Updated SSL cert expiration date not refreshing
list Tech Support
I recently renewed some SSL certs for our
domain. Xymon was testing the https addresses and was correctly
showing the ciphers and expiration date. But after I renewed and
applied the certs to our servers Xymon still shows the old
expiration date on one of our IIS servers, not the new date. The
issue is only appearing when Xymon tests our IIS server, not a
different Linux server which shows the correct updated date. The
SSL certs were applied correctly to the IIS server and all
browsers and external tests show accurate dates, but not Xymon.
Any idea why this would occur? IIS server is running IIS 8.5
Thanks.
Kris Springer
Thanks.
Kris Springer
list Scot Kreienkamp
What does it say for dates if you examine the cert with curl –v on the command line? Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: XXX-XXX-XXXX | | Mobile: XXXXXXXXXX | Email: user-9678697f1438@xymon.invalid
▸
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Tech Support
Sent: Friday, December 9, 2016 10:12 AM
To: Xymon MailingList
Subject: [Xymon] Updated SSL cert expiration date not refreshing
I recently renewed some SSL certs for our domain. Xymon was testing the https addresses and was correctly showing the ciphers and expiration date. But after I renewed and applied the certs to our servers Xymon still shows the old expiration date on one of our IIS servers, not the new date. The issue is only appearing when Xymon tests our IIS server, not a different Linux server which shows the correct updated date. The SSL certs were applied correctly to the IIS server and all browsers and external tests show accurate dates, but not Xymon. Any idea why this would occur? IIS server is running IIS 8.5
Thanks.
Kris Springer
This message is intended only for the individual or entity to which it is addressed. It may contain privileged, confidential information which is exempt from disclosure under applicable laws. If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information. If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.
list Tech Support
The curl command shows the date accurately. Thank you. Kris Springer Signature - Support
▸
On 12/9/2016 7:38 AM, Scot Kreienkamp wrote:What does it say for dates if you examine the cert with curl –v on the command line? *Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate* One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: XXX-XXX-XXXX | | Mobile: XXXXXXXXXX | Email: user-9678697f1438@xymon.invalid
*From:*Xymon [mailto:xymon-bounces at xymon.com] *On Behalf Of *Tech Support
▸
*Sent:* Friday, December 9, 2016 10:12 AM
*To:* Xymon MailingList
*Subject:* [Xymon] Updated SSL cert expiration date not refreshing
I recently renewed some SSL certs for our domain. Xymon was testing the https addresses and was correctly showing the ciphers and expiration date. But after I renewed and applied the certs to our servers Xymon still shows the old expiration date on one of our IIS servers, not the new date. The issue is only appearing when Xymon tests our IIS server, not a different Linux server which shows the correct updated date. The SSL certs were applied correctly to the IIS server and all browsers and external tests show accurate dates, but not Xymon. Any idea why this would occur? IIS server is running IIS 8.5
Thanks.
Kris Springer
list Japheth Cleaver
Was the curl test done from the same Linux server as xymon or a different ont? Xymon's network tester (xymonnet) is completely re-executed for each run, so there's not very much that can be cached on the polling system that could cause it to return an older set. Is the test timestamp up to date on the actual test in question? Also: Which version of xymon are you running, and is the site using SNI by any chance? -jc
▸
On 12/9/2016 8:28 AM, Tech Support wrote:The curl command shows the date accurately. Thank you. Kris Springer Signature - Support On 12/9/2016 7:38 AM, Scot Kreienkamp wrote:What does it say for dates if you examine the cert with curl –v on the command line? *Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate* One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: XXX-XXX-XXXX | | Mobile: XXXXXXXXXX | Email: user-9678697f1438@xymon.invalid *From:*Xymon [mailto:xymon-bounces at xymon.com] *On Behalf Of *Tech Support *Sent:* Friday, December 9, 2016 10:12 AM *To:* Xymon MailingList *Subject:* [Xymon] Updated SSL cert expiration date not refreshing I recently renewed some SSL certs for our domain. Xymon was testing the https addresses and was correctly showing the ciphers and expiration date. But after I renewed and applied the certs to our servers Xymon still shows the old expiration date on one of our IIS servers, not the new date. The issue is only appearing when Xymon tests our IIS server, not a different Linux server which shows the correct updated date. The SSL certs were applied correctly to the IIS server and all browsers and external tests show accurate dates, but not Xymon. Any idea why this would occur? IIS server is running IIS 8.5 Thanks. Kris Springer
list Tech Support
Yes, curl test is from Xymon server. Yes, timestamp of Xymon test is current. Xymon version 4.3.25 Ubuntu 16.04 Regarding SNI, the site in question is IIS, not Apache. The cert is a wildcard for our domain so it shows as *.domainname.com
▸
Thank you.
