Hrm, SSL issues?
Dan Williams
dcbw at redhat.com
Wed Nov 9 02:05:31 UTC 2005
On Tue, 2005-11-08 at 14:23 -0500, Chris Weyl wrote:
> On 11/8/05, Dan Williams <dcbw at redhat.com> wrote:
> > First thing I'd try in this situation is using openssl to try to verify
> > the certificates against their CA certificate. If the openssl verify
> > fails, there's something in the certificate that's bad. Also make sure
> > the CA certificate hasn't expired.
> >
> > Previous version of the plague certhelper.py utility incorrectly expired
> > CA certificates after 30 days, which has been fixed.
>
> Nuts. It looks like that's exactly what happened here... The
> individual certs claim to be good to 2015, but the CA certs are
> definitely expired: "error 10 at 0 depth lookup:certificate has
> expired".
>
> I don't suppose there's an easy fix for this? (Never too early in the
> week for wishful thinking.) Or is the fix to go and recreate the
> CA's, and reissue all new certs to everyone?
Unfortunately, I think that's the fix :( Sorry about that, it was my
fault originally though I'll note that for whatever reason the line
[CA_default]
default_days = 3650
in the openssl conf file didn't actually make the CA certificate valid
for 10 years, necessitating using the command-line option... go figure.
Dan
More information about the buildsys
mailing list