The certificate for plesk has expired - PROBLEM

[dave@]

 ################# SSL Certificate Warning ################

 Certificate for plesk, in '/etc/httpd/conf/httpd.pem':

  The certificate needs to be renewed; this can be done
  using the 'genkey' program supplied with Red Hat
  Enterprise Linux.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

 ##########################################################
                                  Generated by certwatch(8)

I have already updated the self-signed certificate on my server and my GeoTrust certificate is coming up for renewal in November, so why am I getting these emails everyday? PLESK and all other https connections work fine... Any reccommendations?

 

[jamesyeeoc]

Did you manually verify the date on the /etc/httpd/conf/httpd.pem file? Does it show the new 2005 creation/modification date?

 

[dave@]

Excuse my ignorance, but how do I do that?

 

[jamesyeeoc]

Sorry, I saw you registered in 2001, so I figured you would know this by now. Do you have SSH root access to the server? If so, then connect via SSH, login as root, CD to the directory (cd /etc/httpd/conf) and do: ls -al

 

[dave@]

[root@psa1 conf]# ls -al
total 300
drwxr-xr-x    7 root     root         4096 Aug 30 21:53 .
drwxr-xr-x    4 root     root         4096 Jun 28 21:45 ..
-rw-r--r--    1 root     root        35400 Aug 30 21:53 httpd.conf
-rw-r--r--    1 root     root        35398 May  9 20:30 httpd.conf.save_by_frontpage
-rw-r--r--    1 root     root        35168 Sep 25  2003 httpd.conf.saved_by_psa
-rw-r--r--    1 root     root        35378 Aug 19  2004 httpd.conf.saved_by_psa.11.01;19:26
-rw-r--r--    1 root     root        35394 Nov 23  2004 httpd.conf.saved_by_psa.11.23;20:56
-rw-r--r--    1 root     root        35394 Nov 23  2004 httpd.conf.saved_by_psa.12.09;20:04
-rw-r--r--    1 root     root         9394 Aug 30 21:25 httpd.include
-rw-r--r--    1 root     root         8603 Aug 17 13:59 httpd.include.bak
-rw-r--r--    1 root     root         9394 Aug 30 21:25 httpd.include.new
-r--------    1 root     root         3293 Aug 19  2004 httpd.pem
-rw-r--r--    1 root     root        12959 Feb 25  2005 magic
lrwxrwxrwx    1 root     root           37 Aug 30 18:45 Makefile -> ../../../usr/share/ssl/certs/Makefile
drwx------    2 root     root         4096 Aug 30 18:45 ssl.crl
drwx------    2 root     root         4096 Aug 30 18:45 ssl.crt
drwx------    2 root     root         4096 Feb 25  2005 ssl.csr
drwx------    2 root     root         4096 Feb 25  2005 ssl.key
drwx------    2 root     root         4096 Feb 25  2005 ssl.prm

 

[jamesyeeoc]

Aug 19 2004 httpd.pem

This is the default Plesk (SWsoft) certificate which is installed for the Control Panel interface. If you login to the control panel and go to Server - Certificates, then click on 'default certificate', you will see this is the 2048 bit SWsoft, Inc. - Plesk certificate. You can compare the RSA Private key and Certificate (if you really want to).

As the warning states, you could use the 'genkey' program blah blah, or if you already have another valid certificate installed and listed in Server - Certificates, you could select it and click on 'Default'. You should then see the selected certificate in BOLD instead of the 'default certificate' in bold.

 

[dave@]

I tried that, it still gives me errors daily.

 

[alex042]

We had problems with this also. We couldn't get a new default cert to take until after we rebooted the server.

 

[dave@]

I have tried numerous times in PLESK to delete the OLD certificate, but it will not let me for some reason.

 

[jamesyeeoc]

Did you reboot the server as Alex042 suggested?

 

[dave@]

I sure did.

 

[dave@]

The reason I can't delete the old certificate is because the server thinks that there i s still IPs associated with it. But there isn't. I changed the default cerver certificate to another certificate, but the server still thinks that the old cert. is the default.

 

[1and1user]

Hi folks,

Looking that previous posts on this thread, I have rebooted my system, but still get errors that that popped up for reasons I don't understand.

I've been editing my httpd.conf file to debug problems with Bugzilla. I was getting the usual permission denied errors, and suddenly, got the 500 error:

HTTP Status 500 - No Context configured to process this request.

I thought this was due to my commenting out the DocumentRoot section by mistake, but fixing that did not solve the problem. And, with apache stopped, the same page problem appears.

Looking at my /home/httpd/vhosts/nanswi.com/statistics/logs/error_ssl_log file, I see:

[warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?

This dates back to when the problem occured. I looked at my cert setup, but it showed no certs. If there were none before, not sure why this would come up now.

After a timeout, I had to log in again, and now I see this on the web page:

ERROR
Unable to query database: Duplicate entry '36-Contact Name' for key 1

0: /usr/local/psa/admin/plib/class.ActionLog.php:638 psaerror(string "Unable to query database: Duplicate entry '34-Contact Name' for key 1")
1: /usr/local/psa/admin/plib/class.ActionLog.php:515 logcomponent->submit(integer "34")
2: /usr/local/psa/admin/plib/class.ActionLog.php:450 actionlog->submitbuffer_()
3: /usr/local/psa/admin/htdocs/login_up.php3:268 actionlog->submit()
4: /usr/local/psa/admin/htdocs/login_up.php3:128 createsessionadmin(string "login", string "passwd")
5: /usr/local/psa/admin/htdocs/login_up.php3:637 createsession(string "login", string "passwd")

Your help is appreciated.

