Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: charlies on June 23, 2007, 02:50:50 AM
-
Today I started receiving error messages for secure web and email access. The message indicates that the certificate has expired. Is there a server-manager screen or shell command that I should execute in order to generate an updated certificate? I am running SME 7.1.3.
Thanks,
Charlie
-
Your certificate might fix itself if you run 'reconfigure' and 'reboot' from server-manager::Administration::Reboot or shutdown.
Alternatively, use a shell to run signal-event post-upgrade
signal-event reboot
-
No luck. I ran the shell commands but my browser and mail client are still complaining. Any other ideas?
- Charlie
-
charlies
Did you do anything ie upgrade, install a CA certificate or similar immediately before the errors started ?
If you are using a self signed certificate from sme, then when it gets renewed automatically on the install date anniversary, your browser needs the old certificate details to be deleted and the new certificate installed (to your browser), see Tools Options. This has nothing to do with sme.
-
No, I did not make any changes prior to the certificate expiring. I am using the standard self signed certificate generated by SME. I just cleared out all of my certificates from my browser, but no change. Is there a way that I can check to see if/why SME is not automatically generating the certificate?
- Charlie
-
charlies
Please do
signal-event post-upgrade
signal-event reboot
Then remove old certificates from your browser.
Then reinstall the "new" certificate when you first surf to the https site
Out of interest is it approx a year since you installed sme server ?
If the above doesn't improve things, there is a good howto for creating a cacert certificate, see
http://wiki.contribs.org/Custom_CA_Certificate
-
Please do
signal-event post-upgrade
signal-event reboot
No, please do not do anything but report details of your problem via the bug tracker. SME server should always have current self-signed certificates. If it doesn't, there is a problem to be corrected.
-
Mr. Brady,
I was wondering how long it would be before you made that suggestion :D . I would like to perform a bit more investigation before I move this over to the bug list since it may very well be operator error. The more that I think about it, I may not be using the built in certificates. Doesn't the built in certificate generator generate a certificate for the FQDN of the server? In my case, that would be gw.poliac.com. I think that I was having problems with that, since I wanted to be able to connect to simply poliac.com. I have been running SME for so long, and performed so many upgrades, I cannot remember all of the little tweaks that I have performed over the years (since e-smith 3.x I believe). So perhaps this is not a bug, but a problem with my setup. Is it true that I will need to follow the howto for creating a cacert certificate
in order to have my certificate be for poliac.com rather than gw.poliac.com?
- Charlie
-
I know this post has not had any responses for a while, but to let people know in the future about my experience.
My certificate has expired a week ago, I was patiently waiting for it to replace itself, without any luck. So I did:
signal-event post-upgrade
signal-event reboot
And I got a new certificate right afterwards.
-
calisun,
I have experienced the same a few days ago. From the timestamp of the cert file in /home/e-smith/ssl.crt/ I could see that a new certificate was created.
A "service httpd-e-smith restart" solved the problem. No reboot was needed.
See also http://bugs.contribs.org/show_bug.cgi?id=2257 and http://bugs.contribs.org/show_bug.cgi?id=4134