This is a bit of a weird one.
Every morning I get an email telling me one of my certificates is expired.
################# SSL Certificate Warning ################
Certificate for hostname '*.floodtrack.com', in file (or by nickname):
/etc/pki/tls/certs/wildcard.floodtrack.com.crt
The certificate needs to be renewed; this can be done
using the 'genkey' program.
Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.
##########################################################
Generated by certwatch(1)
Where this is coming from is a frustrating mystery.
Running certwatch from the command line generates no output and a status code indicating the cert is good or cannot be parsed (status code 1).
sudo /usr/bin/certwatch /etc/pki/tls/certs/wildcard.floodtrack.com.crt;echo $?
1
Running the wrapper script at /etc/cron.daily/certwatch by hand does not generate an email, and openssl reports the cert has not expired:
openssl x509 -noout -text -startdate -enddate -in /etc/pki/tls/certs/wildcard.floodtrack.com.crt
notBefore=Sep 20 00:00:00 2020 GMT
notAfter=Oct 21 23:59:59 2021 GMT
Apache is picking up and using the correct cert.
Everything about the email looks legitimate but it is obviously wrong. Any ideas on why it is happening and how to fix it?
Possibly you are not investigating the same file as the utility that generates the mail.
This one expired, this one has not expired - a good explanation, despite precisely matching file paths, is that you have run your
openssl x509
on a different machine or container (or on a machine with the time/date set up differently) than the utility that generated your mail. Most likely you can figure out who exactly sent you the mail by looking at the email's raw source; there is probably a more descriptive host name somewhere in the headers. Then locate that machine and figure out why it has an older certificate installed.
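A way to do the header check the answer describes, as an added example that is not part of the original thread: the script below takes the raw source of a certwatch mail, pulls the first-hop host out of the Received: chain (MTAs prepend Received: headers, so the last one is the machine cron ran on), cross-checks it against the Message-ID domain, extracts the hostname and file path certwatch complained about, and evaluates the cert's notAfter by the sender's own clock rather than yours, which covers the "time/date set up differently" case. The sample mail, its host names, IP addresses and Message-ID are all constructed for the example.

```python
"""Triage a certwatch warning mail: which host sent it, and what did it see?

Added example, not code from the original thread. The raw mail below is
constructed; every host name, IP address and Message-ID in it is an assumption.
"""
import email
import re
from datetime import datetime, timezone
from email import policy
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample mail. MTAs prepend Received: headers as the message
# travels, so the LAST Received: header is the first hop, i.e. the machine
# on which cron ran certwatch. Everything named here is invented.
SAMPLE_RAW_MAIL = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby imap.example.com with ESMTP; Mon, 4 Oct 2021 06:25:03 +0000
Received: from web-old-01.example.com (localhost [127.0.0.1])
\tby web-old-01.example.com (Postfix) with ESMTP id 1234ABCD;
\tMon, 4 Oct 2021 06:25:01 +0000
From: "(Cron Daemon)" <root@web-old-01.example.com>
To: root@web-old-01.example.com
Subject: Cron <root@web-old-01> run-parts /etc/cron.daily
Message-ID: <20211004062501.1234ABCD@web-old-01.example.com>
Date: Mon, 4 Oct 2021 06:25:01 +0000

################# SSL Certificate Warning ################

  Certificate for hostname '*.floodtrack.com', in file (or by nickname):
    /etc/pki/tls/certs/wildcard.floodtrack.com.crt

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

##########################################################
                                  Generated by certwatch(1)
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
CERT_LINE = re.compile(r"Certificate for hostname '([^']+)'")
PATH_LINE = re.compile(r"^\s*(/\S+)\s*$", re.MULTILINE)


def originating_host(raw_mail: str) -> Optional[str]:
    """Host named in the earliest Received: header (the last one in the list)."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    m = RECEIVED_FROM.match(str(hops[-1]).strip())
    return m.group(1) if m else None


def message_id_host(raw_mail: str) -> Optional[str]:
    """Domain part of Message-ID; cron/sendmail stamp the local host name there."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    m = re.search(r"@([^>\s]+)", str(msg.get("Message-ID", "")))
    return m.group(1) if m else None


def certwatch_fields(raw_mail: str) -> dict:
    """Hostname and file path quoted in the certwatch warning body."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    body = msg.get_payload()
    host = CERT_LINE.search(body)
    path = PATH_LINE.search(body)
    return {
        "cert_hostname": host.group(1) if host else None,
        "cert_path": path.group(1) if path else None,
    }


def expiry_days_left(not_after_line: str, as_of: datetime) -> int:
    """Whole days from `as_of` to the notAfter printed by `openssl x509 -enddate`.

    Negative means the certificate was already expired by that clock. Passing
    the mail's own Date: as `as_of` judges the cert by the sender's clock, which
    is the comparison that matters when the sender's date may be wrong.
    """
    value = not_after_line.split("=", 1)[1].strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    not_after = datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return (not_after - as_of).days


def triage(raw_mail: str) -> dict:
    """Everything needed to go find the box that sent the warning."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    return {
        "first_hop": originating_host(raw_mail),
        "message_id_host": message_id_host(raw_mail),
        "sent_at": parsedate_to_datetime(str(msg["Date"])),
        **certwatch_fields(raw_mail),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RAW_MAIL)
    for key, val in report.items():
        print(f"{key:16} {val}")
    # The notAfter the asker saw on the machine they checked, by the sender's clock:
    print("days left by sender clock:",
          expiry_days_left("notAfter=Oct 21 23:59:59 2021 GMT", report["sent_at"]))
```

If the first hop and the Message-ID domain disagree, trust the Received: chain; the From: and Message-ID are set by the sending host and are the easier ones to get wrong. Once you have the host, compare `openssl x509 -noout -fingerprint -sha256 -in <path>` there against the same file on the machine you checked: a different fingerprint means an older certificate, an identical one with a different verdict points at the clock.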
Turns out the two machines and at least one other were resurrected in VMWare. How, I do not know, but it was those that were sending the anomalous messages. I shut them down, which should stop the false alerts -- unless some nimrod turns them back on again...