On Tue, 2005-11-08 at 14:23 -0500, Chris Weyl wrote:
> On 11/8/05, Dan Williams <dcbw(a)redhat.com> wrote:
> > First thing I'd try in this situation is using openssl to try to verify
> > the certificates against their CA certificate. If the openssl verify
> > fails, there's something in the certificate that's bad. Also make sure
> > the CA certificate hasn't expired.
> >
> > Previous version of the plague certhelper.py utility incorrectly expired
> > CA certificates after 30 days, which has been fixed.
>
> Nuts. It looks like that's exactly what happened here... The
> individual certs claim to be good to 2015, but the CA certs are
> definitely expired: "error 10 at 0 depth lookup:certificate has
> expired".
>
> I don't suppose there's an easy fix for this? (Never too early in the
> week for wishful thinking.) Or is the fix to go and recreate the
> CA's, and reissue all new certs to everyone?

Unfortunately, I think that's the fix :( Sorry about that, it was my
fault originally though I'll note that for whatever reason the line

    [CA_default]
    default_days = 3650

in the openssl conf file didn't actually make the CA certificate valid
for 10 years, necessitating using the command-line option... go figure.

Dan
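
Added example, not part of the original thread and not plague's own code: default_days under [CA_default] is read by `openssl ca` when it signs certificates, while a self-signed CA made with `openssl req -x509` takes its lifetime from -days and otherwise gets 30 days. The script below assumes the CA is created with `openssl req -x509`; the file names, the CN and the helper functions are constructed for illustration.

```sh
#!/bin/sh
# Added example with constructed names; all files live in a throwaway temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config; [CA_default] is present but `openssl req` never reads it.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Constructed Test CA
[ CA_default ]
default_days = 3650
EOF

make_ca() {   # $1 = output prefix, remaining args go to `openssl req`
    prefix=$1; shift
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -keyout "$prefix.key" -out "$prefix.pem" "$@" 2>/dev/null
}

valid_in_days() {   # exit 0 if cert $1 is still inside its validity in $2 days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

verify_in_days() {  # verify self-signed cert $1 as if $2 days had passed
    openssl verify -CAfile "$1" \
        -attime $(( $(date +%s) + $2 * 86400 )) "$1" 2>&1
}

make_ca "$WORK/short"             # lifetime left to the config file
make_ca "$WORK/long" -days 3650   # lifetime given on the command line

for ca in short long; do
    for days in 29 31 3649; do
        if valid_in_days "$WORK/$ca.pem" "$days"; then state=valid
        else state=expired; fi
        echo "$ca CA, $days days from now: $state"
    done
done
# Reports "certificate has expired" (error 10), as in the thread.
verify_in_days "$WORK/short.pem" 31 || true
```

Running `openssl x509 -noout -enddate` or `-checkend` against the CA certificate right after creating it catches a short lifetime before any client certificates are issued from it.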