9 Replies Latest reply: May 26, 2011 8:53 AM by anothersmurf
laynefromchicago Level 1 (0 points)

I get the following from my Snow Leopard server:

The following certificate has expired on your server, layne.local:

        Name: localhost
        Expiration Date: 2011-03-02 03:31:19 -0600

I looked around for how to fix my issue including reading Advanced Server Admin.  It tells me to do this on page 71:

Renewing an Expiring Certificate

Certificates have an expiration date and must be renewed periodically. Renewing a certificate is the same as replacing a certificate with a newly generated one with an updated expiration date.

To renew an expiring certificate:

1 Request a new certificate from the CA.
  If you are your own CA, create one using your own root certificate.
2 In Server Admin in the Server list, select the server that has the expiring certificate.
3 Click Certificates.
4 Select the Certificate Identity to renew.
5 Click the Action button and select “Replace Certificate with Signed or Renewed Certificate.”
6 Drag the renewed certificate to the sheet.
7 Click Replace Certificate.

Replacing an Existing Certificate

If you change the DNS name of the server or any virtual hosts on the server, you must replace an existing certificate with an updated one.

To replace an expiring certificate:

1 Request a certificate from the CA.
  If you are your own CA, create one using your own root certificate.
2 In Server Admin in the Server list, select the server that has the expiring certificate.
3 Click Certificates.
4 Select the Certificate Identity to replace.
5 Click the Action button and select “Replace Certificate with Signed or Renewed Certificate.”
6 Drag the replacement certificate to the sheet.
7 Click Replace Certificate.

I guess I don't know how to create the replacement certificate, and I'm not familiar enough with the certificate process to ask pertinent questions.

I tried to create my own certificate and drag it from the etc/certificates folder to the expired certificate and it said things didn't match.  There are some posts here in the forums, yet they didn't help me any more than RTFM.

Can anyone tell me how to renew an expired certificate?

Thanks.


Mac mini, Mac OS X (10.6.7)
  • pheno Level 1 (5 points)

    Hi,

     

    In Server Admin (Server Settings/Certificates) you can remove and add/create certificates on your server.

    Adding a cert will open a wizard which will guide you through the process, regardless of whether you need a self-signed cert or not.

    Cheers

  • MrHoffman Level 6 (13,275 points)

    The certificate renewal sequence works if you've purchased a commercial certificate or if you're running your own certificate chain.  That the DNS name here is not a public domain name would imply that this is not a commercially-purchased certificate, and given that you're asking the question, you're probably not running your own certificate chain.

     

    In this case, you can create a new self-signed certificate using Certificate Assistant, and load it into the system keychain on the server. 

     

    Launch Keychain, select Certificate Assistant via the menu, and create yourself a self-signed certificate with a matching domain name.

     

    If you're running SSL on any of the services, you'll have to re-select the certificates to your newly-created and newly-loaded self-signed certificate, and restart the services.

     

    Alternatively, you can purchase a commercial certificate, and load that.  (If you're running your own clients or clients you control, you can either purchase the necessary certificates, or you can set up your own certificate root and certificate chain.  The level of security is the same for both commercial and self-generated, so long as the root certificate distribution path is trusted.)

     

    As a somewhat-related discussion to this certificate for this server, that certificate domain name implies there is a DNS configuration error, as well.  Launch Terminal.app and issue the command sudo changeip -checkhostname and see whether the current DNS set-up is valid or if there are corrections needed.  You will need to enter an administrative password for the sudo.

  • laynefromchicago Level 1 (0 points)

    I created a certificate identity "localhost" from the Server Admin.  It's a self-signed root certificate, while the expired "localhost" is a Root certificate authority.

    I clicked "Replace Certificate With Signed Or Renewed Certificate...", then went to /private/etc/certificates and dragged the newly created certificate (.key.pem, .concat.pem, .chain.pem, .cert.pem) onto my expired one and got errors.  Some errors said some files weren't keys, and then one said it does not match the private key.

     

    From MrHoffman:

    In this case, you can create a new self-signed certificate using Certificate Assistant, and load it into the system keychain on the server. 

     

    Launch Keychain, select Certificate Assistant via the menu, and create yourself a self-signed certificate with a matching domain name.

    I have no idea what to type in the fields in the wizard and can't find any documentation on what to do.  The help files explain a lot, yet it's all Greek to me.

     

    Thanks again for any further assistance.

  • MrHoffman Level 6 (13,275 points)

    You can't renew this certificate given the way that it's been created, and this certificate is also effectively junk.  (And given that the domain name here is, well, junk, you could simply ignore the expiration and continue onward with whatever errors arise here, too.)

     

    The host name "localhost" is a generic name of any host on the Internet.  It's the IP analog of "me" in English, and not a specific name of a specific host.  Every host on an IP network will honor "localhost" as a valid name for itself, for instance.

     

    As for the recipe you're asking for: Keychain Access > Certificate Assistant > select Create a Certificate > enter the fully-qualified host name for the server as the name, select self-signed root, select the SSL Server certificate type > OK the self-signed certificate diagnostic to dismiss it > done.

     

    Return to Keychain Access, find the certificate that you've just created in the local keychain (you can select My Certificates to look just at the local certificates), and drag the new certificate over to the system keychain.  Drag the certificate over to the System keychain entry in the left navigation and drop it, enter your admin password, and select Always Trust and enter your admin password again.

     

    Move to Server Admin, and select the particular services that need the certificate replaced, and select the old certificate listed in the typical display, and (when you select the old certificate) scroll to and release the control to select the new certificate.

  • laynefromchicago Level 1 (0 points)

    My guess is the localhost certificate was created when the server was created; as you know, I didn't create it manually.

    I do have a certificate created with my FQDN of the server which expires 7/23/11, so this discussion will be helpful towards that.

    The FQDN cert is a self-signed root cert.  I'll try and follow your outlined steps to get that one renewed.  I actually don't think I'm even using the certificates for anything at this point, so I'm just going to disable the notification until I actually need a certificate if it's not going to hurt anything to have expired certs...

     

    Thanks a lot for all your help.

  • MrHoffman Level 6 (13,275 points)

    You can't renew a self-signed certificate.  You would simply replace it.  

     

    (Well, not without having established a root certificate and the associated certificate chain.  Then you can sign and renew your own certificates.  That's slightly arcane, however.)

  • anothersmurf Level 1 (20 points)

    I followed these instructions (thank you), but am having a new problem. When I check the certificate from another computer (with openssl s_client -connect) I get the message "Verify return code: 21 (unable to verify the first certificate)". Do you know what that means and how I can fix it?

     

    Also I noticed that the certificate I created following your instructions doesn't have, and never prompted me to enter, certain "Subject Name" and "Issuer Name" data which is present in my original (now expired) certificate. Common name and country are the same though. Do other fields matter (organization, state, etc.) and if so how can I set them?

  • MrHoffman Level 6 (13,275 points)

    Please post the command output up to the --BEGIN CERTIFICATE-- stuff.

     

    If you're going to obfuscate your domain, change it (consistently!) to example.com

     

    If you're using DNS in .local, then your DNS is messed up.

     

    If you're using localhost as the name on your certificate, your certificate is invalid.

     

    DNS is fundamental to running Mac OS X Server, and a great huge pile of stuff goes weird and goes sideways when DNS is misconfigured or unstable.

  • anothersmurf Level 1 (20 points)

    Here's everything that comes before Begin Certificate:

     

    CONNECTED(00000003)
    depth=0 /CN=example.com/C=US
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /CN=example.com/C=US
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/CN=example.com/C=US
       i:/CN=example.com/C=US
    ---
    Server certificate

     

    Everything seems to be working fine for clients that were bound to the directory server before the certificate expired. The DNS service isn't running on this server; we use a different DNS server. The old and new certificates both have the same name, example.com (not localhost).
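The following script is an added example, not code from this thread or from Mac OS X Server; it assumes only the openssl command line, and example.com, Illinois and Example Org are constructed values. It ties together three points raised above: why the old identity rejected the freshly generated .pem files (a new key never matches the old one, so a self-signed certificate can only be replaced, not renewed), why openssl s_client reports code 21 for a self-signed leaf until the checking client trusts that certificate, and how to check remaining validity without waiting for the server's expiry notification.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mac OS X Server. Assumes only
# the openssl CLI; example.com and the subject fields are constructed values.
WORK=$(mktemp -d)

# Generate a self-signed SSL server certificate with a fresh key. -subj sets the
# Subject Name fields (C, ST, O, CN) that the Certificate Assistant wizard never asked for.
make_selfsigned() {   # $1 = key path, $2 = cert path, $3 = days valid
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/C=US/ST=Illinois/O=Example Org/CN=example.com" \
        -keyout "$1" -out "$2" >/dev/null 2>&1
}

# Does the certificate's public key belong to this private key? A replacement
# cert generated with a new key can never match the old identity's key, which is
# the "does not match private key" error Server Admin reports.
key_matches_cert() {  # $1 = key, $2 = cert; prints match or mismatch
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# Exit 0 only while the certificate stays valid for at least $2 more days
# (the same check that is behind the "certificate has expired" notification).
valid_for_days() {    # $1 = cert, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Verify as a client that has no trust anchor for the issuer: a self-signed leaf
# always fails here, which is what s_client reports as verify return code 21.
verify_untrusted() {  # $1 = cert
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# The client-side fix: trust the certificate itself as an anchor, the role that
# "Always Trust" in Keychain Access plays on a Mac client.
verify_trusted() {    # $1 = cert
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$1" >/dev/null 2>&1
}

# Demonstration: the old identity, then a replacement that shares no key with it.
make_selfsigned "$WORK/old.key" "$WORK/old.crt" 1
make_selfsigned "$WORK/new.key" "$WORK/new.crt" 365
key_matches_cert "$WORK/old.key" "$WORK/new.crt"   # mismatch
key_matches_cert "$WORK/new.key" "$WORK/new.crt"   # match
```

Installing new.crt as a trust anchor on each client is what turns the code 21 result into a clean verification; a commercial or self-run CA chain avoids that per-client step.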