SSL Cert Errors

Have you ever thought you fixed something, only to find out later that you didn't? Well, that happened with an SSL cert for a site I manage, and thankfully nothing bad has happened.
This did lead me to find two commands that I found super useful.
First, for a CSR:
$ openssl req -noout -text -in example.csr | grep 'Signature Algorithm'
Second, for an issued certificate:
$ openssl x509 -noout -text -in example.crt | grep 'Signature Algorithm'
I used these to determine that I was not using SHA-256 on my certs.
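Here is a small POSIX sh helper, added here and not part of the original post, that wraps those two commands and turns the "Signature Algorithm" line into an ok/weak verdict so a deploy script can refuse SHA-1 signed material before it reaches the server. The constructed sample dumps at the bottom are abbreviated, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): classify the signature
# algorithm that "openssl x509 -noout -text" or "openssl req -noout -text"
# reports, so a deploy script can refuse SHA-1 (or MD5) signed material.

# Extract the algorithm name(s) from openssl text output on stdin.
# A certificate dump lists "Signature Algorithm:" twice (once in the TBS
# body and again before the signature bytes), so de-duplicate.
sig_algs() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | sort -u
}

# Print one word: "ok" if every reported algorithm is SHA-2 based,
# "weak" if any SHA-1/MD5 algorithm (or anything not on the allowlist)
# appears, "none" if no algorithm line was found.
sig_alg_status() {
    algs=$(sig_algs)
    [ -n "$algs" ] || { echo none; return 0; }
    for a in $algs; do
        case "$a" in
            sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
            ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
            *) echo weak; return 0 ;;
        esac
    done
    echo ok
}

# Wrappers around the two commands from the post (need openssl on PATH).
check_cert_file() { openssl x509 -noout -text -in "$1" | sig_alg_status; }
check_csr_file()  { openssl req  -noout -text -in "$1" | sig_alg_status; }

# Constructed sample output (abbreviated), not real certificates:
SAMPLE_SHA1='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption
         0a:1b:2c'
SAMPLE_SHA256='Certificate:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption'

printf '%s\n' "$SAMPLE_SHA1"   | sig_alg_status   # prints: weak
printf '%s\n' "$SAMPLE_SHA256" | sig_alg_status   # prints: ok
```

To check a real file, call check_cert_file example.crt or check_csr_file example.csr; a "weak" verdict means the cert still carries a SHA-1 signature and needs reissuing.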

The story today started with me wanting to migrate to Let's Encrypt. As I was testing in my staging server environment, I was having update issues trying to get the EFF certbot working. I think this has more to do with running Ubuntu 11.10 than anything else. So I started to look into what was up with my old certs and why it was reporting bad signing.
Then more fun happened.
I loaded the SHA-256 certs I thought I had previously loaded, and the server would not come up. CRAP! I rebooted, then rolled back the changes, and the server came back up. This is when I knew I would need to have my certs reissued. So I regenerated my key and CSR and went through the reissue process.

This will not be the end of this story, as the rewrite I am working on is for this server. I will move to Let's Encrypt when we push the new base to production, but for now I am using what I have.
