Updating expired certificates
On the Mageia infrastructure, we have 2 types of certificates:
- self-signed certificates, for internal usage
- user-facing external websites, where we use
Certificates are managed by Puppet.
Checking the expiration date of a certificate
# openssl x509 -in /etc/ssl/openldap/ldap.mageia.org.pem -text -noout | grep -A2 Validity
        Validity
            Not Before: Oct 21 07:37:31 2016 GMT
            Not After : Oct 21 07:37:31 2017 GMT
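To catch certificates before they expire rather than after, the same check can be scripted with `openssl x509 -checkend`. This is an added example, not part of the original page or of Mageia's Puppet setup; the function names and the 30-day default threshold are assumptions.

```shell
#!/bin/sh
# Added example: classify PEM certificates by remaining validity.
# Function names and the 30-day default are assumptions.

# cert_status FILE [DAYS]
# Prints "ok", "expiring" (expires within DAYS days), "expired" or "unreadable".
# Returns 0 for ok, 1 for expiring, 2 for expired, 3 for unreadable.
cert_status() {
    cert=$1
    days=${2:-30}
    # A missing file or a file without a certificate is reported, not ignored.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "expiring"
        return 1
    fi
    echo "ok"
    return 0
}

# scan_certs DIR [DAYS]
# Prints one line per *.pem in DIR that is not "ok", with its notAfter date.
# Returns 1 if any such file was found, so it can drive a cron or monitoring alert.
scan_certs() {
    dir=$1
    days=${2:-30}
    rc=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        status=$(cert_status "$f" "$days") || {
            end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null)
            echo "$f: $status $end"
            rc=1
        }
    done
    return $rc
}
```

After sourcing the file, `scan_certs /etc/ssl/apache 30` lists every certificate in that directory that is expired or due to expire within 30 days.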
Self-signed certificate
If a certificate is expired, the easiest fix (provided it is not the wildcard certificate, see later for that one) is to erase the file (for example, /etc/ssl/apache/$VHOST.pem) and run puppetd again:
# rm /etc/ssl/apache/forums.mageia.org.pem
# puppetd --test
# /etc/init.d/httpd restart
Restarting the affected service is needed, or the old certificate would still be used.
If the certificate is expired, this will prevent Puppet from fixing it, so you need to create it manually:
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/openldap/ldap.mageia.org.pem -out /etc/ssl/openldap/ldap.mageia.org.pem -subj '/CN=ldap.mageia.org'
Wild card certificate