Koozali.org: home of the SME Server

[SOLVED] SEC_ERROR_REVOKED_CERTIFICATE

Offline jameswilson

[SOLVED] SEC_ERROR_REVOKED_CERTIFICATE
« on: April 10, 2017, 11:31:06 AM »
This morning people have been reporting they can't send email.

Thunderbird is reporting an unknown error.
When connecting to server manager I get the SEC_ERROR_REVOKED_CERTIFICATE error and cannot connect. I assume this is the issue.

I've performed a reboot too.

I assume I need to regenerate the certificate but I can't find the command to do this?

James
« Last Edit: April 10, 2017, 12:52:25 PM by jameswilson »

Offline Stefano

Re: SEC_ERROR_REVOKED_CERTIFICATE
« Reply #1 on: April 10, 2017, 12:01:07 PM »
well.. did you log in as root and check your logs?

are you using letsencrypt? any other paid SSL cert? standard/self signed one?

Offline jameswilson

Re: SEC_ERROR_REVOKED_CERTIFICATE
« Reply #2 on: April 10, 2017, 12:20:02 PM »
No, just using the self-signed cert

Quote
rm /home/e-smith/ssl.{crt,key,pem}/*
config delprop modSSL CommonName
config delprop modSSL crt
config delprop modSSL key
signal-event post-upgrade
signal-event reboot

I found the above in the manual but now Apache won't start

Quote
Syntax error on line 133 of /etc/httpd/conf/httpd.conf:
SSLCertificateChainFile: file '/home/e-smith/ssl.crt/GlobalSign.crt' does not exist or is empty

Offline jameswilson

Re: SEC_ERROR_REVOKED_CERTIFICATE
« Reply #3 on: April 10, 2017, 12:22:22 PM »
Thinking about it, this server used to have a commercial certificate for an ecom site I used to host on it. But this was moved onto paid hosting some 4 years ago.

Offline Stefano

Re: SEC_ERROR_REVOKED_CERTIFICATE
« Reply #4 on: April 10, 2017, 12:22:31 PM »
is GlobalSign your domain? I don't think so

crt file should look like FQDN.crt

are you sure you're not using any kind of customization?

Offline Stefano

Re: SEC_ERROR_REVOKED_CERTIFICATE
« Reply #5 on: April 10, 2017, 12:24:23 PM »
Quote
Thinking about it, this server used to have a commercial certificate for an ecom site I used to host on it. But this was moved onto paid hosting some 4 years ago.


mid air collision :-)

well,
Code:
config show modSSL

and
Code:
/sbin/e-smith/audittools/templates

Offline jameswilson

Re: SEC_ERROR_REVOKED_CERTIFICATE
« Reply #6 on: April 10, 2017, 12:33:45 PM »
No, I think they provided the SSL cert. It was originally done on an SME 7 server years ago.

I have restored that crt file from a backup and apache is now working. But

Quote
config show modSSL
modSSL=service
    CertificateChainFile=/home/e-smith/ssl.crt/GlobalSign.crt
    SSLCACertificateFile=/home/e-smith/ssl.crt/evcert11/gs-root.pem
    SSLCertificateChainFile=/home/e-smith/ssl.crt/evcert11/intermediate.pem
    SSLCertificateFile=/home/e-smith/ssl.crt/evcert11/smebox.securitywarehouse.crt
    SSSLCACertificateFile=/home/e-smith/ssl.crt/evcert11/gs-root.pem
    TCPPort=443
    access=public
    cafile=/home/e-smith/ssl.pem/smebox.securitywarehouse.co.uk.pem
    status=enabled
[root@smebox ssl.crt]#

Quote
[root@smebox ssl.crt]# /sbin/e-smith/audittools/templates
/etc/e-smith/templates-custom/etc/modules.conf/10i2c: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/95AddType00PHP2ibays: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/80zabbix: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/50DirectoryIndex00: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/93phpBB: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/85SogoAccess: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/php.ini/90EacceleratorSettings: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/php.ini/70DynamixExtension90Eaccelerator: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/hosts.allow/sshd: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/etc/sysctl.conf/kernel.shm: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/clamd.conf/25OLE2BlockMacros: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/php5.ini/70DateTime: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/home/e-smith/ssl.crt: MANUALLY_ADDED, OVERRIDE


Offline Stefano

Re: SEC_ERROR_REVOKED_CERTIFICATE
« Reply #7 on: April 10, 2017, 12:39:29 PM »
so you're definitely using a 3rd party cert, not the self-signed one..

I'd take a look at
Code:
/etc/e-smith/templates-custom/home/e-smith/ssl.crt: MANUALLY_ADDED, OVERRIDE

if you just want to use your self signed cert:
Code:
config delete modSSL
/etc/e-smith/events/actions/initialize-default-databases
signal-event post-upgrade
signal-event reboot
if you need a valid cert, take a look at letsencrypt
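
Added example, not part of the thread or of the SME Server tooling: the diagnosis above came from reading the file paths in the `config show modSSL` output. This sketch lists every modSSL property that points at a file, flags missing or empty ones, and prints subject, issuer and expiry for those present. The function names `modssl_paths` and `audit_modssl` are hypothetical, and the sample input is abridged from the output quoted in Reply #6.

```shell
#!/bin/sh
# Audit the certificate files referenced by modSSL properties.
# Input: the text printed by `config show modSSL`, on stdin.

# Print "property path" for every property whose value is an absolute path.
modssl_paths() {
    awk -F= '/^[ \t]+[A-Za-z]+=\// {
        sub(/^[ \t]+/, "", $1)
        print $1 " " $2
    }'
}

# Report each referenced file as MISSING (absent or empty) or PRESENT;
# for present files show who the certificate is for, who issued it,
# and when it expires.
audit_modssl() {
    modssl_paths | while read -r prop path; do
        if [ ! -s "$path" ]; then
            echo "MISSING  $prop -> $path"
            continue
        fi
        echo "PRESENT  $prop -> $path"
        if command -v openssl >/dev/null 2>&1; then
            openssl x509 -in "$path" -noout -subject -issuer -enddate 2>/dev/null \
                | sed 's/^/         /'
        fi
    done
}

# Sample input, abridged from the output quoted in this thread.
SAMPLE='modSSL=service
    CertificateChainFile=/home/e-smith/ssl.crt/GlobalSign.crt
    SSLCertificateFile=/home/e-smith/ssl.crt/evcert11/smebox.securitywarehouse.crt
    TCPPort=443
    access=public
    status=enabled'

# Demonstration on the sample; on the server itself run:
#   config show modSSL | audit_modssl
printf '%s\n' "$SAMPLE" | audit_modssl
```

A property that names an issuer other than the server's own hostname, or a file that no longer exists, is the sign of a leftover third-party certificate configuration like the one found here.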

Offline jameswilson

Re: SEC_ERROR_REVOKED_CERTIFICATE
« Reply #8 on: April 10, 2017, 12:52:06 PM »
Brilliant, thanks

Offline DanB35

Re: SEC_ERROR_REVOKED_CERTIFICATE
« Reply #9 on: April 10, 2017, 09:27:42 PM »
Quote
if you need a valid cert, take a look at letsencrypt
Indeed.  https://wiki.contribs.org/Letsencrypt