Netgate Discussion Forum

    "Dead" certificates warnings !!!

    • chudak

      Hello all

      After upgrading to 2.5.0 I started seeing warnings like this:

      Certificate Manager
      The following CA/Certificate entries are expiring:
      Certificate Authority: Acmecert: O=Let's Encrypt, CN=Let's Encrypt Authority X3, C=US (5c40faedc89d0): Expiring soon, in 20 days
      Certificate: XYZ1 (5c52668400b69): Expired 127 days ago
      Certificate: XYZ2 (5f4693a1c361a): Expired 92 days ago @ 2021-02-25 03:01:00
      

      The problem is that both certificates for servers XYZ1 and
      XYZ2 were removed a long time ago!

      I guess this is stuck somewhere in my config.
      Any ideas where and how to clean this up?

      Thx

      • viktor_g Netgate @chudak

        @chudak Could you check for these certificates in /cf/conf/config.xml?

        • chudak @viktor_g

          @viktor_g said in "Dead" certificates warnings !!!:

          @chudak Could you check for these certificates in /cf/conf/config.xml?

          Yes I see them there.
          As:

          <dyndns>
          <type>custom</type>
          <username><![CDATA[admin]]></username>
          <password><![CDATA[TGlzYTMxMDExOA==]]></password>
          <host></host>
          <domainname></domainname>
          <mx></mx>
          <interface>wan</interface>
          <zoneid></zoneid>
          <ttl></ttl>
          <updateurl>http://api.dynu.com/nic/update?hostname=XYZ&password=lisa12</updateurl>
          <resultmatch>good|nochg|good %IP%r</resultmatch>
          <requestif>wan</requestif>
          <descr><![CDATA[XYZ DNS]]></descr>
          <id>6</id>
          </dyndns>

          Can the entire section be removed?
          Odd that it's never happened before 2.5.0, why ?

          Thx

          • chudak @chudak

            @chudak

            Also in

            <cert>
            	<refid>5f4693a1c361a</refid>
            	<descr><![CDATA[XYZ]]></descr>
            ..........	
            </cert>
            

            That's the one I need to remove, I guess?

            @viktor_g I think the real question is why they are stuck in /cf/conf/config.xml and not shown in GUI?

            • jimp Rebel Alliance Developer Netgate

              Just remove the entries from the CA and Certificate tabs of the certificate manager (not ACME).

              The X3 CA is old and isn't needed by anything current. If it shows as in use, then any cert that is signed by it needs to also be removed since there is no way they are valid.

              If you do need the certs, fix them in ACME so they get renewed properly and then they should show as being signed by the Let's Encrypt R3 CA or similar, and the old entries can be removed from the cert manager.

              Certificate manager entries aren't going to be automatically cleaned up since we can't predict whether the administrator is still using them on purpose.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!
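
Added example (not part of any post in this thread, and not Netgate code): a read-only check, run against a copy of config.xml, that maps each refid from the warning to its `<ca>` or `<cert>` entry and lists every other element whose value is that refid, which is the "in use" question to settle before removing an entry. The sample config is constructed; the `<ca>`, `<caref>` and `<ssl-certref>` elements and the refid `60a1b2c3d4e5f` are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the <cert> entries quoted in the thread.
# <ca>, <caref>, <ssl-certref> and refid 60a1b2c3d4e5f are assumptions.
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><ssl-certref>60a1b2c3d4e5f</ssl-certref></webgui></system>
  <ca><refid>5c40faedc89d0</refid><descr><![CDATA[Acmecert X3]]></descr></ca>
  <cert><refid>5c52668400b69</refid><descr><![CDATA[XYZ1]]></descr>
        <caref>5c40faedc89d0</caref></cert>
  <cert><refid>5f4693a1c361a</refid><descr><![CDATA[XYZ2]]></descr>
        <caref>5c40faedc89d0</caref></cert>
  <cert><refid>60a1b2c3d4e5f</refid><descr><![CDATA[GUI cert]]></descr></cert>
</pfsense>"""


def audit_refids(config_xml, warned_refids):
    """Map each warned refid to its entry type, description and users."""
    root = ET.fromstring(config_xml)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    entries = {}
    for tag in ("ca", "cert"):
        for node in root.iter(tag):
            refid = (node.findtext("refid") or "").strip()
            if refid:
                entries[refid] = (tag, (node.findtext("descr") or "").strip())
    report = {}
    for refid in warned_refids:
        if refid not in entries:
            report[refid] = None  # warning names an entry config.xml lacks
            continue
        users = []
        for elem in root.iter():
            # Any element other than <refid> holding this value is a reference.
            if elem.tag != "refid" and (elem.text or "").strip() == refid:
                parent = parent_of[elem]
                owner = (parent.findtext("descr") or "").strip()
                label = f"{parent.tag}/{elem.tag}"
                users.append(f"{label} ({owner})" if owner else label)
        kind, descr = entries[refid]
        report[refid] = {"type": kind, "descr": descr, "used_by": users}
    return report


if __name__ == "__main__":
    warned = ["5c40faedc89d0", "5c52668400b69", "5f4693a1c361a"]
    for refid, info in audit_refids(SAMPLE_CONFIG, warned).items():
        print(refid, info)
```

On the sample, the X3 CA is reported as still referenced by both expired certificates, while the certificates themselves have no remaining users.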

              • chudak @jimp

                @jimp

                Removed the two offending entries from the Certificate tabs of the certificate manager, hope I will see no warnings tomorrow.

                Thx

                • Gertjan @chudak

                  As discussed here a month ago : Let's Encrypt Certificate Authority Expiring soon : do what has been suggested over there.

                  We have 2.5.0 now, the GUI warns us.
                  Still, up to us to use the buttons.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.