Topic: Certificate error after changing server name

[jklapp]

I did something really stupid... I changed my server name in Server Console and now I'm getting a certificate error.

There is a problem with this website's security

I checked the error and it says "Untrusted Certificate" (This CA root certificate is not trusted) but the "issued to" and "issued by" names match???

I changed it back to the original name, but I'm still getting the same error ... Any suggestions???

Thanks in advance... You guys are great!!

[mmccarn]

If you haven't done so yet, do a signal-event post-upgrade followed by a signal-event reboot.

Or, according to http://wiki.contribs.org/Certificate you might need to

Code: [Select]

expand-template /home/e-smith/ssl.crt/crt
expand-template /home/e-smith/ssl.key/key
signal-event domain-modify
signal-event email-update

[cactus]

I changed it back to the original name, but I'm still getting the same error ... Any suggestions???

Thanks in advance... You guys are great!!

That is normal behavior, on every name change a new certificate is generated by the server automatically. Each time the certificate is generated it will have a different check-sum. You probably are prompted with a message saying if you would like to trust this certificate (for this time only, permanently or not), am I right?

The warning you are shown is not an error but a warning, I think, that the certificate is a so-called self-signed certificate and that the trusted authority is not known. Normally certificates are signed by trusted authorities (e.g. VeriSign or others) yours is not as it is generated by your server, therefore you receive this warning.

By installing the certificate on your client, you will not be warned (in th future). Name changes or certificate changes will then result in unaccessible server-manager pages (until you remove the old certificate or install the updated one).

[jklapp]

If you haven't done so yet, do a signal-event post-upgrade followed by a signal-event reboot.

Or, according to http://wiki.contribs.org/Certificate you might need to

Code: [Select]

expand-template /home/e-smith/ssl.crt/crt
expand-template /home/e-smith/ssl.key/key
signal-event domain-modify
signal-event email-update

I did all the above, but I'm still getting the same thing

[jklapp]

That is normal behavior, on every name change a new certificate is generated by the server automatically. Each time the certificate is generated it will have a different check-sum. You probably are prompted with a message saying if you would like to trust this certificate (for this time only, permanently or not), am I right?

The warning you are shown is not an error but a warning, I think, that the certificate is a so-called self-signed certificate and that the trusted authority is not known. Normally certificates are signed by trusted authorities (e.g. VeriSign or others) yours is not as it is generated by your server, therefore you receive this warning.

By installing the certificate on your client, you will not be warned (in th future). Name changes or certificate changes will then result in unaccessible server-manager pages (until you remove the old certificate or install the updated one).

Before I did the name change I never got this warning... The warning came after I changed the name ???

[jklapp]

Here is another question... on http://wiki.contribs.org/Certificate two commands given don't work...

my $CommonName = "special.myserver.com";

I get

-bash: my: command not found

use constant KEYLIFEINDAYS => 730;

I get

-bash: use: command not found

[Marco Hess]

-bash: my: command not found

That is because they are not bash commands but strings in the ssl.crt script that you need to edit

Marco

[jklapp]

I have SO MUCH to learn 

Is there an easy way to change the CommonName at shell?

[raem]

jklapp

Before I did the name change I never got this warning... The warning came after I changed the name

Re-read cactus's post.

You renamed the server, so each time you do that, the server generates a new self signed server certificate, so therefore you need to install the new (latest version of) certificate in your browser(s). You probably did this long ago for the previous certificate name, but have forgotten.

Simply changing your server name back to what it was previously will not allow the old certificate to be recognised, as a new version of the certificate has since been created.

You are given the opportunity to install the current (latest version) of the certificate when you browse to your server using https://.....
Do this for each browser "brand" you use.

[cactus]

You are given the opportunity to install the current (latest version) of the certificate when you browse to your server using https://.....
Do this for each browser "brand" you use.

As well as for your mail clients if you are using pops or imaps access.

[jklapp]

I forgot to answer this question...

You probably are prompted with a message saying if you would like to trust this certificate (for this time only, permanently or not), am I right?

No...  it says....

There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).

[cactus]

Continue to this website (not recommended).

So it does say yes (more or less), did you try continue? It should present you the website.

Like explained earlier: this is a warning saying that the site might be forged as one of the requirements normally met by a certificate is not met in your case (and many SME Server users). Just choose continue if you trust the website (if it is your own, this should not be an issue).

If possible install the certificate (on every client, for every browser), like Ray stated earlier, if you do so you explicitly state that you trust this certificate and you will not be prompted anymore that the certificate is not signed by a trusted authority.

[jklapp]

Now this is interesting... I just connected to my site via https and the problem is gone... Some how it corrected itself.   I don't understand why, or how, but I'm happy it's gone!!!

I do have one more question about the built in certificate... How is the expire date changed?... Mine reads 9-10-2008... I been reading the forums but I haven't found the answer.

[raem]

jklapp

The self signed certifcate is re-issued/regenerated automatically at the yearly anniversary date of your sme installation.

[jklapp]

Thank you all so much for your help... I'm happy to report, I've got everything transferred from my NT Machine to SME and the NT Machine is turned off !!!  Saying goodbye to Microsoft really felt good!!!!!!!!!!!!! 

There is only one more thing I need to do and I will be in good shape... I need to setup a cron to run

http://www.domainname.com/news/index.php?module=SSNews;sa=updatecache;func=cron;key=77e

Could someone point me to some examples on how this is done?

Thanks again... I wish I would have switch to SME years ago!!