Kris Springer
Signature - Support
On 12/9/2016 8:49 AM, Japheth Cleaver wrote:Was the curl test done from the same Linux server as xymon or a different ont? Xymon's network tester (xymonnet) is completely re-executed for each run, so there's not very much that can be cached on the polling system that could cause it to return an older set. Is the test timestamp up to date on the actual test in question? Also: Which version of xymon are you running, and is the site using SNI by any chance? -jc On 12/9/2016 8:28 AM, Tech Support wrote:The curl command shows the date accurately. Thank you. Kris Springer Signature - Support On 12/9/2016 7:38 AM, Scot Kreienkamp wrote:What does it say for dates if you examine the cert with curl –v on the command line? *Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate* One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: XXX-XXX-XXXX | | Mobile: XXXXXXXXXX | Email: user-9678697f1438@xymon.invalid *From:*Xymon [mailto:xymon-bounces at xymon.com] *On Behalf Of *Tech Support *Sent:* Friday, December 9, 2016 10:12 AM *To:* Xymon MailingList *Subject:* [Xymon] Updated SSL cert expiration date not refreshing I recently renewed some SSL certs for our domain. Xymon was testing the https addresses and was correctly showing the ciphers and expiration date. But after I renewed and applied the certs to our servers Xymon still shows the old expiration date on one of our IIS servers, not the new date. The issue is only appearing when Xymon tests our IIS server, not a different Linux server which shows the correct updated date. The SSL certs were applied correctly to the IIS server and all browsers and external tests show accurate dates, but not Xymon. Any idea why this would occur? IIS server is running IIS 8.5 Thanks. Kris Springer
list Phil Crooker
The old certificate is probably still enabled for a service somewhere - we had a similar issue where the old certificate was in fact enabled for a service but this was only evident after a reboot. Why don't you just remove it from the windows system?
▸
From: Xymon <xymon-bounces at xymon.com> on behalf of Tech Support <user-800263fcb636@xymon.invalid>
Sent: Saturday, 10 December 2016 3:45 AM
To: Japheth Cleaver; Scot Kreienkamp; Xymon MailingList
Subject: Re: [Xymon] Updated SSL cert expiration date not refreshing
Yes, curl test is from Xymon server.
Yes, timestamp of Xymon test is current.
Xymon version 4.3.25
Ubuntu 16.04
Regarding SNI, the site in question is IIS, not Apache. The cert is a
wildcard for our domain so it shows as *.domainname.com
Thank you.
