How to prevent ‘Certificate for FILE “(CN: domain.com)” has expired!’ errors in your server
Earlier, only businesses that dealt with confidential information, such as credit card or online transactions, were bothered about their website security.
But with most advanced browsers now making HTTPS mandatory, and even Google considering it as a parameter for website ranking, every website is now getting an SSL certificate.
To enable HTTPS support for your websites and server, you need to install an SSL certificate for them. When installed on a web server, the SSL certificate allows it to initiate secure connections with the browser.
SSL certificate – The hassles involved, and how we tackle those
An SSL certificate generation process involves:
- Producing strong public and private keys that encrypt and decrypt the messages between the web server and the browser.
- Getting a CA (certificate authority) file from an organisation that validates the integrity of your SSL.
- Creating a certificate signing request (CSR) with the details of the website that requires SSL.
SSL certificates purchased from certificate authorities usually come at a cost, in packages such as monthly, annual, etc., which is why many website owners opt for self-signed certificates. But these don’t offer foolproof security.
However, with the emergence of Let’s Encrypt, a certificate authority that provides free SSL certificates for encryption, this cost factor is no longer a concern.
At Bobcares, we help server owners to install and set up Let’s Encrypt on their web servers – Apache, Nginx, IIS or any other software – and configure the free SSL for their websites.
Many server owners go into a relaxed mode once SSL is enabled for the web server, thinking that the data is secure. But that may not always be the case.
Configuration errors, outdated SSL protocols, weak ciphers, SSL vulnerabilities, etc. can break this secure communication and make the server prone to hacks.
By performing periodic server audits, keeping abreast of security vulnerabilities, and performing prompt security updates and patching, Bobcares engineers keep our customers’ servers safe and secure.
Every SSL certificate is valid for only a limited time period. Let’s Encrypt certificates are valid for only 90 days, in order to limit damage from key compromise and mis-issuance.
Also, different websites in your server may have different expiry dates for their SSL certificates. As a result, renewing the SSL certificates on time for all sites is a hassle for many server owners.
Bobcares engineers handle such SSL management issues by configuring ‘SSL check’ tools in the servers to review the certificate validity for all domains and renew the certificates before they expire.
What causes ‘Certificate for FILE “(CN: domain.com)” has expired!’ errors in server?
Every SSL certificate has an expiry date associated with it. It could vary from days to months. When you install a certificate, you need to be aware of its validity too.
An expired SSL certificate can break the encryption, disrupt the website’s functioning or drive visitors away from your site. So renewing the SSL certificate before it expires is vital for a website.
But, what if you do not renew this SSL on time? That is when you start getting alert mails from the server with the subject ‘Certificate for FILE “(CN: domain.com)” has expired!’
Some services and sites can run only with SSL. A website or a service running on an expired SSL can cease to function and lead to loss of business and downtime for customers.
How to fix ‘Certificate for FILE “(CN: domain.com)” has expired!’ alerts in server?
The immediate action to be taken when you get an email with the subject ‘Certificate for FILE “(CN: domain.com)” has expired!’, is to verify that the SSL file for that domain has expired.
If the SSL is expired, you need to promptly renew and update the SSL to ensure that the site functions fine and that the downtime is minimized.
However, in certain scenarios, we have noticed that even if the website shows the updated SSL, the SSL checker still sends notification mails saying that the certificate has expired.
This can happen in scenarios where there are any old SSL files present in the SSL folder in the server, or due to other configuration issues, which we identify and resolve to fix these alerts.
How we prevent ‘Certificate for FILE “(CN: domain.com)” has expired!’ errors in server
At Bobcares, when we configure Let’s Encrypt SSL in servers, we configure alert messages to notify that the SSL is going to expire, a few days before the expiry date itself.
Depending on the web server and the control panel in the server, we configure the location for the SSL files in the SSL ‘check and notify’ script.
This tool checks the validity of each SSL certificate in the server, its expiry date and the number of days left for the SSL to expire.
Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
FILE:/etc/haproxy/ssl/example1.org.pem          Valid        Jan 6 2017   78
FILE:/etc/haproxy/ssl/example2.org.pem          Valid        Jan 1 2017   73
FILE:/etc/haproxy/ssl/example3.org.pem          Valid        Jan 6 2017   78
When the certificate for a domain listed in the script is about to expire in, say, the next 15 days, the script sends a notification to the admin email we have configured, and we take proper steps to renew the SSL.
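The check described above, together with the false alert caused by old SSL files left in the SSL folder, sketched as an added example (not Bobcares' script): it reports the days left per PEM file against the 15-day threshold and marks an expiring or expired file as Stale when a newer certificate for the same CN is also present. The sample records, the Stale heuristic and the function names are assumptions; reading real files assumes the openssl CLI is installed.

```python
import ssl
import subprocess
import sys
import time

WARN_DAYS = 15  # alert threshold from the article's example
SAMPLE = [  # constructed (path, CN, notAfter) records, not real certificates
    ("/etc/haproxy/ssl/example2.org.pem", "example2.org", "Oct 30 12:00:00 2016 GMT"),
    ("/etc/haproxy/ssl/example3.org.pem", "example3.org", "Jan  6 12:00:00 2017 GMT"),
    ("/etc/haproxy/ssl/example3.org.old.pem", "example3.org", "Oct 10 12:00:00 2016 GMT"),
    ("/etc/haproxy/ssl/example4.org.pem", "example4.org", "Oct 19 12:00:00 2016 GMT"),
]
NOW = ssl.cert_time_to_seconds("Oct 20 12:00:00 2016 GMT")  # constructed "today"

def read_cert(path):
    """Return (CN, notAfter) for one PEM file; assumes the openssl CLI is installed."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout",
         "-subject", "-nameopt", "RFC2253", "-enddate"],
        capture_output=True, text=True, check=True).stdout
    fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    rdns = dict(p.strip().split("=", 1) for p in fields["subject"].split(",") if "=" in p)
    return rdns.get("CN", "?"), fields["notAfter"]

def audit(certs, now, warn_days=WARN_DAYS):
    """Classify each (path, cn, not_after) record; returns (path, cn, status, days)."""
    parsed = [(path, cn, ssl.cert_time_to_seconds(na)) for path, cn, na in certs]
    newest = {}  # latest expiry seen per CN, to spot leftover files
    for _, cn, exp in parsed:
        newest[cn] = max(newest.get(cn, 0), exp)
    rows = []
    for path, cn, exp in parsed:
        days = (exp - now) // 86400
        renewed = newest[cn] > exp and newest[cn] - now >= warn_days * 86400
        if days >= warn_days:
            status = "Valid"
        elif renewed:
            status = "Stale"  # a healthy cert for this CN exists: old file left behind
        else:
            status = "Expired" if exp <= now else "Expiring"
        rows.append((path, cn, status, int(days)))
    return rows

if __name__ == "__main__":
    paths = sys.argv[1:]  # PEM files to check; with none, use the sample
    certs = [(p, *read_cert(p)) for p in paths] if paths else SAMPLE
    now = time.time() if paths else NOW
    for path, cn, status, days in audit(certs, now):
        print(f"{path:42} {cn:14} {status:9} {days:5}")
```

Run it with PEM paths as arguments to check real files; a Stale row points at an old file to clear out of the checked folder, while Expiring and Expired rows need a renewal.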
Our engineers take actions to renew the SSL on time, without letting them expire and affect the website security. This will help us to ensure that no sites or services are down because of SSL issues.
‘Certificate for FILE “(CN: domain.com)” has expired!’ is an alert that is generated when the SSL certificate for a domain has expired. Monitoring SSL validity and renewing on time are vital to avoid downtime. Today we’ve seen how we perform SSL management in our customers’ servers to ensure smooth functioning of websites and services.