Thanks Samuel,
On 10/02/18 09:29, Samuel Sieb wrote:
> On 02/05/2018 01:01 PM, Eyal Lebedinsky wrote:
>> As of a month ago I started getting warnings from certwatch saying
>> The certificate for Certificate Shack has expired
>> and
>> The certificate for Frank Alpha has expired
>> which have now expired a week ago.
>>
>> I wanted to find out who these hosts are and should I care about the expired certs.
>>
>> So far I found these two (and no others) mentioned in the file
>> -rw-r----- 1 root apache 65536 Jan 26 2014 /etc/httpd/alias/cert8.db
>> which is an old file which seems to be part of the mod_nss package.
>>
>> Are these real certs? Test ones left there for no reason?
>>
>> If they are not needed then what is the correct way to remove them, short of
>> removing the nss_mod module.
> I expect they are sample certs, but I don't know why they are included. I don't
> see those on my server, but my database is much older.
> To remove them, go to the /etc/httpd/alias directory. Run "certutil -L -d ."
> to make sure of the names.
$ sudo certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
cacert CTu,Cu,Cu
Server-Cert u,u,u
alpha u,pu,u
'man certutil' seems to not list the meaning of the attributes flags.
I can guess C and T from the args to '-t' but 'u' is not listed. Maybe
just 'untrusted'?
> Then you can run "certutil -D -d . -n 'Frank
> Alpha'" for example to remove them from the database.
$ sudo certutil -D -d . -n 'Frank Alpha'
certutil: could not find certificate named "Frank Alpha":
SEC_ERROR_BAD_DATABASE: security library: bad database.
$ sudo certutil -D -d . -n alpha
$ sudo certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
cacert CTu,Cu,Cu
Server-Cert u,u,u
$ sudo certutil -D -d . -n cacert
$ sudo certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
I will keep an eye on any unusual messages.
--
Eyal at Home (fedora(a)eyal.emu.id.au)
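The thread walks through reading a `certutil -L` listing, decoding the trust attribute column, and deleting entries by nickname. The following is an added example (not code from the thread or from the mod_nss project) that parses such a listing, expands the trust flags as certutil's `-t` trust-argument documentation defines them (`u` marks a user certificate, i.e. one whose private key is in the database; `C`/`T` mark a trusted CA), cross-checks the nicknames against the `NSSNickname` directive mod_nss uses to pick the server certificate, and emits the `certutil -D` command for each unreferenced entry so an administrator can review before deleting. The listing and the nss.conf fragment are constructed sample data; the `/etc/httpd/alias` path is the one from the thread.

```python
"""Parse a `certutil -L` listing and report which NSS entries mod_nss uses.

Added example for this thread, not code from the list or from mod_nss.
The listing and config fragment below are constructed sample data.
"""
import re
import shlex

# Flag letters as defined for certutil's -t trust arguments (NSS).
TRUST_FLAGS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA to issue server certs (implies c)",
    "T": "trusted CA to issue client certs (implies c)",
    "u": "user cert: its private key is in this database",
    "w": "send warning",
}
TRUST_COLUMNS = ("SSL", "S/MIME", "JAR/XPI")  # order certutil prints them in

# Constructed listing in the same shape as `certutil -L -d .` in the thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
alpha                                                        u,pu,u
Frank Alpha                                                  ,,
"""

# Constructed mod_nss configuration fragment; NSSNickname is the real directive.
SAMPLE_NSS_CONF = """\
NSSEngine on
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert
"""


def parse_listing(text):
    """Return {nickname: {"SSL": "CTu", "S/MIME": "Cu", "JAR/XPI": "Cu"}}.

    Nicknames may contain spaces (the thread's 'Frank Alpha'), so the trust
    string is taken as the last whitespace-separated token and everything
    before it is the nickname.
    """
    entries = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname"):
            continue
        if line.strip() == "SSL,S/MIME,JAR/XPI":  # second header line
            continue
        nickname, trust = line.rsplit(None, 1)
        fields = trust.split(",")
        if len(fields) != len(TRUST_COLUMNS):
            raise ValueError(f"unexpected trust string {trust!r} for {nickname!r}")
        entries[nickname.strip()] = dict(zip(TRUST_COLUMNS, fields))
    return entries


def describe(flags):
    """Expand one trust field such as 'CTu' into readable descriptions."""
    unknown = set(flags) - set(TRUST_FLAGS)
    if unknown:
        raise ValueError(f"unknown trust flag(s) {sorted(unknown)}")
    return [TRUST_FLAGS[f] for f in flags]


def has_private_key(trust):
    """True if any column carries 'u': the key pair lives in this database."""
    return any("u" in flags for flags in trust.values())


def is_trusted_ca(trust):
    """True if the entry is trusted to issue server or client certs."""
    return any(set(flags) & {"C", "T"} for flags in trust.values())


def configured_nicknames(conf_text):
    """Nicknames named by NSSNickname directives (unquoted values only)."""
    return set(re.findall(r"^\s*NSSNickname\s+(\S+)", conf_text, re.MULTILINE))


def unreferenced(entries, conf_text):
    """(nickname, has_private_key, is_trusted_ca) for entries nss.conf never names."""
    used = configured_nicknames(conf_text)
    return sorted((n, has_private_key(t), is_trusted_ca(t))
                  for n, t in entries.items() if n not in used)


def removal_command(db_dir, nickname):
    """The certutil -D invocation from the thread, quoted for the shell."""
    return f"certutil -D -d {shlex.quote(db_dir)} -n {shlex.quote(nickname)}"


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for name, trust in entries.items():
        print(f"{name!r}: private key={has_private_key(trust)}, trusted CA={is_trusted_ca(trust)}")
        for col in TRUST_COLUMNS:
            meaning = ", ".join(describe(trust[col])) or "(no trust)"
            print(f"    {col:8s} {trust[col]!r:8} {meaning}")
    for name, key, ca in unreferenced(entries, SAMPLE_NSS_CONF):
        print("review:", removal_command("/etc/httpd/alias", name),
              f"(private key={key}, trusted CA={ca})")
```

The script only prints the deletion commands; entries flagged as a trusted CA or as carrying a private key deserve a look at what issued them and what references them before anything is removed. To run it against a real database, replace `SAMPLE_LISTING` with the captured output of `certutil -L -d /etc/httpd/alias` and `SAMPLE_NSS_CONF` with the contents of nss.conf.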