We saw this in \/opt\/IBM\/HTTPServer\/logs\/error.log yesterday: –<\/p>\n
[Mon Jan 23 14:23:25 2012] [notice] Using config file \/opt\/IBM\/HTTPServer\/conf\/httpd.conf
\n[Mon Jan 23 14:23:25 2012] [debug] mod_mpmstats.c(189): mpmstats daemon started (pid 4775)
\n[Mon Jan 23 14:23:25 2012] [notice] IBM_HTTP_Server\/7.0.0.17 (Unix) configured — resuming normal operations
\n[Mon Jan 23 14:23:25 2012] [info] Server built: Mar 7 2011 15:49:28
\n[Mon Jan 23 14:23:25 2012] [debug] worker.c(1859): AcceptMutex: sysvsem (default: sysvsem)
\n[Mon Jan 23 14:23:25 2012] [notice] Core file limit is 0; core dumps will be not be written for server crashes
\n[Mon Jan 23 14:23:28 2012] [error] server is within MinSpareThreads of MaxClients, consider raising the MaxClients setting
\n[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778180] [5576] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2974 -> 11.125.26.19:443] [14:23:55.000312000]
\n[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778230] [5394] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2976 -> 11.125.26.19:443] [14:23:55.000472317]<\/p>\n
This took me a while to crack, but I eventually realised (!) that the self-signed certificates that we use in our IHS servers ( this is a NON-production environment ) had expired.<\/p>\n
This was how I cracked it: –<\/p>\n
$ cd \/opt\/IBM\/HTTPServer\/bin<\/p>\n
# List the certificates in use<\/p>\n
$ .\/gsk7cmd -cert -list -db \/opt\/IBM\/HTTPServer\/ssl\/key.kdb -pw passw0rd<\/p>\n
Certificates in database \/opt\/IBM\/HTTPServer\/ssl\/key.kdb:
\n SelfSignedCert
\n Thawte Personal Basic CA
\n Thawte Personal Freemail CA
\n Thawte Personal Premium CA
\n Thawte Premium Server CA
\n Thawte Server CA
\n Verisign Class 1 Public Primary Certification Authority
\n Verisign Class 1 Public Primary Certification Authority – G2
\n Verisign Class 2 Public Primary Certification Authority
\n Verisign Class 2 Public Primary Certification Authority – G2
\n Verisign Class 3 Public Primary Certification Authority
\n Verisign Class 3 Public Primary Certification Authority – G2<\/p>\n
# Display the contents of the SelfSignedCert<\/p>\n
$ .\/gsk7cmd -cert -details -db \/opt\/IBM\/HTTPServer\/ssl\/key.kdb -pw passw0rd -label SelfSignedCert<\/p>\n
Label: SelfSignedCert
\nKey Size: 1024
\nVersion: X509 V3
\nSerial Number: 4D 39 7C B4
\nIssued by: CN=www.connections.foobar.com, O=FOOBAR, C=COM
\nSubject: CN=www.connections.foobar.com, O=FOOBAR, C=COM
\nValid: From: Thursday, 20 January 2011 12:31:48 o’clock GMT To: Saturday, 21 January 2012 12:31:48 o’clock GMT
\nFingerprint: F9:D3:44:F1:81:26:37:90:51:A0:A5:14:79:9D:B8:14:AA:6B:3F:16
\nSignature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
\nTrust Status: enabled<\/p>\n
# Delete the old, expired certificate<\/p>\n
$ .\/gsk7capicmd -cert -delete -db \/opt\/IBM\/HTTPServer\/ssl\/key.kdb -pw passw0rd -label SelfSignedCert<\/p>\n
# Create a new SelfSignedCert<\/p>\n
$ .\/gsk7capicmd -cert -create -db \/opt\/IBM\/HTTPServer\/ssl\/key.kdb -pw passw0rd -label SelfSignedCert -size 1024 -expire 365 -dn “CN=www.connections.foobar.com,O=FOOBAR,C=COM” -x509version 3<\/p>\n
# Set the new certificate to be the server’s default<\/p>\n
$ .\/gsk7capicmd -cert -setdefault -db \/opt\/IBM\/HTTPServer\/ssl\/key.kdb -pw passw0rd -label SelfSignedCert<\/p>\n","protected":false},"excerpt":{"rendered":"
We saw this in \/opt\/IBM\/HTTPServer\/logs\/error.log yesterday: –<\/p>\n
[Mon Jan 23 14:23:25 2012] [notice] Using config file \/opt\/IBM\/HTTPServer\/conf\/httpd.conf [Mon Jan 23 14:23:25 2012] [debug] mod_mpmstats.c(189): mpmstats daemon started (pid 4775) [Mon Jan 23 14:23:25 2012] [notice] IBM_HTTP_Server\/7.0.0.17 (Unix) configured — resuming normal operations [Mon Jan 23 14:23:25 2012] [info] Server built: Mar 7 2011 15:49:28 [Mon […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3365"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3365"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3365\/revisions"}],"predecessor-version":[{"id":3366,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3365\/revisions\/3366"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}