My certificates keep expiring every day


(Dan S) #1

In the certificate manager, every day I have to add my certificates back. I have no idea why, but certs keep going away as expired every day.

I am on an open-source-only code base on RHEL 7, so I don’t have System Admin.
Latest version of FreePBX.


#2

What kind of certs?


(Dan S) #3

Certs issued by Entrust, so public paid certs for the hostname.


(Dan S) #4

So every day I have to import from the local file system.

It finds them, set to default. Why? And what can I do to fix it?


#5

I’ll try to take a look when I get a minute, but not sure I’ll be much help. I haven’t worked the imported cert code at all.


(Dan S) #6

Any help would be great.


#7

By what exact method do you “import from the local file system”?
GUI?, fwconsole?, shell script?


(Dan S) #8

I go to the Certificate Manager.

Click on import locally.
Then I click on the certificate I want as default.


#9

How exactly does the certificate/key get into /etc/asterisk/keys?


(Dan S) #10

I went to the Certificate Manager page and used the New Certificate, Upload Certificate option and pasted in the values.


#11

You said you had bought a commercial one from Entrust. So, to eliminate mistakes, from a shell, just copy the key as domain.name.key and the cert as domain.name.crt into /etc/asterisk/keys, then check your work with

fwconsole certificates --help
fwconsole certificates --list
fwconsole certificates --import
fwconsole certificates --list
fwconsole certificates --updateall
fwconsole certificates --details=ID
fwconsole certificates --default=ID

(Dan S) #12

It's reimported and I have made the default the right cert with the fwconsole certificates commands.

That's a great command. Let's see what happens tomorrow morning.


#13

Just wondering whether you are seeing expired certs in your web browser’s rendered pages. If so, make sure your webserver is referencing the current SSL crt and key in /etc/asterisk/keys. A quick diagnostic, not knowing what webserver a user is using:

 grep -ri ssl  /etc/{apache2,nginx,httpd} 

and a more explicit

 grep -ri ssl  /etc/{apache2,nginx,httpd}|grep keys

would reveal what the webserver is currently set to use and you might also need to reload/restart said webserver to re-reference the new /etc/asterisk/keys/*.{key,crt} files
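
The checks discussed in posts #11 and #13, gathered into one script as an added example (not part of the original thread, and not FreePBX code). It needs the `openssl` command; the function names `cert_status` and `audit_keys_dir` and the 30-day default window are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit cert/key pairs laid out as in the thread
# (domain.name.crt + domain.name.key under /etc/asterisk/keys).
# Function names and the 30-day default window are this example's assumptions.

# cert_status CRT [WINDOW_SECONDS] prints one word and returns:
#   0 ok, 1 expiring/expired within the window, 2 no matching .key,
#   3 key does not belong to the cert, 4 not a readable certificate.
# The body is a subshell, so "exit" only leaves the function.
cert_status() (
    crt=$1
    window=${2:-2592000}
    key="${crt%.crt}.key"

    openssl x509 -in "$crt" -noout >/dev/null 2>&1 || { echo unreadable; exit 4; }

    # -checkend fails if notAfter falls within the next $window seconds;
    # a window of 0 therefore means "already expired".
    openssl x509 -in "$crt" -noout -checkend "$window" >/dev/null 2>&1 ||
        { echo expiring; exit 1; }

    [ -r "$key" ] || { echo nokey; exit 2; }

    # A pair is only usable if both files carry the same public key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo mismatch; exit 3
    fi
    echo ok
)

# audit_keys_dir [DIR] [WINDOW_SECONDS]: one line per certificate,
# non-zero status if any pair needs attention.
audit_keys_dir() (
    dir=${1:-/etc/asterisk/keys}
    rc=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue
        status=$(cert_status "$crt" "${2:-2592000}") || rc=1
        end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null) || end=unknown
        printf '%-10s %s %s\n' "$status" "$crt" "${end#notAfter=}"
    done
    exit "$rc"
)

# Run the audit only when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then audit_keys_dir "$@"; fi
```

A pair that reports `ok` here while the browser still shows an expired certificate points at the webserver configuration, which is what the grep above inspects.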


(Dan S) #14

Hi

Data from grep 1 is right,
and
grep 2 is likely an issue in that key works but keys doesn’t find anything, as my key file is .key, not .keys.

The cert I needed is still present!


#15

Not too helpful, please actually post the results of the first grep if it’s still not working


(Dan S) #16

Certs are staying now, so it's good.