Hello,
Several days ago, suddenly my app deploys started to fail and additionally all my deployed apps stopped working (empty UI content in the QRadar console).
In the docker logs (journalctl -u docker.service) I noticed errors like these:
May 11 03:56:05 localhost dockerd[14791]: http: TLS handshake error from 10.126.6.203:44148: tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid
May 11 03:56:08 localhost dockerd[14791]: http: TLS handshake error from 10.126.6.203:44174: tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid
May 11 03:56:15 localhost dockerd[14791]: http: TLS handshake error from 10.126.6.203:44274: tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid
May 11 03:56:25 localhost dockerd[14791]: http: TLS handshake error from 10.126.6.203:44398: tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid
I decided to check the QRadar-related certificates on my system, by running the following command:
for i in $(find /etc/conman/tls /etc/traefik/tls /etc/docker/tls /etc/vault-qrd/tls /etc/httpd/conf/certs /etc/pki/ca-trust/source/anchors \
    -type f \( -name "*.cert" -o -name "*.pem" -o -name "*.crt" \)); do
    echo "$i"
    openssl verify -CAfile /etc/pki/tls/cert.pem "$i"
done
The output is as follows:
/etc/conman/tls/conman.cert
/etc/conman/tls/conman.cert: OK
/etc/conman/tls/conman_ca.crt
/etc/conman/tls/conman_ca.crt: OK
/etc/traefik/tls/traefik.cert
/etc/traefik/tls/traefik.cert: OK
/etc/traefik/tls/docker/traefik-client-docker.cert
/etc/traefik/tls/docker/traefik-client-docker.cert: CN = localhost
error 10 at 0 depth lookup:certificate has expired
OK
/etc/traefik/tls/docker/si-docker_ca.crt
/etc/traefik/tls/docker/si-docker_ca.crt: OK
/etc/traefik/tls/traefik_ca.crt
/etc/traefik/tls/traefik_ca.crt: OK
/etc/docker/tls/si-docker.cert
/etc/docker/tls/si-docker.cert: OK
/etc/docker/tls/registry/docker-client-registry.cert
/etc/docker/tls/registry/docker-client-registry.cert: CN = localhost
error 10 at 0 depth lookup:certificate has expired
OK
/etc/docker/tls/registry/si-registry_ca.crt
/etc/docker/tls/registry/si-registry_ca.crt: OK
/etc/docker/tls/si-docker_ca.crt
/etc/docker/tls/si-docker_ca.crt: OK
/etc/vault-qrd/tls/vault-qrd.cert
/etc/vault-qrd/tls/vault-qrd.cert: CN = localhost
error 18 at 0 depth lookup:self signed certificate
OK
/etc/httpd/conf/certs/cert.cert
/etc/httpd/conf/certs/cert.cert: OK
/etc/pki/ca-trust/source/anchors/vault-qrd_ca.pem
/etc/pki/ca-trust/source/anchors/vault-qrd_ca.pem: OK
/etc/pki/ca-trust/source/anchors/vault-qrd_ca_int.pem
/etc/pki/ca-trust/source/anchors/vault-qrd_ca_int.pem: OK
/etc/pki/ca-trust/source/anchors/conman_ca.crt
/etc/pki/ca-trust/source/anchors/conman_ca.crt: OK
/etc/pki/ca-trust/source/anchors/QRadarSAML_ca.crt
/etc/pki/ca-trust/source/anchors/QRadarSAML_ca.crt: OK
/etc/pki/ca-trust/source/anchors/si-docker_ca.crt
/etc/pki/ca-trust/source/anchors/si-docker_ca.crt: OK
/etc/pki/ca-trust/source/anchors/si-registry_ca.crt
/etc/pki/ca-trust/source/anchors/si-registry_ca.crt: OK
/etc/pki/ca-trust/source/anchors/traefik_ca.crt
/etc/pki/ca-trust/source/anchors/traefik_ca.crt: OK
So it looks like two of the certificates, docker-client-registry.cert and traefik-client-docker.cert, have expired. Additionally, the vault-qrd certificate is self-signed (but this apparently is not an issue; the vault-qrd service starts and runs fine).
I decided to confirm the certificates in question have indeed expired several days ago:
openssl x509 -noout -text -in /etc/docker/tls/registry/docker-client-registry.cert | grep -i "not"
Not Before: Feb 3 15:04:04 2021 GMT
Not After : May 4 15:04:04 2021 GMT
My question is: is there an easy way to renew the certificates in question?
Best Regards,
Milen Rangelov
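Added example, not from the original post or from the QRadar product: a small POSIX sh script (it assumes the openssl CLI is available on the host) that walks the same directories and file patterns as the find command in the post and flags certificates that are already expired or will expire within a chosen number of days, using openssl x509 -checkend, so that this kind of outage is noticed before the "certificate has expired" handshake errors start.

```shell
#!/bin/sh
# Added example, not from the original post: flag QRadar-related certificates
# that are expired or about to expire, so the "certificate has expired" TLS
# handshake errors seen in the docker logs are caught before apps break.
# Assumes a Linux host with the openssl CLI; directory list mirrors the post.

QRADAR_TLS_DIRS="/etc/conman/tls /etc/traefik/tls /etc/docker/tls \
/etc/vault-qrd/tls /etc/httpd/conf/certs /etc/pki/ca-trust/source/anchors"

# Print the notAfter date of the certificate in $1.
cert_enddate() {
    line=$(openssl x509 -noout -enddate -in "$1")
    printf '%s\n' "${line#notAfter=}"
}

# Return 0 if the certificate in $1 stays valid for at least $2 more days
# (0 days = "is it valid right now"), 1 if it is expired or expires within
# that window, 2 if the file is not a parseable X.509 certificate.
cert_valid_for_days() {
    file=$1
    days=$2
    openssl x509 -noout -in "$file" >/dev/null 2>&1 || return 2
    # -checkend takes seconds and exits 1 when the cert will have expired by then
    openssl x509 -noout -in "$file" -checkend $((days * 86400)) >/dev/null 2>&1 \
        || return 1
    return 0
}

# Scan the space-separated directories in $1 for *.cert/*.pem/*.crt files,
# report each one, and return 1 if any certificate is expired or expiring
# within $2 days. Same file patterns as the post's find command.
scan_certs() {
    dirs=$1
    days=$2
    rc=0
    for f in $(find $dirs -type f \( -name "*.cert" -o -name "*.pem" -o -name "*.crt" \) 2>/dev/null); do
        cert_valid_for_days "$f" "$days" && st=0 || st=$?
        case $st in
            0) printf 'OK        %s (expires %s)\n' "$f" "$(cert_enddate "$f")" ;;
            1) printf 'EXPIRING  %s (expires %s)\n' "$f" "$(cert_enddate "$f")"; rc=1 ;;
            *) printf 'UNPARSED  %s\n' "$f" ;;
        esac
    done
    return $rc
}

# Usage on a QRadar host: warn 30 days ahead of expiry (e.g. from cron):
# scan_certs "$QRADAR_TLS_DIRS" 30
```

A non-zero exit from scan_certs is the signal to renew before the docker daemon starts rejecting the client certificate.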