Question
Why is the SSL CA certificate validity shown as expired even though the certificate expires in 2049 or later?
This may affect Nagios checks, diagnostic checks, or other monitoring tools.
Answer
This issue is caused by a bug in m2crypto. Due to this bug, certificates with an expiration date later than the year 2049 are incorrectly interpreted as expired or invalid.
The bug is tracked here:
https://forge.univention.org/bugzilla/show_bug.cgi?id=55411
In affected environments, the certificate validity should be verified manually using openssl, for example:
openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -enddate
Example output:
notAfter=Mar 1 20:15:00 2051 GMT
If the displayed date is correct and lies in the future, the certificate itself is valid and the warning can be attributed to the m2crypto bug.
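A monitoring check can also take the expiry date from the openssl output shown above instead of going through m2crypto. The following sketch is an added example, not Univention's own code; the function names and the 30/7-day thresholds are assumptions, and the exit codes follow the usual Nagios plugin convention (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).

```python
import subprocess
import sys
from datetime import datetime, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_not_after(line):
    """Parse an 'openssl x509 -enddate' line into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    parts = value.split()  # openssl pads single-digit days with extra spaces
    if (key != "notAfter" or len(parts) != 5
            or parts[0] not in MONTHS or parts[4] != "GMT"):
        raise ValueError("unexpected openssl output: %r" % line)
    mon, day, clock, year, _tz = parts
    hh, mm, ss = (int(x) for x in clock.split(":"))
    return datetime(int(year), MONTHS[mon], int(day), hh, mm, ss,
                    tzinfo=timezone.utc)

def check_expiry(line, now, warn_days=30, crit_days=7):
    """Return (exit_code, message); thresholds are assumed defaults."""
    try:
        not_after = parse_not_after(line)
    except ValueError as exc:
        return 3, "UNKNOWN - %s" % exc
    days = (not_after - now).days
    if not_after <= now:
        return 2, "CRITICAL - certificate expired on %s" % not_after.date()
    if days < crit_days:
        return 2, "CRITICAL - certificate expires in %d days" % days
    if days < warn_days:
        return 1, "WARNING - certificate expires in %d days" % days
    return 0, "OK - certificate valid until %s (%d days)" % (not_after.date(), days)

def read_enddate(path):
    """Run the same openssl command as in the article and return its output."""
    return subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-enddate"],
        capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/univention/ssl/ucsCA/CAcert.pem"
    try:
        code, msg = check_expiry(read_enddate(path), datetime.now(timezone.utc))
    except (OSError, subprocess.CalledProcessError) as exc:
        code, msg = 3, "UNKNOWN - openssl failed: %s" % exc
    print(msg)
    sys.exit(code)
```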
