Certificate invalid: expired when logging into a host

Check the troubleshooting tips here for SSH hosts and clients.

Other checks

  • The host has been offline for a while
    • Try the following command and check the validity date range.
  • Host certificate types have been changed from default ECDSA to another (such as RSA)
    • Run sudo grep -A 4 "autogenerated by step" /etc/ssh/sshd_config and check the output.
    • Run sudo step ssh inspect /etc/ssh/ssh_host_ecdsa_key-cert.pub and check the output and expiration dates. (If the file exists, the host is set up with the default ECDSA.)
    • Run sudo step ssh inspect /etc/ssh/ssh_host_rsa_key-cert.pub and check the output and expiration dates. (If the file is not found, the host is set up with the default ECDSA.)
  • Host certificates are renewed by a systemd timer that runs step ssh renew. It works much like a cron job, but it is a systemd timer, not a cron entry.
    • Run sudo systemctl status step-ssh-renew.service and sudo systemctl status step-ssh-renew.timer, and check the output for signs of an unhealthy status.
  • Send the output from the above to support@smallstep.com for review.
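
The script below is an added example, not part of the original page or of smallstep's tooling. It reads the HostCertificate paths from sshd_config and classifies each certificate's validity window, which covers both the expired-while-offline case and the case where sshd points at a certificate of a different key type. It assumes OpenSSH's ssh-keygen -L output format in place of step ssh inspect; the function names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example: classify SSH host certificate validity windows.
# Assumption: `ssh-keygen -L` output format (timestamps in local time).

# Print the certificate paths named by HostCertificate in an sshd_config file.
host_cert_paths() {
    awk 'tolower($1) == "hostcertificate" { print $2 }' "$1"
}

# Read an `ssh-keygen -L` listing on stdin; $1 is "now" as YYYY-MM-DDTHH:MM:SS.
# Prints valid, expired, not-yet-valid, or unknown (no parsable Valid: line).
cert_status() {
    awk -v now="$1" '
        $1 == "Valid:" && $2 == "forever" { print "valid"; found = 1; exit }
        $1 == "Valid:" && $2 == "from" && $4 == "to" {
            found = 1
            # ISO 8601 timestamps sort correctly as plain strings.
            if ((now "") < ($3 ""))      print "not-yet-valid"
            else if ((now "") > ($5 "")) print "expired"
            else                         print "valid"
            exit
        }
        END { if (!found) print "unknown" }'
}

# Check every host certificate that sshd is configured to present.
check_host_certs() {
    now=$(date +%Y-%m-%dT%H:%M:%S)
    host_cert_paths "${1:-/etc/ssh/sshd_config}" | while read -r cert; do
        if [ -f "$cert" ]; then
            echo "$cert: $(ssh-keygen -L -f "$cert" | cert_status "$now")"
        else
            echo "$cert: missing"
        fi
    done
}

# Constructed, abridged sample listing so the parser can be tried offline.
sample_listing() {
    cat <<'EOF'
/etc/ssh/ssh_host_ecdsa_key-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com host certificate
        Key ID: "host.example.com"
        Valid: from 2024-01-01T00:00:00 to 2024-01-31T00:00:00
        Principals:
                host.example.com
EOF
}

sample_listing | cert_status "2024-06-01T00:00:00"
```

On a host, source the script and run check_host_certs as root; a "missing" result means sshd_config references a certificate file that is not on disk.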