Article ID: kb00300Last Modified: 12-Jan-2025

SSL Certificate Issue Detected (code 1007)

Situation

A backup or restore plan failed on the start with the SSL Certificate Issue Detected error message:

SSL certificate issue is detected on the host... (Code: 1007)...

Cause

This error occurs when any of the following SSL certificate issues is detected on the specified host:

  • Expired Certificate: The certificate has passed its expiration date.
  • Mismatch in Hostname: The certificate's Common Name (CN) or Subject Alternative Name (SAN) does not match %host%.
  • Untrusted Certificate Authority (CA): The certificate is signed by an untrusted or unknown CA.
  • Incomplete Certificate Chain: Intermediate certificates are missing, preventing browsers or clients from validating the SSL chain.

Solutions

How to Handle This Issue for Your Self-Signed or Third Party Certificate.

  1. Check Certificate Details
    • Use an online tool like SSL Labs or a command-line tool to inspect the certificate.
    • Verify:
      • Expiration date.
      • Hostname matches the CN or SAN fields.
      • Certificate chain completeness.
      • Trustworthiness of the CA.
  2. Renew or Replace the Certificate
    • If the certificate has expired, generate a new one from a trusted CA.
    • Ensure the certificate includes the correct CN and SAN entries for the host.
  3. Install Intermediate Certificates
    • Obtain the full certificate chain from your CA.
    • Configure your server to include all necessary intermediate certificates.
  4. Update SSL/TLS Settings
    • Ensure your server supports secure protocols (e.g., TLS 1.2 or 1.3).
    • Disable outdated protocols like SSL 2.0, SSL 3.0, and TLS 1.0/1.1.
  5. Add to Trusted Stores (If Using Self-Signed Certificates)
    • If using a self-signed certificate, manually add it to the trusted certificate store on client systems.
    • Linux: Add to /etc/ssl/certs/.
    • Windows: Use the Certificate Manager (certmgr.msc).
  6. Test After Configuration
    • Restart your web server to apply changes
    • Re-check the SSL status using browsers or tools like curl

Example: Use command-line tool to inspect the certificate

bash
 
openssl s_client -connect %host%:443 -showcerts

Example: Install Certificate (Apache)

apache
SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/private.key
SSLCertificateChainFile /path/to/intermediate.crt

Example: Restart Your Server

bash

systemctl restart apache2  # Apache
systemctl restart nginx    # Nginx

Example: Re-check the SSL status using browsers or tools like curl:

bash
curl -Iv https://host

How to Handle This Issue in All Other Cases

Create a support case to resolve the issue.

Preventive Measures

  • Automate certificate renewal with tools like Let's Encrypt and Certbot.
  • Regularly audit your server's SSL/TLS configuration using tools like SSL Labs or Hardenize.
  • Monitor certificate expiry using monitoring systems or scripts.
https://git.cloudberrylab.com/egor.m/doc-help-kb.git