A few months ago, I installed a self-signed SSL certificate on CentOS7.
I tried to browse my website over HTTPS, but I got security warnings in both Chrome and Firefox.
I eventually uninstalled the SSL packages on my CentOS7 and requested another SSL certificate from Let's Encrypt: https://rucheconnectee.mc.
It worked fine, but on my CentOS7, I also use MQTT and Node-RED to collect data: https://rucheconnectee.mc/?les-ruches-connectees. The iframe I use to embed the Node-RED charts or the HTML link I use to display them don't work anymore: https://80.94.97.61:1880/ui/#!/1?socket ... Uj-BmbAAEr.
Then I opened the console to list the certs folder:
Code:
ls -l
total 28
-rw-r--r--. 1 root root 1419 20 oct. 17:09 apache-selfsigned.crt.old
lrwxrwxrwx. 1 root root 49 23 juin 11:25 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 23 juin 11:25 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. 1 root root 1302 15 juil. 12:09 ca.crt
-rw-r--r--. 1 root root 424 13 juil. 16:51 dhparam.pem
-rw-------. 1 root root 1537 20 oct. 17:10 localhost.crt.old
-rwxr-xr-x. 1 root root 610 28 mars 2022 make-dummy-cert
-rw-r--r--. 1 root root 2516 28 mars 2022 Makefile
-rwxr-xr-x. 1 root root 829 28 mars 2022 renew-dummy-cert
In order to list the SSL certificates, I pasted the following command:
Code:
openssl s_client -showcerts -connect 80.94.97.61:443
Code:
CONNECTED(00000003)
depth=0 C = MC, ST = MONACO, L = Monaco, O = DENJS, OU = DENJS, CN = rucheconnectee.mc, emailAddress = fnguyen@gouv.mc
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MC, ST = MONACO, L = Monaco, O = DENJS, OU = DENJS, CN = rucheconnectee.mc, emailAddress = fnguyen@gouv.mc
verify return:1
---
Certificate chain
0 s:/C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc/emailAddress=fnguyen@gouv.mc
i:/C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc/emailAddress=fnguyen@gouv.mc
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
---
Server certificate
subject=/C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc/emailAddress=fnguyen@gouv.mc
issuer=/C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc/emailAddress=fnguyen@gouv.mc
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1611 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: XXXXXXXXXX
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
XXXXXXXXXXXXXXX
XXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXx
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
Start Time: 1666278785
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
closed
Code:
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/ca.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
So, does my webserver use the right SSL certificate or the first one that I had self-signed?
Thanks for your help!
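
One way to read the two pieces of evidence in the post above, as an added example that is not part of the original post: it parses an `openssl s_client` transcript to see whether the presented leaf certificate is self-signed, and lists which `SSL...File` directives are active (uncommented) in the Apache configuration. The sample inputs are abbreviated from the post's own output, and the function names are hypothetical.

```python
import re

# Constructed sample, abbreviated from the s_client output quoted in the post.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc
   i:/C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc
---
    Verify return code: 18 (self signed certificate)
"""

# Sample: the Apache SSL directives quoted in the post (first five lines).
SSL_CONF = """\
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/ca.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    subjects = re.findall(r"^[ \t]*\d+[ \t]+s:(.+)$", text, re.M)
    issuers = re.findall(r"^[ \t]*i:(.+)$", text, re.M)
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]

def verify_code(text):
    """Return OpenSSL's final 'Verify return code' as an int, or None."""
    m = re.search(r"Verify return code:\s*(\d+)", text)
    return int(m.group(1)) if m else None

def is_self_signed_leaf(text):
    """True if certificate 0 names itself as issuer, or OpenSSL reported code 18."""
    chain = parse_chain(text)
    same_name = bool(chain) and chain[0][0] == chain[0][1]
    return same_name or verify_code(text) == 18

def active_directives(conf):
    """Map each uncommented SSL...File directive to the path it loads."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(SSL\w+File)\s+(\S+)", line)  # '#' lines never match
        if m:
            found[m.group(1)] = m.group(2)
    return found

def summarize(s_client_text, conf_text):
    kind = "self-signed" if is_self_signed_leaf(s_client_text) else "CA-issued"
    cert = active_directives(conf_text).get("SSLCertificateFile")
    return f"presented certificate is {kind}; active SSLCertificateFile is {cert}"
```

Pass `summarize()` the full output of the `openssl s_client` command from the post and the text of the Apache SSL configuration file.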