HTTP Strict Transport Security global cert refresh

Question

So, I probably screwed up when I set up HSTS and didn't refresh my certificate in time. Browsers now have a cache of my old certificate and don't seem to be contacting my server to request a fresh cert. Is there some server trick to force clients to refresh an out of date certificate on an HSTS enabled server?

Using lighttpd and letsencrypt.

1.) Why don't you just refresh your cert? 2.) Try to set the HSTS header to `max_age=0`. — gxx, Jul 07 '16 at 21:44
Could you please provide the domain / url? Also: I didn't advise to remove the HSTS header, but to set `max_age` to `0`. — gxx, Jul 07 '16 at 21:55
Tried that too, but same result. http://highaltitudearchery.com (https://highaltitudearchery.com) — PaulProgrammer, Jul 07 '16 at 21:58
The webserver sends an expired cert. You refreshed the cert, you wrote? If so, you should check that (and your config). — gxx, Jul 07 '16 at 22:01

score 0 · Accepted Answer · answered Jul 07 '16 at 22:55

0

It turns out that lighttpd needs to have the private key and certificate concatenated. After running the refresh for letsencrypt I just had to regenerate the ssl.pem by running:

cat privkey.pem cert.pem > ssl.pem

Feeling a little silly.

answered Jul 07 '16 at 22:55

PaulProgrammer

131
6

HTTP Strict Transport Security global cert refresh

1 Answers1