I have 2 AWS CentOS machines behind a load balancer. They are both spun up from the same AMI image and they both have the same contents in the /etc/pki directories. They have the same Apache config files, yet when I run this command
openssl s_client -connect app.eventstag.com:443 -showcerts < /dev/null
on one server I get this response saying the certificate has expired:
[ec2-user@ip-10-0-1-229 ~]$ openssl s_client -connect app.eventstag.com:443 -showcerts < /dev/null
CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-175-109, emailAddress = root@ip-10-35-175-109
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-175-109, emailAddress = root@ip-10-35-175-109
verify error:num=10:certificate has expired
notAfter=Oct 2 15:00:28 2014 GMT
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-175-109, emailAddress = root@ip-10-35-175-109
notAfter=Oct 2 15:00:28 2014 GMT
verify return:1
---
Certificate chain
0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-175-109/emailAddress=root@ip-10-35-175-109
i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-175-109/emailAddress=root@ip-10-35-175-109
-----BEGIN CERTIFICATE-----
MIIDKzCCAp ... etc ... FnTU0pdDnlA9o9U=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-175-109/emailAddress=root@ip-10-35-175-109
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-175-109/emailAddress=root@ip-10-35-175-109
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1378 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 4E... etc ... 9FC
Session-ID-ctx:
Master-Key: B463... etc ... EE28
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 64 d6 ae 1a e2 bb d4 98-67 c0 96 a9 7b 00 85 a7 d.......g...{...
... etc ...
00b0 - 20 b4 ce b8 2e b3 a3 60-87 c1 f2 52 3d 8a ee 9b ......`...R=...
Start Time: 1523527409
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
DONE
And on the 2nd server, with exactly the same command, I get this result, which says the certificate is OK:
[ec2-user@ip-10-0-1-213 ~]$ openssl s_client -connect app.eventstag.com:443 -showcerts < /dev/null
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.eventstag.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.eventstag.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIF ... etc ... xIg=
-----END CERTIFICATE-----
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIE ... etc ... 8BDAB
-----END CERTIFICATE-----
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIE ... etc ... jDCm
rw==
-----END CERTIFICATE-----
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIE ... etc ... /bvZ8=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.eventstag.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5267 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: B8 ... etc ... 1CB
Session-ID-ctx:
Master-Key: B4 ... etc ... 5F0D
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1523535812
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
The certificate, when viewed in a browser, is also fine. It looks like the 1st server is trying to use a self-signed certificate created a long time ago, but I don't know where or why it is using it, or how to change it.
It turned out that on one of the servers my entry was pointing at itself, whereas the other server had it. This means that the server that was working was pointing at the certificate on the load balancer, while the other server was going directly to localhost, where the certificate was not configured correctly.
See /etc/httpd/conf.d/ssl.conf and the configuration for app.eventstag.com for the SSL configuration directives. On AWS these should point to /etc/pki by default:
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
However, if this has been changed, the certificate and key may be stored somewhere else, which makes the contents of /etc/pki irrelevant.
If you are not sure where this is configured, let the output of sudo apachectl -S help you: it shows the file and the line at which the relevant configuration begins, e.g.
*:443 is a NameVirtualHost
default server example.com (/etc/path/to/file.conf:line)
port 443 namevhost app.example.com (/etc/path/to/file.conf:line)
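As an added example (not code from the question or from either answer), the following Python script ties the two diagnostics in this thread together. It parses an openssl s_client -showcerts transcript into the facts that matter (verify return code, leaf subject and issuer, notAfter, chain length, key size) and flags exactly the conditions visible on the first server; for the apachectl -S step in the answer it lists which SSLCertificateFile each <VirtualHost> in a config serves; and, following the asker's own finding, it reports whether /etc/hosts pins the hostname to loopback instead of letting DNS send it to the load balancer. The two transcripts are abridged copies of the outputs above; the Apache config, the eventstag.crt/.key paths and the /etc/hosts content are constructed samples, and triage(), parse_s_client(), cn_matches(), vhost_cert_files() and hosts_file_addresses() are names chosen here.

```python
# Added triage helpers for the two things this thread turns on: reading an
# `openssl s_client` transcript, and finding which certificate Apache and
# /etc/hosts actually steer a request to.  Standard library only.
import re
from datetime import datetime, timezone

# Constructed: first server's transcript, abridged to the lines parsed below.
SAMPLE_BAD = """\
verify error:num=10:certificate has expired
notAfter=Oct  2 15:00:28 2014 GMT
 0 s:/C=--/O=SomeOrganization/CN=ip-10-35-175-109/emailAddress=root@ip-10-35-175-109
subject=/C=--/O=SomeOrganization/CN=ip-10-35-175-109/emailAddress=root@ip-10-35-175-109
issuer=/C=--/O=SomeOrganization/CN=ip-10-35-175-109/emailAddress=root@ip-10-35-175-109
Server public key is 1024 bit
    Verify return code: 10 (certificate has expired)
"""
# Constructed: second server's transcript, abridged the same way.
SAMPLE_OK = """\
 0 s:/OU=Domain Control Validated/CN=*.eventstag.com
 1 s:/C=US/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certificate Authority - G2
 2 s:/C=US/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
subject=/OU=Domain Control Validated/CN=*.eventstag.com
issuer=/C=US/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certificate Authority - G2
Server public key is 2048 bit
    Verify return code: 0 (ok)
"""
# Constructed Apache config: the stock ssl.conf default vhost plus a named
# vhost for the app (the eventstag.crt/.key paths are hypothetical).
CONF_SAMPLE = """\
<VirtualHost _default_:443>
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
<VirtualHost *:443>
    ServerName app.eventstag.com
    SSLCertificateFile /etc/pki/tls/certs/eventstag.crt
    SSLCertificateKeyFile /etc/pki/tls/private/eventstag.key
</VirtualHost>
"""
# Constructed /etc/hosts that pins the app hostname to loopback.
HOSTS_SAMPLE = "127.0.0.1   localhost app.eventstag.com\n10.0.1.10   db  # comment\n"

def _first(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1).strip() if m else None

def parse_s_client(output, now=None):
    """Pull the verdict-relevant facts out of an s_client transcript."""
    subject, issuer = _first(r"^subject=(.*)$", output), _first(r"^issuer=(.*)$", output)
    not_after = _first(r"^notAfter=(.*)$", output)  # printed only when validity failed
    expired = None
    if not_after:
        exp = datetime.strptime(" ".join(not_after.split()), "%b %d %H:%M:%S %Y GMT")
        expired = exp.replace(tzinfo=timezone.utc) < (now or datetime.now(timezone.utc))
    return {"verify_code": int(_first(r"Verify return code: (\d+)", output) or -1),
            "subject_cn": _first(r"/CN=([^/]+)", subject or ""),
            "self_signed": subject is not None and subject == issuer,
            "chain_length": len(re.findall(r"^\s*\d+ s:", output, re.M)),
            "key_bits": int(_first(r"Server public key is (\d+) bit", output) or 0),
            "expired": expired}

def cn_matches(cn, hostname):
    """Single-label wildcard match as browsers apply it (case-insensitive)."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):  # "*.eventstag.com" covers app.eventstag.com, not a.b.eventstag.com
        return hostname.endswith(cn[1:]) and "." not in hostname[: -len(cn[1:])]
    return cn == hostname

def triage(output, expected_host, now=None):
    """Problems a monitor should raise for this endpoint (empty list = healthy)."""
    i, problems = parse_s_client(output, now), []
    if i["verify_code"] != 0:
        problems.append(f"verify code {i['verify_code']}")
    if i["self_signed"]:
        problems.append("self-signed")
    if i["expired"]:
        problems.append("expired")
    if i["subject_cn"] and not cn_matches(i["subject_cn"], expected_host):
        problems.append(f"CN {i['subject_cn']} does not match {expected_host}")
    if 0 < i["key_bits"] < 2048:
        problems.append(f"{i['key_bits']}-bit key")
    return problems

def vhost_cert_files(config_text):
    """Which cert/key each <VirtualHost> serves; compare with `apachectl -S`."""
    blocks = re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", config_text, re.S | re.I)
    return [{"vhost": m.group(1).strip(),
             **{k: _first(rf"^\s*{k}\s+(\S+)", m.group(2))
                for k in ("ServerName", "SSLCertificateFile", "SSLCertificateKeyFile")}}
            for m in blocks]

def hosts_file_addresses(hosts_text, hostname):
    """Addresses /etc/hosts pins `hostname` to; empty means DNS (the LB) decides."""
    rows = (ln.split("#", 1)[0].split() for ln in hosts_text.splitlines())
    return [r[0] for r in rows if len(r) > 1 and hostname.lower() in map(str.lower, r[1:])]
```

Feed triage() a real transcript captured with the command from the question and vhost_cert_files() the files that apachectl -S names; a non-empty problem list on one box and an empty one on its twin, with identical config output, points at a per-host difference such as the /etc/hosts entry the asker eventually found, which is exactly why hosts_file_addresses() is worth running on both machines before touching /etc/pki.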