Strange SSL system message



So I got this exact message from my server this morning. Any idea as to what it is or what I should do about it?

WARNING: certificate /etc/ssl/certs/ca-certificates.crt
    is about to expire in time equal to or less than 7 days from now on,
    or has already expired - it might be a good idea to obtain/create new one.

    NOTE: This message is being sent only once.

    A lock-file
    /var/run/certwatch-mailwarning-sent-ca-certificates.crt
    has been created, which will prevent this script from mailing you again
    upon its subsequent executions by crond. You dont need to care about it;
    the file will be auto-deleted as soon as you'll prolong your certificate.

Link to comment

I am not sure if I am right but I'll go by memory and try and help before I nip off to work. I am assuming you have some knowledge of SSL and/or can remember when you set up whatever is using it. I am also assuming that SSL is not required by Unraid (because I don't think it is even shipped with it) and is actually for something else you have on your box entirely. If this is not true or you are unsure, PAUSE and wait for someone with a little more Unraid Skills to chime in.

 

So, moving on from the above .....

 

You have SSL running and you have SSL certificates that need renewing. I suspect there was a cron job set up to automatically issue a warning message in the log when an SSL certificate is about to expire.

 

To check the status of your certificates I think you can use the following to check if this is correct. After telnet'ing into your box use this command:

"openssl x509 -enddate -noout -in fileinquestion.pem" (or fileinquestion.crt)

 

The output will tell you the date of expiry right then.

 

The certificate needs to be renewed; this can be done by generating a new key pair. Until you do so I think it likely that web clients will not be able to correctly connect to the web site using SSL until the certificate is renewed.

 

When you generate the new key (using the genkey tool I believe), you are going to be generating a new public & private key pair, from which a certificate is then created. You are NOT 'renewing' the certificate as the log implies you must. I think it is possible to renew a certificate based on your existing key pair, but I think because it is so, so easy to just use the tools to generate a new pair that it is just easier this way.

 

I hope this helps push you in the right direction or generates some more discussion for you to aid you in your issue.

 

Link to comment
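
An added example, not part of the original posts: openssl x509 reads only the first certificate in a file, so on a concatenated PEM bundle (which /etc/ssl/certs/ca-certificates.crt is assumed to be here) the command above shows a single expiry date. This sketch splits a bundle and checks every certificate against the 7-day window named in the warning; the function name check_bundle and the use of -checkend are choices made for this example, not taken from the certwatch script.

```shell
#!/bin/sh
# check_bundle FILE [DAYS]
# Prints one line per certificate in a PEM file: status, notAfter, subject.
# Returns 1 if any certificate has expired or expires within DAYS
# (default 7, the window used in the warning mail), otherwise 0.
check_bundle() {
    bundle=$1
    days=${2:-7}
    secs=$((days * 86400))
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert%04d.pem", dir, n); inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$bundle"

    expiring=0
    for pem in "$tmpdir"/cert*.pem; do
        [ -f "$pem" ] || continue
        end=$(openssl x509 -noout -enddate -in "$pem" | cut -d= -f2)
        subj=$(openssl x509 -noout -subject -in "$pem")
        # -checkend exits 0 only if the certificate is still valid
        # after the given number of seconds.
        if openssl x509 -noout -checkend "$secs" -in "$pem" >/dev/null; then
            echo "OK       $end  $subj"
        else
            echo "EXPIRING $end  $subj"
            expiring=1
        fi
    done

    rm -rf "$tmpdir"
    return "$expiring"
}

# Stand-alone use: sh check_bundle.sh /etc/ssl/certs/ca-certificates.crt 7
if [ "$#" -gt 0 ]; then
    check_bundle "$@"
fi
```

Lines marked EXPIRING identify which entry in the bundle triggered the warning, which tells you whether it is a trusted CA certificate in the system bundle or a certificate you issued yourself.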
  • 2 years later...
1 minute ago, Dabear3 said:

Today I received the same email warning as shown in post #1.

 

I'm a little lost. Can someone please explain to me how to generate a new key pair (as suggested in post #2).

 

Does your server have the correct date and time?

 

You have posted this in the legacy section of the forum in a thread that is over 2 years old. Are you really using V5 or older? If not, start a new thread in V6 General Support.

Link to comment
