ls -al /home/e-smith/ssl.pem/

Then do
signal-event post-upgrade
signal-event reboot

After server has rebooted
Show output of
ls -al /home/e-smith/ssl.crt/
ls -al /home/e-smith/ssl.key/
ls -al /home/e-smith/ssl.pem/

We will also look at the custom template later, but for now do the above.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline janet

Re: certificate problem now no access to server-manager
« Reply #2 on: March 04, 2014, 02:46:27 PM »
antdickens

Also show output of
ls -al /etc/e-smith/templates-custom/home/e-smith/
&
cat /etc/e-smith/templates-custom/home/e-smith/ssl.crt


Offline antdickens

Re: certificate problem now no access to server-manager
« Reply #3 on: March 04, 2014, 03:04:22 PM »
Thank you for your reply, here is the requested output.

Could it be the missing number of days after the KEYLIFEINDAYS variable?

I did the restart but lost my text to copy if you see what I mean.
login as: root
root@192.168.10.10's password:
Last login: Tue Mar  4 13:52:08 2014 from 192.168.10.246
[root@hpserver ~]# ls -al /home/e-smith/ssl.crt/
total 8
drwx------  2 root  root  4096 Mar  4 13:54 .
drwxr-xr-x 10 admin admin 4096 Mar  4 13:55 ..
[root@hpserver ~]# ls -al /home/e-smith/ssl.key/
total 12
drwx------  2 root  root  4096 Mar  4 13:54 .
drwxr-xr-x 10 admin admin 4096 Mar  4 13:55 ..
-rw-r--r--  1 root  root  1676 Mar  4 13:54 hpserver.backuptraining.co.uk.key
[root@hpserver ~]# ls -al /home/e-smith/ssl.pem/
total 8
drwx------  2 root  root  4096 Mar  4 13:54 .
drwxr-xr-x 10 admin admin 4096 Mar  4 13:55 ..
[root@hpserver ~]# rm /home/e-smith/ssl.crt/*
rm: cannot lstat `/home/e-smith/ssl.crt/*': No such file or directory
[root@hpserver ~]# rm /home/e-smith/ssl.key/*
rm: remove regular file `/home/e-smith/ssl.key/hpserver.backuptraining.co.uk.key'? y
[root@hpserver ~]# rm /home/e-smith/ssl.pem/*
rm: cannot lstat `/home/e-smith/ssl.pem/*': No such file or directory
[root@hpserver ~]# ls -al /home/e-smith/ssl.crt/
total 8
drwx------  2 root  root  4096 Mar  4 13:54 .
drwxr-xr-x 10 admin admin 4096 Mar  4 13:55 ..
[root@hpserver ~]# ls -al /home/e-smith/ssl.key/
total 8
drwx------  2 root  root  4096 Mar  4 13:58 .
drwxr-xr-x 10 admin admin 4096 Mar  4 13:55 ..
[root@hpserver ~]# ls -al /home/e-smith/ssl.pem/
total 8
drwx------  2 root  root  4096 Mar  4 13:54 .
drwxr-xr-x 10 admin admin 4096 Mar  4 13:55 ..
[root@hpserver ~]# ls -al /etc/e-smith/templates-custom/home/e-smith/
total 12
drwxr-xr-x 2 root root 4096 Feb 27 12:58 .
drwxr-xr-x 3 root root 4096 Feb 27 12:57 ..
-rw-r--r-- 1 root root 2970 Feb 27 12:59 ssl.crt
[root@hpserver ~]# cat /etc/e-smith/templates-custom/home/e-smith/ssl.crt
{
    use constant KEYLIFEINDAYS => ;
    use Date::Parse;
    use Cwd;
    my $here = getcwd;

    my $FQDN = "$SystemName.$DomainName";
    my $commonName = $modSSL{CommonName} || $FQDN;
    my $crt = "/home/e-smith/ssl.crt/$FQDN.crt";
    my $key = "/home/e-smith/ssl.key/$FQDN.key";
    my $defaultCity = $ldap{defaultCity};
    my $defaultCompany = $ldap{defaultCompany};
    my $defaultDepartment = $ldap{defaultDepartment};
    my $email = "admin\@$DomainName";

    # crop fields that are too long for X509:
    $defaultCity = substr($defaultCity, 0, 128);
    $defaultCompany = substr($defaultCompany, 0, 64);
    $defaultDepartment = substr($defaultDepartment, 0, 64);
    $email = substr($email, 0, 64);
    $commonName = substr($commonName, 0, 64);

    if ( -f $crt )
    {
        my $expire = `openssl x509 -enddate -noout -in $crt`;
        $expire =~ s/^notAfter=//;
        $expire = str2time($expire);
        my $ttl_days = ($expire - time()) / 60 / 60 / 24;

        if ( $ttl_days > 2 ) {
            my $expected_issuer = '/C=--' .
                              '/ST=----';
            $expected_issuer .= '/L=' . ($defaultCity ? $defaultCity : 'Newbury');
            $expected_issuer .= '/O=' . ($defaultCompany ? $defaultCompany : 'My Company Ltd');
            $expected_issuer .= "/OU=$defaultDepartment" if $defaultDepartment;
            $expected_issuer .= "/CN=$commonName" .
                                  "/emailAddress=$email";
            my $issuer = `openssl x509 -issuer -noout -in $crt`;
            chomp $issuer;
            $issuer =~ s/^issuer= //;
            if ($issuer eq $expected_issuer)
            {
                # Old key file is still good. Read it out - processTemplate will work
                # out that it hasn't changed, and leave the old one in place
                open(C, "$crt") or die "Couldn't open crt file: $!";
                my @crt = <C>;
                chomp @crt;
                $OUT = join "\n", @crt;
                close(C);
                return;
            }
        }
    }
    # go to somewhere private and safe where we can run programs
    # as root
    unless (-e "/tmp/ssl")
    {
        mkdir "/tmp/ssl", 0700;
    }
    chdir "/tmp/ssl" or die "Couldn't change to secure directory: $!";

    $SIG{ALRM} = sub { die "whoops, $program pipe broke" };

    unless (open(SSL,"-|"))
    {
        my $pid = open(RSACERT, "|-");
        if ($pid)
        {
            # parent

            foreach (
                    "--",
                    "----",
                    "$defaultCity",
                    "$defaultCompany",
                    "$defaultDepartment",
                    "$commonName",
                    "$email"
                    )
            {
                print RSACERT "$_\n";
            }
            close(RSACERT) || die "RSACERT kid exited $?";
            exit (0);
        }
        else
        {
            # child
            exec("/usr/bin/openssl",
                qw(req -new -key),
                $key,
                qw(-sha1 -x509 -days), KEYLIFEINDAYS,
                qw(-set_serial), time(),
                )
                    || die "can't exec program: $!";
            # NOTREACHED
        }
    }
    while (<SSL>)
    {
        $OUT .= $_;
    }
    close(SSL) or die "Closing openssl pipe reported: $!";
    chdir $here;
}
[root@hpserver ~]#
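To make the fault in the fragment above checkable before running signal-event, here is an added Python example (not SME Server code and not from the thread): it validates the KEYLIFEINDAYS value of a custom ssl.crt fragment, and re-implements the template's keep-or-regenerate decision (more than two days left AND matching issuer) so the logic can be tested offline. The two fragments, the value 1825 and the clock NOW are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed fragments: the first reproduces the fault in the thread (no value), the second a fixed one.
BROKEN_FRAGMENT = "{\n    use constant KEYLIFEINDAYS => ;\n    use Date::Parse;\n}\n"
FIXED_FRAGMENT = "{\n    use constant KEYLIFEINDAYS => 1825;\n    use Date::Parse;\n}\n"
# Constructed clock so the expiry arithmetic below is reproducible.
NOW = datetime(2014, 3, 4, 12, 0, 0, tzinfo=timezone.utc)

KEYLIFE_RE = re.compile(r"use\s+constant\s+KEYLIFEINDAYS\s*=>\s*([^;]*);")


def check_keylifeindays(fragment):
    """Pre-flight for the custom template: returns (ok, message). A missing, non-numeric
    or non-positive value is rejected, because it leaves 'openssl req -days' without an argument."""
    m = KEYLIFE_RE.search(fragment)
    if not m:
        return False, "no KEYLIFEINDAYS constant found"
    value = m.group(1).strip()
    if not value.isdigit() or int(value) <= 0:
        return False, "KEYLIFEINDAYS is %r, expected a positive number of days" % value
    return True, "KEYLIFEINDAYS=%s" % value


def expected_issuer(city, company, department, common_name, email):
    """Rebuild the issuer string the template compares against, with its X.509 length crops."""
    city, company, department = city[:128], company[:64], department[:64]
    common_name, email = common_name[:64], email[:64]
    issuer = "/C=--/ST=----"
    issuer += "/L=" + (city or "Newbury")
    issuer += "/O=" + (company or "My Company Ltd")
    if department:
        issuer += "/OU=" + department
    return issuer + "/CN=" + common_name + "/emailAddress=" + email


def ttl_days(not_after, now=NOW):
    """Days left from an 'openssl x509 -enddate -noout' line such as
    'notAfter=Mar  4 12:00:00 2019 GMT'; negative once the certificate has expired."""
    stamp = not_after.strip().replace("notAfter=", "", 1)
    expire = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (expire - now).total_seconds() / 86400


def needs_regeneration(not_after, issuer, expected, now=NOW):
    """The template keeps the existing certificate only if it has more than two days
    left AND its issuer matches; anything else makes it mint a new self-signed one."""
    return not (ttl_days(not_after, now) > 2 and issuer == expected)
```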

Offline antdickens

Re: certificate problem now no access to server-manager
« Reply #4 on: March 04, 2014, 04:07:40 PM »
** Problem Solved **

I put in a value for KEYLIFEINDAYS and re-typed the commands, and everything is back as it should be.


Thanks very much