#1
22nd July 2012, 07:25 PM
pnelsonsr
F16 Server Cert Expired

One of our servers running F16 (we have not gotten around to upgrading it...) started sending the following to root in an email.

Code:
################# SSL Certificate Warning ################

  Certificate for hostname 'server11.<servername>.com', in file (or by nickname):
     /etc/pki/tls/certs/localhost.crt

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

 ##########################################################
 Generated by certwatch(1)

Because it is a self-signed cert you really can not use genkey to renew, so I tried issuing a new self-signed cert with

Code:
grep SSLCertificate /etc/httpd/conf.d/ssl.conf

and grabbed the location of the certs

Code:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Then I checked the permissions of these files with

Code:
la /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key

Then I created the cert with

Code:
openssl req -new -days 365 -x509 -nodes -out /etc/pki/tls/certs/localhost.crt -keyout /etc/pki/tls/private/localhost.key

When prompted I entered

Code:
Generating a 2048 bit RSA private key
..........................................+++
.................+++
writing new private key to '/etc/pki/tls/private/localhost.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:<MyState>
Locality Name (eg, city) [Default City]:<MyCity>
Organization Name (eg, company) [Default Company Ltd]:<MyCompany>
Organizational Unit Name (eg, section) []:<MyDepartment>
Common Name (eg, your name or your server's hostname) []:server11.<servername>.com
Email Address []:<Admin Email>

I then checked the files again with

Code:
la /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key

All looked OK and the new files were there with the right permissions. So all seemed to work out fine but I'm still receiving the cert expiration warning. What am I missing?

#2
20th September 2012, 05:55 PM
pnelsonsr
Re: F16 Server Cert Expired

OK I tried the following:
1. moved old /etc/pki/tls/private/localhost.key to a backup dir
2. moved old /etc/pki/tls/certs/localhost.crt to a backup dir
3. then I used genkey to create a new cert with:

genkey localhost --days 365

I used the recommended size and did not create a CSR
I put in all the cert data when asked and it created the cert files localhost.crt and localhost.key in the places that I moved the old ones out of in steps 1 and 2.
4. I ran certwatch with:

/etc/cron.daily/certwatch

and I did not get the expired email.

So I'm testing this a bit more but I'm hoping that this did the job.

OK so that didn't work either as I got the email this morning stating that the cert has expired. I guess I don't know what is going on here... Anyone have any suggestions?

Last edited by pnelsonsr; 21st September 2012 at 06:30 PM.

#3
21st September 2012, 06:32 PM
pnelsonsr
Re: F16 Server Cert Expired

Should I just turn off certwatch?

#4
2nd February 2013, 12:57 AM
pnelsonsr
Re: F16 Server Cert Expired

I never did come up with a solution to this. No one else seemed to know either. But an upgrade to F17 and then to F18 removed it from being a concern for right now.
Reply With Quote
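
The file checks described in the posts above, carried one step further as an added example that is not part of the original thread: it reads the validity dates openssl reports for a certificate file such as the one named in the certwatch mail, and confirms that the private key beside it belongs to it. The function names and the 30-day default window are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a certificate/key pair such as
#   /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key
# Function names and the 30-day default are assumptions of this example.

# Print subject and validity window (notBefore / notAfter) of a PEM certificate.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -startdate -enddate
}

# Succeed only if the certificate is still valid $2 days from now.
# -checkend takes seconds; an already expired certificate fails for 0 days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed only if certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    from_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ]
}

# Run all checks: check_pair CERT KEY [DAYS]
check_pair() {
    days=${3:-30}
    cert_summary "$1" || return 2
    if ! cert_valid_for_days "$1" "$days"; then
        echo "certificate expires within $days days or has already expired"
        return 1
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "private key does not belong to this certificate"
        return 1
    fi
    echo "certificate is valid for at least $days more days and matches the key"
}

# Usage: sh checkcert.sh CERT KEY [DAYS]
if [ "$#" -ge 2 ]; then
    check_pair "$@"
fi
```

Reading the private key normally requires root, so run it with the same privileges used to create the files.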