I have a valid certificate but server throws an error saying it's expired

rocha7778 · April 12, 2023, 4:27pm

Good morning family I have a doubt about the following case:

I have a certificate mounted in a cowboy server ({:plug_cowboy, “~> 2.0”}), the certificate is still valid ( will be expired in two months), but the server throws an error saying :

[notice] [2023-04-12] [16:03:09.853] TLS :server: In state :certify at ssl_handshake.erl:2015 generated SERVER ALERT: Fatal - Certificate Expired

Maybe this has happened to someone before, I have been looking on the internet about the error, but I have not found anything useful yet.

any suggestion?

JeyHey · April 12, 2023, 4:43pm

Maybe you copied the certificate into your priv directory but forgot to also copy it into your _build directory.
Or your test machine has the wrong time.

rocha7778 · April 12, 2023, 4:47pm

Thank you very much, the time machine is correct, but I am not sure about the priv directory. let me check it.

voltone · April 12, 2023, 6:46pm

A server does not verify the expiry of its own certificate during the handshake, it must be checking the client’s certificate. Did you enable peer certificate verification on the server, and are you connecting with a client that has a client certificate? In that case please check the validity of the client’s certificate.

rocha7778 · April 12, 2023, 7:14pm

{Plug.Cowboy,
         scheme: :https,
         plug: plug,
         options: [
           port: AppConfig.get_port(),
           cipher_suite: :strong,
           password: passphrase,
           certfile:"/app/rel/elixir_pryect/priv/certs/certificate_file.corp.cert",
           keyfile: "/app/rel/elixir_pryect/priv/certs/ privatekey1.key",
           verify: :verify_peer,
           fail_if_no_peer_cert: true,
           cacertfile: castore_path
         ]}

this is my plug configuration, verify: :verify_peer is enabled. I realized that the server time is ahead by 5 hours. but the date is ok.

are you connecting with a client that has a client certificate?

yes of course I provided the public certificate and the expired date is in 5/26/2023

as is shown in the following image:

certificado

rocha7778 · April 12, 2023, 7:19pm

I realized that the private_key and the cert_file are written in runtime.

the relative path “/app/rel/elixir_pryect/priv/certs/ privatekey1.key” are created in runtime.
Maybe could be that?

using this code:

 def write_secret_key_to_file(secret_path, key, destination_path, content_of_private_key) do
        File.mkdir_p(Path.dirname(destination_path)),
        File.write(destination_path, to_string(content_of_private_key)) do
        Logger.debug("secret key #{key} written successfully")
  end
  
  
  destination_path =  "/app/rel/elixir_pryect/priv/certs/ privatekey1.key" 
  content_of_private_key = "-----BEGIN CERTIFICATE-----
                            ...
                            -----END CERTIFICATE-----"

is possible that in runtime a file cannot be created?

rocha7778 · April 13, 2023, 2:16am

In the end, I tested the production certificate file in the test environment and it showed that the certificate file really was expired.

So thank you for your suggestions, they were very helpful to me.

rocha7778 · April 18, 2023, 2:10pm

Hi, Family I have updated the certificate but I have the same issue.

I do not know what else to do.