Kris Springer
Signature - Support
On 12/9/2016 8:49 AM, Japheth Cleaver wrote:Was the curl test done from the same Linux server as xymon or a different ont? Xymon's network tester (xymonnet) is completely re-executed for each run, so there's not very much that can be cached on the polling system that could cause it to return an older set. Is the test timestamp up to date on the actual test in question? Also: Which version of xymon are you running, and is the site using SNI by any chance? -jc On 12/9/2016 8:28 AM, Tech Support wrote:The curl command shows the date accurately. Thank you. Kris Springer Signature - Support On 12/9/2016 7:38 AM, Scot Kreienkamp wrote:What does it say for dates if you examine the cert with curl –v on the command line? *Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate* One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: XXX-XXX-XXXX | | Mobile: XXXXXXXXXX | Email: user-9678697f1438@xymon.invalid *From:*Xymon [mailto:xymon-bounces at xymon.com] *On Behalf Of *Tech Support *Sent:* Friday, December 9, 2016 10:12 AM *To:* Xymon MailingList *Subject:* [Xymon] Updated SSL cert expiration date not refreshing I recently renewed some SSL certs for our domain. Xymon was testing the https addresses and was correctly showing the ciphers and expiration date. But after I renewed and applied the certs to our servers Xymon still shows the old expiration date on one of our IIS servers, not the new date. The issue is only appearing when Xymon tests our IIS server, not a different Linux server which shows the correct updated date. The SSL certs were applied correctly to the IIS server and all browsers and external tests show accurate dates, but not Xymon. Any idea why this would occur? IIS server is running IIS 8.5 Thanks. Kris Springer
list Tech Support
RESOLVED: For closure to this issue, here's what resolved it. I
manually deleted the old cert from the server and rebooted. This
particular server also functions as a Remote Desktop Management
server, which start throwing cert warnings to RD users after I
deleted the old cert. I looked in the 'RD Gateway Manager' and sure
enough, the new cert was not applied. So I applied the new cert and
immediately Xymon's HTTPS tests went green. I'm confused as to why
this RD Gateway cert would have anything to do with IIS tests
failing for Xymon because as I've said in previous posts all
browsers recognized the new cert in IIS just fine. Only Xymon tests
had an issue.
Final comments: It's a good thing that the Xymon tests were flagging that something was wrong, because it forced me to dig deeper into our server to resolve an unseen issue. Thank you Xymon community for supplying ideas for me to look into.
Thank you.
Kris Springer
Final comments: It's a good thing that the Xymon tests were flagging that something was wrong, because it forced me to dig deeper into our server to resolve an unseen issue. Thank you Xymon community for supplying ideas for me to look into.
Thank you.
Kris Springer
▸
On 12/11/2016 3:03 PM, Phil Crooker wrote:The old certificate is probably still enabled for a service somewhere - we had a similar issue where the old certificate was in fact enabled for a service but this was only evident after a reboot. Why don't you just remove it from the windows system? ________________________________________ From: Xymon on behalf of Tech Support Sent: Saturday, 10 December 2016 3:45 AM To: Japheth Cleaver; Scot Kreienkamp; Xymon MailingList Subject: Re: [Xymon] Updated SSL cert expiration date not refreshing Yes, curl test is from Xymon server. Yes, timestamp of Xymon test is current. Xymon version 4.3.25 Ubuntu 16.04 Regarding SNI, the site in question is IIS, not Apache. The cert is a wildcard for our domain so it shows as *.domainname.com Thank you. ------------------------------------------------ Kris Springer Signature - Support On 12/9/2016 8:49 AM, Japheth Cleaver wrote:Was the curl test done from the same Linux server as xymon or a different ont? Xymon's network tester (xymonnet) is completely re-executed for each run, so there's not very much that can be cached on the polling system that could cause it to return an older set. Is the test timestamp up to date on the actual test in question? Also: Which version of xymon are you running, and is the site using SNI by any chance? -jc On 12/9/2016 8:28 AM, Tech Support wrote:The curl command shows the date accurately. Thank you. ------------------------------------------------ Kris Springer Signature - Support On 12/9/2016 7:38 AM, Scot Kreienkamp wrote:What does it say for dates if you examine the cert with curl –v on the command line? *Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate* One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: XXX-XXX-XXXX | | Mobile: XXXXXXXXXX | Email: user-9678697f1438@xymon.invalid
*From:*Xymon [mailto:xymon-bounces@xymon.com] *On Behalf Of *Tech
▸
Support *Sent:* Friday, December 9, 2016 10:12 AM *To:* Xymon MailingList *Subject:* [Xymon] Updated SSL cert expiration date not refreshing I recently renewed some SSL certs for our domain. Xymon was testing the https addresses and was correctly showing the ciphers and expiration date. But after I renewed and applied the certs to our servers Xymon still shows the old expiration date on one of our IIS servers, not the new date. The issue is only appearing when Xymon tests our IIS server, not a different Linux server which shows the correct updated date. The SSL certs were applied correctly to the IIS server and all browsers and external tests show accurate dates, but not Xymon. Any idea why this would occur? IIS server is running IIS 8.5 Thanks. Kris Springer
Xymon@xymon.comXymon@xymon.com