Tuesday, 24 January 2012

IBM HTTP Server - SSL Certification Expiration Situation

We saw this in /opt/IBM/HTTPServer/logs/error.log yesterday: -

[Mon Jan 23 14:23:25 2012] [notice] Using config file /opt/IBM/HTTPServer/conf/httpd.conf 
[Mon Jan 23 14:23:25 2012] [debug] mod_mpmstats.c(189): mpmstats daemon started (pid 4775) 
[Mon Jan 23 14:23:25 2012] [notice] IBM_HTTP_Server/7.0.0.17 (Unix) configured -- resuming normal operations 
[Mon Jan 23 14:23:25 2012] [info] Server built: Mar  7 2011 15:49:28
[Mon Jan 23 14:23:25 2012] [debug] worker.c(1859): AcceptMutex: sysvsem (default: sysvsem) 
[Mon Jan 23 14:23:25 2012] [notice] Core file limit is 0; core dumps will be not be written for server crashes 
[Mon Jan 23 14:23:28 2012] [error] server is within MinSpareThreads of MaxClients, consider raising the MaxClients setting
[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778180] [5576] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2974 -> 11.125.26.19:443] [14:23:55.000312000]
[Mon Jan 23 14:23:55 2012] [error] [client 10.150.190.217] [9778230] [5394] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.150.190.217:2976 -> 11.125.26.19:443] [14:23:55.000472317]

This took me a while to crack, but I eventually realised (!) that the self-signed certificates that we use in our IHS servers ( this is a NON-production environment ) had expired.

This was how I cracked it: -

cd /opt/IBM/HTTPServer/bin

# List the certificates in use

./gsk7cmd -cert -list -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd

Certificates in database /opt/IBM/HTTPServer/ssl/key.kdb:
   SelfSignedCert
   Thawte Personal Basic CA
   Thawte Personal Freemail CA
   Thawte Personal Premium CA
   Thawte Premium Server CA
   Thawte Server CA
   Verisign Class 1 Public Primary Certification Authority
   Verisign Class 1 Public Primary Certification Authority - G2
   Verisign Class 2 Public Primary Certification Authority
   Verisign Class 2 Public Primary Certification Authority - G2
   Verisign Class 3 Public Primary Certification Authority
   Verisign Class 3 Public Primary Certification Authority - G2


# Display the contents of the SelfSignedCert

./gsk7cmd -cert -details  -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert

Label: SelfSignedCert
Key Size: 1024
Version: X509 V3
Serial Number: 4D 39 7C B4
Issued by: CN=www.connections.foobar.com, O=FOOBAR, C=COM
Subject: CN=www.connections.foobar.com, O=FOOBAR, C=COM
Valid: From: Thursday, 20 January 2011 12:31:48 o'clock GMT To: Saturday, 21 January 2012 12:31:48 o'clock GMT
Fingerprint: F9:D3:44:F1:81:26:37:90:51:A0:A5:14:79:9D:B8:14:AA:6B:3F:16
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled


# Delete the old, expired certificate

./gsk7capicmd -cert -delete -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert

# Create a new SelfSignedCert

./gsk7capicmd -cert -create -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert -size 1024 -expire 365 -dn "CN=www.connections.foobar.com,O=FOOBAR,C=COM" -x509version 3

# Set the new certificate to be the server's default

./gsk7capicmd -cert -setdefault -db /opt/IBM/HTTPServer/ssl/key.kdb -pw passw0rd -label SelfSignedCert

5 comments:

James Ingram said...

Much appreciated for the tips. I was wondering if there is any way of using the same SSL certification on multiple servers? I am not too fond of the idea of having to purchase yet another one for my other website, thanks in advance!


ssl certificates

Dave Hay said...

@James - not too sure; you'd need to check with the Certificate Authority from whence you obtain your certificates. I'm guessing that they can provide one certificate per fully-qualified hostname e.g. website name, but they may have options for microsites etc. regards, Dave

Karol Nunes said...

Thanks! It helped a lot.

Mo said...

Thank you thank you thank you!

Dave Hay said...

@Mo, no problems, glad to be of assistance, cheers, Dave

Note to self - use kubectl to query images in a pod or deployment

In both cases, we use JSON ... For a deployment, we can do this: - kubectl get deployment foobar --namespace snafu --output jsonpath="{...