IBM HTTP Server – SSL Certification Expiration Situation

We saw this in /opt/IBM/HTTPServer/logs/error.log yesterday:

[Mon Jan 23 14:23:25 2012] [notice] Using config file /opt/IBM/HTTPServer/conf/httpd.conf
[Mon Jan 23 14:23:25 2012] [debug] mod_mpmstats.c(189): mpmstats daemon started (pid 4775)
[Mon Jan 23 14:23:25 2012] [notice] IBM_HTTP_Server/7.0.0.17 (Unix) configured -- resuming normal operations
[Mon Jan 23 14:23:25 2012] [info] Server built: Mar 7 2011 15:49:28
[Mon Jan 23 14:23:25 2012] [debug] worker.c(1859): AcceptMutex: sysvsem (default: sysvsem)
[Mon Jan 23 14:23:25 2012] [notice] Core file limit is 0; core dumps will be not be written for server crashes
[Mon Jan 23 14:23:28 2012] [error] server is within MinSpareThreads of MaxClients, consider raising the MaxClients setting
[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778180] [5576] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2974 -> 11.125.26.19:443] [14:23:55.000312000]
[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778230] [5394] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2976 -> 11.125.26.19:443] [14:23:55.000472317]

This took me a while to crack, but I eventually realised (!) that the self-signed certificates that we use in our IHS servers (this is a NON-production environment) had expired.

This was how I cracked it:

$ cd /opt/IBM/HTTPServer/bin

# List the certificates in use

$ ./gsk7cmd -cert -list -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd

Certificates in database /opt/IBM/HTTPServer/ssl/key.kdb:
SelfSignedCert
Thawte Personal Basic CA
Thawte Personal Freemail CA
Thawte Personal Premium CA
Thawte Premium Server CA
Thawte Server CA
Verisign Class 1 Public Primary Certification Authority
Verisign Class 1 Public Primary Certification Authority - G2
Verisign Class 2 Public Primary Certification Authority
Verisign Class 2 Public Primary Certification Authority - G2
Verisign Class 3 Public Primary Certification Authority
Verisign Class 3 Public Primary Certification Authority - G2

# Display the contents of the SelfSignedCert

$ ./gsk7cmd -cert -details -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert

Label: SelfSignedCert
Key Size: 1024
Version: X509 V3
Serial Number: 4D 39 7C B4
Issued by: CN=www.connections.foobar.com, O=FOOBAR, C=COM
Subject: CN=www.connections.foobar.com, O=FOOBAR, C=COM
Valid: From: Thursday, 20 January 2011 12:31:48 o'clock GMT To: Saturday, 21 January 2012 12:31:48 o'clock GMT
Fingerprint: F9:D3:44:F1:81:26:37:90:51:A0:A5:14:79:9D:B8:14:AA:6B:3F:16
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled

# Delete the old, expired certificate

$ ./gsk7capicmd -cert -delete -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert

# Create a new SelfSignedCert

$ ./gsk7capicmd -cert -create -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert -size 1024 -expire 365 -dn "CN=www.connections.foobar.com,O=FOOBAR,C=COM" -x509version 3

# Set the new certificate to be the server’s default

$ ./gsk7capicmd -cert -setdefault -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert
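The two checks done by hand above (read the validity window out of gsk7cmd -cert -details, and correlate it with the SSL0221E handshake failures in error.log) as a small Python monitor. This is an added example, not code from the original post or from IBM; it assumes the two output formats exactly as quoted above, the sample details text and log lines are constructed from the post's own output, and the thresholds and weak-parameter checks are the example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the gsk7cmd -cert -details output quoted in the post.
SAMPLE_DETAILS = """\
Label: SelfSignedCert
Key Size: 1024
Version: X509 V3
Serial Number: 4D 39 7C B4
Issued by: CN=www.connections.foobar.com, O=FOOBAR, C=COM
Subject: CN=www.connections.foobar.com, O=FOOBAR, C=COM
Valid: From: Thursday, 20 January 2011 12:31:48 o'clock GMT To: Saturday, 21 January 2012 12:31:48 o'clock GMT
Fingerprint: F9:D3:44:F1:81:26:37:90:51:A0:A5:14:79:9D:B8:14:AA:6B:3F:16
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled
"""

# Constructed sample: error.log lines in the format the post shows (the third
# client is invented to show per-client aggregation).
SAMPLE_LOG = """\
[Mon Jan 23 14:23:25 2012] [notice] Using config file /opt/IBM/HTTPServer/conf/httpd.conf
[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778180] [5576] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2974 -> 11.125.26.19:443] [14:23:55.000312000]
[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778230] [5394] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2976 -> 11.125.26.19:443] [14:23:55.000472317]
[Mon Jan 23 14:24:01 2012] [error] [client 10.150.190.218] [9778231] [5395] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.218:3001 -> 11.125.26.19:443] [14:24:01.000100000]
"""

GSK_DATE_FMT = "%A, %d %B %Y %H:%M:%S"   # "Saturday, 21 January 2012 12:31:48"
LOG_DATE_FMT = "%a %b %d %H:%M:%S %Y"     # "Mon Jan 23 14:23:55 2012"

# "o.clock" tolerates both the straight and the curly apostrophe gsk7cmd may print.
VALID_RE = re.compile(r"^Valid: From: (.+?) o.clock GMT To: (.+?) o.clock GMT", re.M)
FIELD_RE = re.compile(r"^(Label|Key Size|Signature Algorithm): (.+)$", re.M)
SSL_ERR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] .*?"
    r"(?P<code>SSL\d{4}[EW]): .*?\[(?P<src>[0-9.]+:\d+) -> (?P<dst>[0-9.]+:\d+)\]"
)


def utc(iso_text):
    """Helper: turn '2012-01-23T14:23:55' into an aware UTC datetime."""
    return datetime.fromisoformat(iso_text).replace(tzinfo=timezone.utc)


def parse_gsk_date(text):
    """Parse the GMT timestamps gsk7cmd prints into an aware UTC datetime."""
    return datetime.strptime(text, GSK_DATE_FMT).replace(tzinfo=timezone.utc)


def certificate_status(details, now, warn_days=30):
    """Classify a certificate from its gsk7cmd -details text as not_yet_valid,
    expired, expiring (within warn_days) or ok, and flag weak parameters."""
    fields = dict(FIELD_RE.findall(details))
    m = VALID_RE.search(details)
    if m is None:
        raise ValueError("no 'Valid: From ... To ...' line in details output")
    not_before, not_after = parse_gsk_date(m.group(1)), parse_gsk_date(m.group(2))
    if now < not_before:
        state = "not_yet_valid"
    elif now > not_after:
        state = "expired"
    elif not_after - now <= timedelta(days=warn_days):
        state = "expiring"
    else:
        state = "ok"
    warnings = []
    if fields.get("Signature Algorithm", "").startswith("MD5"):
        warnings.append("MD5 signature: rejected by modern TLS clients")
    if int(fields.get("Key Size", "0")) < 2048:
        warnings.append("RSA key shorter than 2048 bits")
    return {"label": fields.get("Label"), "state": state,
            "not_after": not_after, "days_remaining": (not_after - now).days,
            "warnings": warnings}


def handshake_failures(log_text, code="SSL0221E"):
    """Count SSL handshake failures per client IP, with first/last timestamps,
    so the moment the expiry started biting can be dated from the log."""
    seen = {}
    for line in log_text.splitlines():
        m = SSL_ERR_RE.match(line)
        if not m or m.group("code") != code:
            continue
        ts = datetime.strptime(m.group("ts"), LOG_DATE_FMT)
        entry = seen.setdefault(m.group("ip"), {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return seen


if __name__ == "__main__":
    status = certificate_status(SAMPLE_DETAILS, utc("2012-01-23T14:23:55"))
    print(f"{status['label']}: {status['state']} ({status['days_remaining']} days), "
          f"warnings={status['warnings']}")
    for ip, e in handshake_failures(SAMPLE_LOG).items():
        print(f"{ip}: {e['count']} SSL0221E failures between {e['first']} and {e['last']}")
```

Run against live data, the details text comes from `gsk7cmd -cert -details ... -label <label>` for each label in `-cert -list`, and the log text from error.log; a cron job that exits non-zero on "expiring" gives the warning the post's server never got. The weak-parameter flags are worth acting on at renewal time: the certificate above is signed with MD5withRSA and has a 1024-bit key, and re-creating it with the same `-size 1024` (and gsk7capicmd's default signature algorithm) carries both forward, so use `-size 2048` and a SHA-2 `-sigalg` where the installed GSKit supports them.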
