[Mon Jan 23 14:23:25 2012] [notice] Using config file /opt/IBM/HTTPServer/conf/httpd.conf
[Mon Jan 23 14:23:25 2012] [debug] mod_mpmstats.c(189): mpmstats daemon started (pid 4775)
[Mon Jan 23 14:23:25 2012] [notice] IBM_HTTP_Server/7.0.0.17 (Unix) configured -- resuming normal operations
[Mon Jan 23 14:23:25 2012] [info] Server built: Mar 7 2011 15:49:28
[Mon Jan 23 14:23:25 2012] [debug] worker.c(1859): AcceptMutex: sysvsem (default: sysvsem)
[Mon Jan 23 14:23:25 2012] [notice] Core file limit is 0; core dumps will be not be written for server crashes
[Mon Jan 23 14:23:28 2012] [error] server is within MinSpareThreads of MaxClients, consider raising the MaxClients setting
[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778180] [5576] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2974 -> 11.125.26.19:443] [14:23:55.000312000]
[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778230] [5394] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2976 -> 11.125.26.19:443] [14:23:55.000472317]
This took me a while to crack, but I eventually realised (!) that the self-signed certificates that we use in our IHS servers ( this is a NON-production environment ) had expired.
This was how I cracked it:
$ cd /opt/IBM/HTTPServer/bin
# List the certificates in use
$ ./gsk7cmd -cert -list -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd
Certificates in database /opt/IBM/HTTPServer/ssl/key.kdb:
SelfSignedCert
Thawte Personal Basic CA
Thawte Personal Freemail CA
Thawte Personal Premium CA
Thawte Premium Server CA
Thawte Server CA
Verisign Class 1 Public Primary Certification Authority
Verisign Class 1 Public Primary Certification Authority - G2
Verisign Class 2 Public Primary Certification Authority
Verisign Class 2 Public Primary Certification Authority - G2
Verisign Class 3 Public Primary Certification Authority
Verisign Class 3 Public Primary Certification Authority - G2
# Display the contents of the SelfSignedCert
$ ./gsk7cmd -cert -details -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert
Label: SelfSignedCert
Key Size: 1024
Version: X509 V3
Serial Number: 4D 39 7C B4
Issued by: CN=www.connections.foobar.com, O=FOOBAR, C=COM
Subject: CN=www.connections.foobar.com, O=FOOBAR, C=COM
Valid: From: Thursday, 20 January 2011 12:31:48 o'clock GMT To: Saturday, 21 January 2012 12:31:48 o'clock GMT
Fingerprint: F9:D3:44:F1:81:26:37:90:51:A0:A5:14:79:9D:B8:14:AA:6B:3F:16
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled
# Delete the old, expired certificate
$ ./gsk7capicmd -cert -delete -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert
# Create a new SelfSignedCert
$ ./gsk7capicmd -cert -create -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert -size 1024 -expire 365 -dn "CN=www.connections.foobar.com,O=FOOBAR,C=COM" -x509version 3
# Set the new certificate to be the server's default
$ ./gsk7capicmd -cert -setdefault -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert
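The two halves of this diagnosis (spotting the SSL0221E lines in error_log, then reading the Valid: line from the gsk7cmd output) are easy to automate so that an expiring key.kdb certificate is caught before clients start failing. The script below is an added example written for this post, not code from the post or from IBM; it assumes the error_log line layout and the gsk7cmd -cert -details layout exactly as quoted above, and the sample log and certificate text embedded in it are constructed (the third client address is invented).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of an IBM HTTP Server error_log, modelled on the lines
# quoted in the post; the 10.150.190.44 client is an invented extra entry.
SAMPLE_ERROR_LOG = """\
[Mon Jan 23 14:23:25 2012] [notice] IBM_HTTP_Server/7.0.0.17 (Unix) configured -- resuming normal operations
[Mon Jan 23 14:23:28 2012] [error] server is within MinSpareThreads of MaxClients, consider raising the MaxClients setting
[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778180] [5576] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2974 -> 11.125.26.19:443] [14:23:55.000312000]
[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778230] [5394] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2976 -> 11.125.26.19:443] [14:23:55.000472317]
[Mon Jan 23 14:24:01 2012] [error] [client 10.150.190.44] [9778301] [5401] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.44:3012 -> 11.125.26.19:443] [14:24:01.000100000]
"""

# Constructed sample of `gsk7cmd -cert -details` output in the post's format.
SAMPLE_CERT_DETAILS = """\
Label: SelfSignedCert
Key Size: 1024
Version: X509 V3
Serial Number: 4D 39 7C B4
Issued by: CN=www.connections.foobar.com, O=FOOBAR, C=COM
Subject: CN=www.connections.foobar.com, O=FOOBAR, C=COM
Valid: From: Thursday, 20 January 2011 12:31:48 o'clock GMT To: Saturday, 21 January 2012 12:31:48 o'clock GMT
Fingerprint: F9:D3:44:F1:81:26:37:90:51:A0:A5:14:79:9D:B8:14:AA:6B:3F:16
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled
"""

# One IHS SSL error line: timestamp, client, optional numeric ids, SSLnnnnX code,
# message text, then the "[src -> dst]" connection pair.
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[\d.]+)\] (?:\[\d+\] )*"
    r"(?P<code>SSL\d{4}[EWI]): (?P<msg>.*?) \[(?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)\]"
)
LOG_TS_FMT = "%a %b %d %H:%M:%S %Y"

# The "Valid:" line of gsk7cmd -cert -details, both dates in GMT.
VALID_LINE = re.compile(r"^Valid: From: (?P<frm>.+?) o'clock GMT To: (?P<to>.+?) o'clock GMT$", re.M)
CERT_TS_FMT = "%A, %d %B %Y %H:%M:%S"


def ssl_handshake_failures(log_text):
    """Return one record per SSLnnnnE line: when, which client, which listener, which code."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            hits.append({
                "time": datetime.strptime(m["ts"], LOG_TS_FMT),
                "code": m["code"], "client": m["client"],
                "dst": m["dst"], "msg": m["msg"],
            })
    return hits


def summarise(hits):
    """Counts by SSL message code and by client address, for a quick triage view."""
    return Counter(h["code"] for h in hits), Counter(h["client"] for h in hits)


def cert_validity(details_text):
    """Parse the notBefore/notAfter pair out of gsk7cmd -cert -details output."""
    m = VALID_LINE.search(details_text)
    if not m:
        raise ValueError("no 'Valid:' line found in gsk7cmd output")
    return datetime.strptime(m["frm"], CERT_TS_FMT), datetime.strptime(m["to"], CERT_TS_FMT)


def check_expiry(details_text, now, warn_days=30):
    """Classify the certificate relative to `now` (a naive GMT datetime).

    Returns (state, days_remaining) where state is one of
    'not-yet-valid', 'expired', 'expiring' (within warn_days) or 'ok'.
    """
    not_before, not_after = cert_validity(details_text)
    remaining = (not_after - now).days
    if now < not_before:
        return "not-yet-valid", remaining
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "expiring", remaining
    return "ok", remaining


def diagnose(log_text, details_text):
    """Tie the two together: if SSL0221E is being logged, was the cert valid at that moment?"""
    hits = [h for h in ssl_handshake_failures(log_text) if h["code"] == "SSL0221E"]
    if not hits:
        return {"ssl0221e": 0, "cert_state": None}
    state, remaining = check_expiry(details_text, hits[0]["time"])
    return {"ssl0221e": len(hits), "cert_state": state, "days_remaining": remaining}


if __name__ == "__main__":
    by_code, by_client = summarise(ssl_handshake_failures(SAMPLE_ERROR_LOG))
    print("by code:", dict(by_code))
    print("by client:", dict(by_client))
    print("diagnosis:", diagnose(SAMPLE_ERROR_LOG, SAMPLE_CERT_DETAILS))
```

Run the same check_expiry() on a schedule against the live gsk7cmd output (the warn_days threshold is an assumption, pick whatever suits your renewal lead time) and the "expiring" state gives you the warning that the post's author did not get; the log half is only needed once handshakes are already failing.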
5 comments:
Much appreciated for the tips. I was wondering if there is any way of using the same SSL certification on multiple servers? I am not too fond of the idea of having to purchase yet another one for my other website, thanks in advance!
@James - not too sure; you'd need to check with the Certificate Authority from whence you obtain your certificates. I'm guessing that they can provide one certificate per fully-qualified hostname e.g. website name, but they may have options for microsites etc. regards, Dave
Thanks! It helped a lot.
Thank you thank you thank you!
@Mo, no problems, glad to be of assistance, cheers, Dave