Friday, April 19, 2024
rated 0 times [  7] [ 0]  / answers: 1 / hits: 7788  / 3 Years ago, wed, july 21, 2021, 4:06:24

Windows XP keeps using the snakeoil certificate that Ubuntu shipped with, despite the fact that it has never been used in any virtual host ever.



The certificate is located at



/etc/ssl/certs/ssl-cert-snakeoil.pem


I'm not sure where the key is. The only one I see that seems plausible is at



/etc/ssl/private/ssl-cert-snakeoil.key


I think the CA certificate is at



/etc/ssl/certs/ca-certificates.crt


but I'm just not sure.



So far I've tried various openssl commands, such as



openssl ca -keyfile /etc/ssl/private/ssl-cert-snakeoil.key \
    -revoke /etc/ssl/certs/ssl-cert-snakeoil.pem \
    -cert /etc/ssl/certs/ca-certificates.crt


The output from that one was



Using configuration from /usr/lib/ssl/openssl.cnf
CA certificate and CA private key do not match
14805:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:406:


I'm all out of ideas. Any help is greatly appreciated.



EDIT



Here is what happened:



I bought a certificate from GeoTrust, installed it, activated the new virtualhost using that certificate, and restarted apache2. At no point in the lifetime of this server has any other certificate ever been used to secure web traffic, let alone the snakeoil certificate. Windows Vista and up, as well as OSX and all Linux distributions that I've tested use the correct certificate. Windows XP uses the snakeoil certificate (in IE. No other browsers on that VM). Here are some screenshots:



The correct certificate loaded in Chrome



The incorrect certificate loaded in IE 8 on Windows XP



 Answers
2

Given the extra information you've provided, it is probably easier for me to start another answer.



It doesn't appear that the dummy "snakeoil" certificate is being presented to the Windows client. The "snakeoil" certificate is generated with a subject of CN=Ubuntu, while the certificate being presented to the Windows box has a subject of CN=Production. So we're looking at a third certificate here.



I can see the same certificate if I connect to your server with OpenSSL's s_client:



$ openssl s_client -connect portal.avendimedia.com:443
...
Certificate chain
0 s:/CN=Production
i:/CN=Production
...


What I believe is happening is that you've configured your web server to use the Server Name Indication extension. This extension is designed to let a server present different certificates depending on which host name the client wants to connect to.



This works fine in most modern browsers, but does not work in Internet Explorer on Windows versions prior to Vista. At this point, it seems highly unlikely that Microsoft will update the SSL libraries on Windows XP to support the SNI extension.



If you need your site to work with Internet Explorer on XP, see if you can remove the references to this other SSL host running on the same IP address from your Apache configuration.


[#39817] Thursday, July 22, 2021
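The SNI fallback described in the answer can be checked by asking the server for its certificate once with the server name extension and once without it, then comparing the leaf subjects. The script below is an added example, not part of the original question or answer; the function names (leaf_subject, sni_verdict, sni_probe) are hypothetical and the embedded sample output is constructed.

```shell
#!/bin/sh
# Added example: does a server hand non-SNI clients a different certificate?

# Read `openssl s_client` output on stdin and print the leaf ("0 s:") subject.
# Handles both "0 s:/CN=x" (older OpenSSL) and " 0 s:CN = x" (newer) layouts.
leaf_subject() {
    awk '/^ *0 s:/ { sub(/^ *0 s:[ \t]*/, ""); print; exit }'
}

# Compare the subject seen with SNI ($1) to the one seen without it ($2).
# "differs" means clients that cannot send SNI get another certificate.
sni_verdict() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "incomplete"
    elif [ "$1" = "$2" ]; then
        echo "same"
    else
        echo "differs"
    fi
}

# Live check: sni_probe HOST [PORT]. -noservername needs OpenSSL 1.1.1 or later.
sni_probe() {
    target="$1:${2:-443}"
    with_sni=$(openssl s_client -connect "$target" -servername "$1" \
        </dev/null 2>/dev/null | leaf_subject)
    without_sni=$(openssl s_client -connect "$target" -noservername \
        </dev/null 2>/dev/null | leaf_subject)
    echo "with SNI:    ${with_sni:-<none>}"
    echo "without SNI: ${without_sni:-<none>}"
    sni_verdict "$with_sni" "$without_sni"
}

# Constructed sample output (not captured from a real server).
sample_with_sni=' 0 s:/CN=www.example.test
   i:/CN=Example Issuing CA'
sample_without_sni=' 0 s:/CN=Production
   i:/CN=Production'

if [ -n "${1:-}" ]; then
    sni_probe "$@"      # host given on the command line: probe it
else
    sni_verdict "$(printf '%s\n' "$sample_with_sni" | leaf_subject)" \
                "$(printf '%s\n' "$sample_without_sni" | leaf_subject)"
fi
```

Run it with a host name as the first argument for a live check; with no argument it evaluates the constructed sample only.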
oraoming