
This is a bit of a weird one.

Every morning I get an email telling me one of my certificates is expired.

################# SSL Certificate Warning ################

  Certificate for hostname '*.floodtrack.com', in file (or by nickname):
     /etc/pki/tls/certs/wildcard.floodtrack.com.crt

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

##########################################################
                                  Generated by certwatch(1)

Where this is coming from is a frustrating mystery.

Running certwatch from the command line generates no output and a status code indicating the cert is good or cannot be parsed (status code 1).

sudo /usr/bin/certwatch /etc/pki/tls/certs/wildcard.floodtrack.com.crt;echo $?
1

Running the wrapper script at /etc/cron.daily/certwatch by hand does not generate an email, and openssl reports the cert has not expired:

openssl x509 -noout -text -startdate -enddate -in /etc/pki/tls/certs/wildcard.floodtrack.com.crt

notBefore=Sep 20 00:00:00 2020 GMT
notAfter=Oct 21 23:59:59 2021 GMT

Apache is picking up and using the correct cert.

Everything about the email looks legitimate but it is obviously wrong. Any ideas on why it is happening and how to fix it?

scarville

2 Answers


Possibly you are not investigating the same file as the utility that generates the mail.

This one has expired, that one has not - a good explanation despite precisely matching file paths is: you have run your openssl x509 on a different machine or container (or on a machine with time/date set up differently) than the utility that generated your mail.

Most likely you can figure out who exactly sent you the mail by looking at the email's raw source; there is probably a more descriptive host name somewhere in the headers. Then locate that machine and figure out why it has installed an older certificate.

anx
  • Looking at the email headers to determine the source was my first step. I just tried the simple expedient of deleting the symlink and copying the cert file instead of just symlinking. I'll see tomorrow if that helps. – scarville Oct 19 '20 at 22:47
  • OK, that did not work... – scarville Oct 20 '20 at 14:12

Turns out the two machines and at least one other were resurrected in VMware. How, I do not know, but it was those that were sending the anomalous messages. I shut them down, which should stop the false alerts -- unless some nimrod turns them back on again...

  • So.. the source of the mail would have been easier to discover if some monitoring or log collection system had noticed two machines reporting in with identical hostnames? Guess that is one lesson to be learned. – anx Nov 03 '20 at 21:43
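The root cause above was an alert that named the certificate file but not the machine that checked it. The following is an added example (not certwatch's code and not from anyone in this thread) of a certwatch-style expiry check that parses the same `openssl x509 -enddate` output shown in the question and labels its warning with the checking host's FQDN, the resolved path of the certificate (symlinks included) and the check time, so a stray clone reporting in is identifiable from the message alone. It assumes `openssl` is on PATH only for the `check_file` wrapper; the parsing and day-count functions need nothing outside the standard library.

```python
"""certwatch-style expiry check that says which host ran it (added example)."""
import os
import socket
import ssl
import subprocess
import sys
import time

SECONDS_PER_DAY = 86400


def parse_not_after(enddate_line: str) -> int:
    """Turn 'notAfter=Oct 21 23:59:59 2021 GMT' (openssl -enddate output) into epoch seconds."""
    key, _, value = enddate_line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"unexpected openssl output: {enddate_line!r}")
    # ssl.cert_time_to_seconds understands exactly the GMT format openssl prints.
    return ssl.cert_time_to_seconds(value)


def days_left(not_after: int, now: int) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now) // SECONDS_PER_DAY


def warning_text(path: str, not_after: int, now: int) -> str:
    """Build the warning, including the facts the thread had to dig for."""
    remaining = days_left(not_after, now)
    state = "EXPIRED" if remaining < 0 else f"expires in {remaining} days"
    return "\n".join([
        f"Certificate: {path}",
        f"Resolved to: {os.path.realpath(path)}",   # symlink target, not just the name
        f"Checked on:  {socket.getfqdn()} at "
        f"{time.strftime('%Y-%m-%d %H:%M:%S UTC', time.gmtime(now))}",
        f"notAfter:    {time.strftime('%Y-%m-%d %H:%M:%S UTC', time.gmtime(not_after))}",
        f"Status:      {state}",
    ])


def check_file(path: str) -> str:
    """Run openssl on a real certificate file and format the warning (needs openssl on PATH)."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return warning_text(path, parse_not_after(out), int(time.time()))


if __name__ == "__main__":
    print(check_file(sys.argv[1]))
```

Run it as `python3 certcheck.py /etc/pki/tls/certs/wildcard.floodtrack.com.crt` on each host that mails you; two machines producing the same "Checked on" line is the duplicate-hostname situation anx describes.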