Lars

 

[jamesyeeoc]

Originally posted by dave
The reason I can't delete the old certificate is because the server thinks that there i s still IPs associated with it. But there isn't. I changed the default cerver certificate to another certificate, but the server still thinks that the old cert. is the default.

If it is due to association with an IP, that might be in the /etc/httpd/conf/httpd.include file, one of the 'SSLCertificateFile' entries within a <VirtualHost xx.yy.zz.nn:443> sections. You would need to find out the certificate filename then search the httpd.include file for any occurences of the filename. (See below for finding the filename) But I would suspect that the problem lies in the 'psa' database.

I won't give a class in mysql usage, but just where to look. Whether you use mysql commandline or phpMyAdmin is up to you. If you don't already know how to use mysql, then I recommend you download and install phpMyAdmin, it's a GUI and quite easy to use by browser. I recommend putting it into a password protected folder on the SSL side of your site. (I have no clue as to your level of experience, I do not mean to offend)

Database 'psa', Table 'certificates', Field 'name' - find your new certificate name and note the 'id' number of it (for example let's say it is 'id' = 3)

Database 'psa', Table 'misc', Field 'param' = 'default_certificate_id' (which is probably val = 1, which would be the Plesk original certificate). Change this value to the 'id' found above, in this example it is 3.

Save the changes, exit.

REBOOT THE ENTIRE SERVER (I know people don't like doing that, but let's not mess around anymore with restarting services and hoping we do all the ones we need to)

Notes: If the /etc/httpd/conf/httpd.pem file does not contain the RSA Private Key and Certificate info of your new certificate, then you can also do the following (after doing the above procedure).

In the Db 'psa' Table 'certificates', also write down the 'cert_file' value for your certificate (Field 'name' will contain the friendly name you specified in Plesk c.p. when you entered it. (something like cert-y93CtA All certs have random names).

This will be the filename of your new certificate located in:

/usr/local/psa/var/certificates/

You can also try copying and renaming this file to:

/etc/httpd/conf/httpd.pem

(Remember to make a backup copy of the original httpd.pem file just in case)

Restart Apache.
Disclaimer: I am not responsible if your server crashes. Make a full backup before attempting any of this. Making changes to the database always has an associated risk. Do so only at your own risk. It's kind of like M$'s disclaimer about modifying the Windows Registry....same thing applies here to Plesk's database....

1and1user - First it is not nice to hijack someone else's post, especially when your problem is NOT the same as the original one being worked on.

Second, your error "[warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?" is common and is most likely NOT the cause of your 500 error. Please make a new post on the forum to address your problem. Do not continue posting about your problem in other people's threads unless it is THE SAME. Thank you. Also do a search on "500 Error", there have been at least a few other threads.

 

[Traged1]

Expired PLESK SSL certificate renewal HOW TO:

# mkdir /Some-Folder/SSL-Cert

# cd /Some-Folder/SSL-Cert

# openssl req -new -key /etc/httpd/conf/httpd.pem -out server.csr

# openssl x509 -req -days 360 -in server.csr -signkey /etc/httpd/conf/httpd.pem -out server.crt

# cp /etc/httpd/conf/httpd.pem /etc/httpd/conf/httpd.pem.bak

# vi server.crt

Copy all the certificate text

# vi /etc/httpd/conf/httpd.pem

Remove the old cerificate text and then paste new certificate text into it's spot.

# service httpd restart

 

[dave@]

Originally posted by Traged1
Expired PLESK SSL certificate renewal HOW TO:

# mkdir /Some-Folder/SSL-Cert

# cd /Some-Folder/SSL-Cert

# openssl req -new -key /etc/httpd/conf/httpd.pem -out server.csr

# openssl x509 -req -days 360 -in server.csr -signkey /etc/httpd/conf/httpd.pem -out server.crt

# cp /etc/httpd/conf/httpd.pem /etc/httpd/conf/httpd.pem.bak

# vi server.crt


# vi /etc/httpd/conf/httpd.pem


# service httpd restart

This did not work at alll....

 

[leobag]

The beginning of this new year has brought me to the same situation. Our server's self-signed certificate has expired and I am having difficulty locating a solution how to update it. I would much rather update or renew the currently expired certificate - because there are people using it. I looked at Traged1's option, but dave says it did not work.

So how can I update the certificate? Also, would it be possible to extend the validity to say 5 years instead of 1 year?

Thanks,
Leo

 

[leobag]

anyone that can assist with this?

Thank you

 

[Traged1]

I am not sure what Dave did not due properly, but it has worked on two of our RHEL 3 servers without any problems what so ever.

I would suggest giving my solution a try if you are using Redhat Linux or any other flavor of Linux and if it does not work, please let me know.

 

[Traged1]

I will repost my solution since in Dave post he appears to have a few things mixed up:

# Renew expiring PLESK SSL certificate

mkdir /home/somefolder/SSL-Cert

cd /home/somefolder/SSL-Cert

openssl req -new -key /etc/httpd/conf/httpd.pem -out server.csr

openssl x509 -req -days 360 -in server.csr -signkey /etc/httpd/conf/httpd.pem -out server.crt

cp /etc/httpd/conf/httpd.pem /etc/httpd/conf/httpd.pem.bak

vi server.crt
# Copy all the certificate text

vi /etc/httpd/conf/httpd.pem
# Remove the old cerificate text and then paste new certificate text into it's spot.

service httpd restart