Hrm, SSL issues?

Chris Weyl chris.weyl at gmail.com
Tue Nov 8 19:23:27 UTC 2005


On 11/8/05, Dan Williams <dcbw at redhat.com> wrote:
> First thing I'd try in this situation is using openssl to try to verify
> the certificates against their CA certificate.  If the openssl verify
> fails, there's something in the certificate that's bad.  Also make sure
> the CA certificate hasn't expired.
>
> Previous version of the plague certhelper.py utility incorrectly expired
> CA certificates after 30 days, which has been fixed.

Nuts.  It looks like that's exactly what happened here...  The
individual certs claim to be good to 2015, but the CA certs are
definitely expired: "error 10 at 0 depth lookup:certificate has
expired".

I don't suppose there's an easy fix for this?  (Never too early in the
week for wishful thinking.)  Or is the fix to go and recreate the
CAs, and reissue all new certs to everyone?

> openssl verify [-CApath directory] cert.pem
>
> Something like ^^^^^ should do the trick, you may have to check on the
> exact arguments to use.

For the sake of others googling:

openssl verify -CApath /etc/plague/ca_dir /etc/plague/ca_dir/buildsystem_ca_cert.pem

does the trick.

                                  -Chris
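
Added example, not part of the original message and not plague code: a shell check for the failure described in this thread, where a CA certificate expires long before the certificates it signed. The function names, file names and demo lifetimes (a 30-day CA and a 3650-day cert) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not plague code). Names and lifetimes below are constructed.

# make_demo_chain DIR CA_DAYS CERT_DAYS
# Builds a throwaway CA and one certificate signed by it, with independent
# lifetimes, to reproduce the situation in the thread (short CA, long cert).
make_demo_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -days "$2" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-builder" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/leaf.pem" -days "$3" 2>/dev/null
}

# check_chain CA_PEM CERT_PEM [HORIZON_DAYS]
# Prints one status word and returns:
#   0 ok                      chain verifies; no CA expiry problem in the horizon
#   1 ca-expired              CA notAfter is already in the past
#   2 verify-failed           cert does not verify against this CA
#   3 ca-expires-before-cert  CA expires within the horizon, cert does not
check_chain() {
    ca=$1
    cert=$2
    horizon=$(( ${3:-30} * 86400 ))
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$ca" -noout -checkend 0 >/dev/null; then
        echo ca-expired; return 1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo verify-failed; return 2
    fi
    if ! openssl x509 -in "$ca" -noout -checkend "$horizon" >/dev/null &&
         openssl x509 -in "$cert" -noout -checkend "$horizon" >/dev/null; then
        echo ca-expires-before-cert; return 3
    fi
    echo ok; return 0
}
```

Run from cron against the real CA and a client cert, status 3 gives warning before the "error 10 ... certificate has expired" result shows up in builds.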