
Untitled

a guest, May 9th, 2016
The system log:

system.log:May  9 10:45:05 odserver-1 certupdate_web[12598]:  "replace" the cert "/etc/certificates/*.ahc.uk.com.062E3FF1EDB22BF6987437D534C6BC573D518D62.cert.pem" with "/etc/certificates/*.ahc.uk.com.144A774F81B217DB88BCEF254AFAA2843701EBD9.cert.pem"
system.log:May  9 10:45:06 odserver-1 SetProxyCert.py[12604]: serviceproxy[replaceAllDefaultCerts certificate = /etc/certificates/*.ahc.uk.com.144A774F81B217DB88BCEF254AFAA2843701EBD9 getCertPathList =0]
system.log:May  9 10:45:14 odserver-1 certupdate_web[12598]: Web Config updated with replacement cert
system.log:May  9 10:45:14 odserver-1 SetProxyCert.py[12642]: serviceproxy[replaceAllDefaultCerts certificate = /etc/certificates/*.ahc.uk.com.144A774F81B217DB88BCEF254AFAA2843701EBD9 getCertPathList =0]
system.log:May  9 10:45:14 odserver-1 certupdate_web[12598]: Proxy Config updated with replacement cert
system.log:May  9 10:45:15 odserver-1 mail_cert_handler[12645]: command: "replace" certificate: /etc/certificates/*.ahc.uk.com.062E3FF1EDB22BF6987437D534C6BC573D518D62.cert.pem with: /etc/certificates/*.ahc.uk.com.144A774F81B217DB88BCEF254AFAA2843701EBD9.cert.pem
system.log:May  9 10:45:15 odserver-1 radius_cert_update.pl[12668]: Received "replace /etc/certificates/*.ahc.uk.com.062E3FF1EDB22BF6987437D534C6BC573D518D62.cert.pem /etc/certificates/*.ahc.uk.com.144A774F81B217DB88BCEF254AFAA2843701EBD9.cert.pem" command.
system.log:May  9 10:45:15 odserver-1 radius_cert_update.pl[12668]: RADIUS is not configured with /etc/certificates/*.ahc.uk.com.062E3FF1EDB22BF6987437D534C6BC573D518D62.cert.pem, nothing to replace.
system.log:May  9 10:45:16 odserver-1 ServerEventAgent[6355]: CertsKeychainMonitor: removing exported files for replaced certificate '/etc/certificates/*.ahc.uk.com.062E3FF1EDB22BF6987437D534C6BC573D518D62.cert.pem'

From ASL logs

serviceproxy[replaceAllDefaultCerts certificate = /etc/certificates/*.ahc.uk.com.062E3FF1EDB22BF6987437D534C6BC573D518D62 getCertPathList =0]
May  9 10:45:06 odserver-1 SetProxyCert.py[12604] <Critical>: serviceproxy[replaceAllDefaultCerts certificate = /etc/certificates/*.ahc.uk.com.144A774F81B217DB88BCEF254AFAA2843701EBD9 getCertPathList =0]
May  9 10:45:14 odserver-1 SetProxyCert.py[12642] <Critical>: serviceproxy[replaceAllDefaultCerts certificate = /etc/certificates/*.ahc.uk.com.144A774F81B217DB88BCEF254AFAA2843701EBD9 getCertPathList =0]
May  9 10:45:15 odserver-1 mail_cert_handler[12645] <Notice>: command: "replace" certificate: /etc/certificates/*.ahc.uk.com.062E3FF1EDB22BF6987437D534C6BC573D518D62.cert.pem with: /etc/certificates/*.ahc.uk.com.144A774F81B217DB88BCEF254AFAA2843701EBD9.cert.pem
May  9 10:45:15 odserver-1 radius_cert_update.pl[12668] <Notice>: Received "replace /etc/certificates/*.ahc.uk.com.062E3FF1EDB22BF6987437D534C6BC573D518D62.cert.pem /etc/certificates/*.ahc.uk.com.144A774F81B217DB88BCEF254AFAA2843701EBD9.cert.pem" command.
May  9 10:45:15 odserver-1 radius_cert_update.pl[12668] <Notice>: RADIUS is not configured with /etc/certificates/*.ahc.uk.com.062E3FF1EDB22BF6987437D534C6BC573D518D62.cert.pem, nothing to replace.

From Profile Manager Logs

[8838] [2016/05/09 10:15:28.736] I: Completed in 111ms (View: 0, DB: 10) | 200 OK [https://odserver-1.ahc.uk.com/magic/do_magic]
[12545] [2016/05/09 10:44:57.069] -[SULogFileCollection setGlobalLogLevelPrefix:]: YES
0:: [12545] [2016/05/09 10:44:57.087]
    ################################################################################
    ruby-889.8 (PID:12545, OS:15C50, SERVER:15S4033, ARCH:x86_64) starting
    LA: ruby replace /etc/certificates/*.ahc.uk.com.062E3FF1EDB22BF6987437D534C6BC573D518D62.cert.pem c3N1aQAAACCHGRyjD8kR1ISaAAUCtSEiAAAAAAAAAAAAAAAAAAAABmRibm0AAAAjL0xpYnJhcnkvS2V5Y2hhaW5zL1N5c3RlbS5rZXljaGFpbgBpdGVtAAAAZ4AAEAAAAAAEAQAAAAAAAEMwQTELMAkGA1UEBhMCRlIxEjAQBgNVBAoTCUdBTkRJIFNBUzEeMBwGA1UEAxMVR0FOREkgU1RBTkRBUkQgU1NMIENBAAAAED71sKZaKhPV/Dw2dsRKdKE= /etc/certificates/*.ahc.uk.com.144A774F81B217DB88BCEF254AFAA2843701EBD9.cert.pem c3N1aQAAACCHGRyjD8kR1ISaAAUCtSEiAAAAAAAAAAAAAAAAAAAABmRibm0AAAAjL0xpYnJhcnkvS2V5Y2hhaW5zL1N5c3RlbS5rZXljaGFpbgBpdGVtAAAAW4AAEAAAAAAEAQAAAAAAAEMwQTELMAkGA1UEBhMCRlIxEjAQBgNVBAoTCUdBTkRJIFNBUzEeMBwGA1UEAxMVR0FOREkgU1RBTkRBUkQgU1NMIENBAAAABDuyn+s=
    Log verbosity level = 1
    UID = 0, EUID = 0
    ################################################################################
0:: [12545] [2016/05/09 10:44:57.087] -[SULogFileCollection setGlobalLogLevelPrefix:]: NO
(END)

New cert that breaks everything:

depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.ahc.uk.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.ahc.uk.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.ahc.uk.com
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.ahc.uk.com
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.ahc.uk.com
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3613 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 94989CC037DDB2A694347CCB8EC91E26411AAF3618EA1EECBFA3131C262A2EFA
    Session-ID-ctx:
    Master-Key: 96CE5776E6AA5FF39B5773BE00E054F90D6D444540907E12B90BF2E618CD8067A83FA87FD7EEB8F3D4D35EA56FA73A40
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:

    Start Time: 1462801984
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Here is what it's SUPPOSED to look like.

depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.ahc.uk.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.ahc.uk.com
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.ahc.uk.com
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3104 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 047C77B16710B58172EC4A66380740B3E746632F20E74E7BD66D2F90DD01C372
    Session-ID-ctx:
    Master-Key: 90F55EC7FEA36B1AE637220B9F355B834144FFEE23629B883F47072A3F6E3AC47FFC0EA7DF9E8AE47386B6EABA6149DF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1462802843
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
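The two "Certificate chain" sections above show the actual fault: the new deployment sends the leaf certificate twice instead of the "Gandi Standard SSL CA" intermediate, so the leaf's issuer is nowhere in the presented chain and openssl reports verify error 21. The Python below is an added example, not part of the original paste: it parses that section of openssl s_client output and checks that each certificate's issuer is the subject of the next certificate, reporting both the duplicated leaf and the missing intermediate. The two chain texts are copied from the outputs above and embedded inline so it runs offline.

```python
import re

# Sample "Certificate chain" sections, copied from the two openssl s_client
# runs above (the broken new cert and the working old cert). Constructed
# inline as test input so the check runs without a network connection.
BROKEN_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.ahc.uk.com
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.ahc.uk.com
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
"""

GOOD_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.ahc.uk.com
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
"""

# One chain entry is an "N s:<subject>" line followed by an "i:<issuer>" line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in ENTRY.finditer(text)]


def check_chain(text):
    """Verify linkage: cert N's issuer must be the subject of cert N+1.

    The last cert's issuer is allowed to be absent (it is normally the root,
    which lives in the client's trust store). Returns a list of problems;
    an empty list means the presented chain links up.
    """
    chain = parse_chain(text)
    problems = []
    seen = set()
    for n, (subj, iss) in enumerate(chain):
        if n + 1 < len(chain) and chain[n + 1][0] != iss:
            problems.append(f"cert {n} issuer {iss!r} is not the subject of "
                            f"cert {n + 1} ({chain[n + 1][0]!r}); intermediate missing")
        if subj in seen:
            problems.append(f"cert {n} duplicates an earlier subject: {subj!r}")
        seen.add(subj)
    return problems
```

To check a live host, feed `check_chain` the output of `openssl s_client -connect host:443 -servername host`; a non-empty result means clients that do not already hold the intermediate will fail exactly as shown in the broken capture above.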