The certificate confirming the validity of the license has expired when it has not

I had a problem with a curl and openssl message about a client certificate that has expired, although its expiry is still in the future.

    # echo | openssl s_client -showcerts -connect example.com:443 2>&1 | grep Verify
    Verify return code: 10 (certificate has expired)

But

    # echo | openssl s_client -showcerts -connect example.com:443 2>&1 | openssl x509 -noout -dates
    notBefore=Oct 17 00:00:00 2011 GMT
    notAfter=Oct 21 12:00:00 2014 GMT

The system date is correct. Firefox also does not show any errors for this site's certificate. The OpenSSL versions I've tried are OpenSSL 1.0.1e-fips 11 Feb 2013 and OpenSSL 1.0.1f 6 Jan 2014. I found a similar problem here, where the author claims that the problem is absent in openssl 0.9.8, but present in version 1.0.1.

Why is this happening?

1 answer

My problem was that a certificate really had expired: not this particular one, but one in the signature chain.

For example, for google, this command:

    openssl s_client -showcerts -connect google.com:443 </dev/null | openssl x509 -noout -dates

shows:

    notBefore=Oct 6 12:37:54 2016 GMT
    notAfter=Dec 29 12:28:00 2016 GMT

However, openssl s_client -showcerts -connect google.com:443 </dev/null on its own shows not 1 but 3 certificates (each enclosed in ---BEGIN/END CERTIFICATE--- markers); the first one is google's, and it is the one that was actually checked. To verify this, I copied (there is probably a less manual way) the first to /tmp/google and the last to /tmp/geotrust. Now running openssl x509 -noout -dates < /tmp/google gives me:

    notBefore=Oct 6 12:37:54 2016 GMT
    notAfter=Dec 29 12:28:00 2016 GMT

which corresponds to the output of the first command, and openssl x509 -noout -dates < /tmp/geotrust gives:

    notBefore=May 21 04:00:00 2002 GMT
    notAfter=Aug 21 04:00:00 2018 GMT

This is different and has not been shown before. So, in the end, my problem was that one of the higher-authority certificates really had expired.

And BTW, a comment on the question suggests updating the OS to fix this problem; I believe the reason is the same. The OS comes with a bunch of root certificates, so if you have a crazy old OS, some of them may have expired. You can either update these root certificates or the entire OS to fix this problem.

It is also useful to know that running without -showcerts gives you a great view of the certificate chain. openssl s_client -connect google.com:443 </dev/null shows:

    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---

None of them should be expired.

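The manual copy step in the answer above can be scripted. The following is an added example, not part of the original answer: it splits the output of openssl s_client -showcerts into one file per certificate and runs the same openssl x509 -noout -dates check on each, flagging any that have expired. The function names split_chain and check_chain and the cert-N.pem file names are this example's own.

```shell
#!/bin/sh
# Added example: check the validity dates of every certificate a server sends,
# not only the first one that "openssl x509" reads from the stream.

# split_chain DIR: read PEM text on stdin (e.g. s_client -showcerts output),
# write DIR/cert-0.pem, DIR/cert-1.pem, ... and print how many were found.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { if (inside) { close(out); n++ } inside = 0 }
        END { print n + 0 }
    '
}

# check_chain DIR: print subject and dates for each cert-N.pem in order.
# Returns 1 if any certificate in the chain has already expired.
check_chain() {
    rc=0
    i=0
    while [ -f "$1/cert-$i.pem" ]; do
        echo "== certificate $i"
        openssl x509 -noout -subject -dates < "$1/cert-$i.pem"
        # -checkend 0 exits non-zero when notAfter is already in the past
        if ! openssl x509 -noout -checkend 0 < "$1/cert-$i.pem" >/dev/null; then
            echo "   EXPIRED"
            rc=1
        fi
        i=$((i + 1))
    done
    return $rc
}

# Usage: sh check-chain.sh example.com   (nothing runs without a host argument)
if [ -n "${1:-}" ]; then
    dir=$(mktemp -d)
    count=$(openssl s_client -showcerts -connect "$1:443" </dev/null 2>/dev/null | split_chain "$dir")
    echo "$count certificate(s) sent by $1"
    check_chain "$dir"; status=$?
    rm -rf "$dir"
    exit $status
fi
```

This covers only the certificates the server sends; a root certificate that comes from the local OS trust store is not in that output and has to be checked from the store itself.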