TransWikia.com

Expired SSL Certificate still showing up on security scans

Super User Asked by Alex Bertens on December 30, 2020

When I run a security scan, it tells me I have a vulnerability. I added "!" before the certificate name in /etc/ca-certificates.conf, saved, ran update-ca-certificates -f, and restarted the Apache server. Is there anything I am missing that I need to do to remove this expired certificate?

Security Scan Results Screenshot

One Answer

Your Apache service is presenting an expired certificate in the chain to clients. Specifically, this one which expired in May. As the linked page says, there is a replacement available which is valid until 2028.

Apache's configuration file points to a file containing the chain of certificates which it presents to the clients. This is configured with the SSLCertificateFile directive.

In your Ubuntu installation, the Apache config file containing this directive is somewhere within /etc/apache2. Where exactly depends on which instructions you used to configure TLS. You need to find the config file and then the file pointed to by the above directive. It is this latter file which contains your certificate chain.

The file contains multiple certificates, each delineated with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. You need to re-create this file (back it up first!) with your server certificate first, followed by the replacement certificate. Once you've done that, restart Apache and you should stop getting the error.

Correct answer by garethTheRed on December 30, 2020
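
One way to carry out the inspection the answer describes, as an added example that is not part of the original answer: locate the files named by SSLCertificateFile under /etc/apache2, then report the expiry of every certificate in each chain file. The function names chain_files and check_chain are made up for this example, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original answer).

# chain_files [DIR]: print the files named by active (uncommented)
# SSLCertificateFile directives under an Apache config directory.
chain_files() {
    grep -RhiE '^[[:space:]]*SSLCertificateFile[[:space:]]+' "${1:-/etc/apache2}" 2>/dev/null |
        awk '{ print $2 }' | tr -d '"' | sort -u
}

# check_chain FILE [SECONDS]: print "index status notAfter subject" for each
# certificate in FILE, in the order the server presents them.
# Returns 0 if every certificate stays valid for at least SECONDS more
# (default 0, i.e. "not expired now"), 1 if any does not, 2 on error.
check_chain() {
    local bundle="$1" within="${2:-0}" tmp pem status bad rc=0 i=0
    [ "$within" -eq 0 ] && bad=EXPIRED || bad=EXPIRING
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per PEM block: cert-00.pem, cert-01.pem, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%02d.pem", dir, n++) }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for pem in "$tmp"/cert-*.pem; do
        [ -e "$pem" ] || { echo "no certificates found in $bundle" >&2; rc=2; break; }
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if openssl x509 -in "$pem" -noout -checkend "$within" >/dev/null; then
            status=OK
        else
            status=$bad; rc=1
        fi
        printf '%d %s %s %s\n' "$i" "$status" \
            "$(openssl x509 -in "$pem" -noout -enddate)" \
            "$(openssl x509 -in "$pem" -noout -subject)"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Typical use on the server (reading the chain file may require root):
#   for f in $(chain_files); do echo "== $f"; check_chain "$f"; done
```

Run it again after re-creating the chain file and restarting Apache: every line should then read OK, with the server certificate at index 0.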
