loomansj

Invalid certificate on primary server

After I brought up a second primary server in my management zone, I attempted to log in to the specific server and got the following error:

Could not establish an encrypted connection because the certificate presented by <servername> has an invalid signature.

I'm using externally signed certificates from our eDirectory. Is this a problem with the signed certificate I used during the server installation? How can I fix this problem? Does this affect my first primary server, which was functioning well?

Jason L.
jaredljennings

Re: Invalid certificate on primary server

loomansj,

>Could not establish an encrypted connection because the certificate
>presented by <servername> has an invalid signature.


So the certificate fails one of the three checks?
Would the "Root CA" check be failing? If so, then your eDirectory CA
certificate is not in your workstation's Trusted ROOT store. You can
manually import this into your workstation.

I would not think that this would be causing sync issues as all servers
should have properly imported the Root CA. (That is, if the above is true.)

--
Jared Jennings - Data Technique, Inc.
Novell Support Forums Sysop
My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
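
The two failure modes in play in this reply, a root CA that is not in the trust store versus a certificate whose signature does not verify under a root that is trusted, can be told apart offline with `openssl verify`. This is an added example, not part of the original thread and not ZENworks tooling; the CA names, the host name `zcm2.example.test` and all certificates are constructed for the lab.

```shell
# Constructed lab: every name, key and certificate here is made up for the example.
set -eu

make_ca() {            # make_ca <prefix> <common-name>: self-signed root CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_leaf() {         # issue_leaf <ca-prefix> <out.pem>: server cert signed by that CA
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=zcm2.example.test" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -set_serial 2 -days 30 -out "$2" 2>/dev/null
}

corrupt_signature() {  # corrupt_signature <in.pem> <out.pem>: invert the last signature byte
    openssl x509 -in "$1" -outform DER -out "$2.der"
    size=$(wc -c < "$2.der")
    last=$(tail -c 1 "$2.der" | od -An -tu1 | tr -d ' ')
    printf '%b' "\\0$(printf '%o' $((last ^ 255)))" |
        dd of="$2.der" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
    openssl x509 -inform DER -in "$2.der" -out "$2"
}

classify() {           # classify <trusted-root.pem> <server.pem>
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *"certificate signature failure"*)          echo bad-signature ;;
        *"unable to get local issuer certificate"*) echo issuer-not-trusted ;;
        *": OK"*)                                   echo ok ;;
        *)                                          echo other ;;
    esac
}

run_lab() {
    WORK=$(mktemp -d)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        '[dn]' 'CN=unused' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$WORK/req.cnf"
    make_ca "$WORK/tree" "Example Tree CA"
    make_ca "$WORK/other" "Unrelated CA"
    issue_leaf "$WORK/tree" "$WORK/srv.pem"
    corrupt_signature "$WORK/srv.pem" "$WORK/bad.pem"
    echo "$(classify "$WORK/tree.pem" "$WORK/srv.pem")" \
         "$(classify "$WORK/other.pem" "$WORK/srv.pem")" \
         "$(classify "$WORK/tree.pem" "$WORK/bad.pem")"
    rm -rf "$WORK"
}

run_lab   # prints: ok issuer-not-trusted bad-signature
```

Running `classify` on an exported root CA file and the server's certificate file (both PEM) shows which of the two checks is failing; importing the root into a trust store only changes the `issuer-not-trusted` outcome, not `bad-signature`.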
loomansj

Re: Invalid certificate on primary server

I checked to make sure that the Root CA has been imported into the Trusted Root store on my workstation. I still cannot make a connection to the primary server. I checked the primary server in question to make sure the Root CA was imported properly and it shows in the Trusted Root CA list.

Jason L.
jaredljennings

Re: Invalid certificate on primary server

loomansj,

>I checked the primary server in question to make
>sure the Root CA was imported properly and it shows in the Trusted Root
>CA list.


Can you send me a screen-shot of the error?

jaredljennings at gmail dot com

--
Jared Jennings - Data Technique, Inc.
Novell Support Forums Sysop
My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
loomansj

Re: Invalid certificate on primary server

The screenshot has been sent to the email address provided. Thanks Jared.

Jason L.
jaredljennings

Re: Invalid certificate on primary server

loomansj,

I haven't received one yet.

You can post the screen-shot if you do not mind it being publicly
available.

--
Jared Jennings - Data Technique, Inc.
Novell Support Forums Sysop
My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
Anonymous_User

Re: Invalid certificate on primary server

Jared Jennings wrote:
> loomansj,
>
> I haven't received one yet.
>
> You can post the screen-shot if you do not mind it being publicly
> available.
>


Sorry Jared, I mistyped your email address. I resent the email.
Please let me know if you don't receive it within the next few hours and
I'll post it to the forum.
loomansj

Re: Invalid certificate on primary server

Jared,
I accidentally mistyped your email address yesterday. I resent the email with the screenshot attached. If you don't receive it within the next few hours, let me know.

Jason L.
jaredljennings

Re: Invalid certificate on primary server

loomansj,

Got the screen-shot. Yuck! That is a fatal error. I believe we can
recreate the certificate, but give me a bit while I find the commands for
that.

--
Jared Jennings - Data Technique, Inc.
Novell Support Forums Sysop
My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
jaredljennings

Re: Invalid certificate on primary server

Ok, I think you can get this done. I haven't tried this yet, but can if
needed.


Certificate Authority Commands

These commands are used to manage the certificate authority role of
ZENworks servers. Certificate authority commands begin with
certificate-authority- in the long form, or with the letters ca in the
short form.

certificate-authority-export (certificate-authority-export/cae) [options]
(file path)

Exports the key-pair credentials of the zone certificate authority to a file, and disables the Certificate Authority role of the local server. Accepts the following options:

* -d, --disable-CA-role - Removes the Certificate Authority role of the local server.

certificate-authority-import (certificate-authority-import/cai) (file path)

Imports the key-pair credentials of the zone certificate authority from a file and enables the Certificate Authority role on the local server.

certificate-authority-role-enable (care)

Enables the Certificate Authority role on the local server.

certificate-authority-role-disable (card)

Disables the Certificate Authority role on the local server.


From the DOC: http://tinyurl.com/2kx92t

--
Jared Jennings - Data Technique, Inc.
Novell Support Forums Sysop
My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
Anonymous_User

Re: Invalid certificate on primary server

Jared Jennings wrote:
> Ok, I think you can get this done. I haven't tried this yet, but can if
> needed.
>
>
> Certificate Authority Commands
>
> These commands are used to manage the certificate authority role of
> ZENworks servers. Certificate authority commands begin with
> certificate-authority- in the long form, or with the letters ca in the
> short form.
>
> certificate-authority-export (certificate-authority-export/cae)
> [options] (file path)
>
> Exports the key-pair credentials of the zone certificate authority
> to a file, and disables the Certificate Authority role of the local
> server. Accepts the following options:
>
> * -d, --disable-CA-role - Removes the Certificate Authority role
> of the local server.
>
> certificate-authority-import (certificate-authority-import/cai) (file path)
>
> Imports the key-pair credentials of the zone certificate authority
> from a file and enables the Certificate Authority role on the local server.
> certificate-authority-role-enable (care)
>
> Enables the Certificate Authority role on the local server.
> certificate-authority-role-disable (card)
>
> Disables the Certificate Authority role on the local server.
>
>
> From the DOC: http://tinyurl.com/2kx92t
>


Jared,
Trying to use the command:
zman cae -d c:\program files\novell\zenworks\conf\security\server.der
did not work. I sent you an email containing the screenshot as an
attachment. Thanks.
jaredljennings

Re: Invalid certificate on primary server

loomansj,

>Trying to use the command:
>zman cae -d c:\program files\novell\zenworks\conf\security\server.der did
>not work. I sent you an email containing the screenshot as an attachment.
> Thanks.


Just read it.

Try the --cleartext option
If that doesn't work, I will write a few step-by-step instructions.

--
Jared Jennings - Data Technique, Inc.
Novell Support Forums Sysop
My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
Anonymous_User

Re: Invalid certificate on primary server

Jared Jennings wrote:
> loomansj,
>
>> Trying to use the command:
>> zman cae -d c:\program files\novell\zenworks\conf\security\server.der
>> did not work. I sent you an email containing the screenshot as an
>> attachment. Thanks.

>
> Just read it.
>
> Try the --cleartext option
> If that doesn't work, I will write a few step-by-step instructions.
>


Jared,
I ran the following command:

zman cae -d --cleartext c:\program files\novell\zenworks\conf\security\server.der

and received the following error:

Error: You can execute this command only when the ZENworks Internal
Certificate Authority is used.

I'm using external CAs. Your thoughts?
jaredljennings

Re: Invalid certificate on primary server

loomansj,

>I ran the following command:
>
>zman cae -d --cleartext c:\program
>files\novell\zenworks\conf\security\server.der
>
>and received the following error:
>
>Error: You can execute this command only when the ZENworks Internal
>Certificate Authority is used.
>
>I'm using external CAs. Your thoughts?


Try this URL?
http://www.novell.com/documentation/zcm10/readme/readme_zcm10.html#bag01lh

--
Jared Jennings - Data Technique, Inc.
Novell Support Forums Sysop
My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
Anonymous_User

Re: Invalid certificate on primary server

Jared Jennings wrote:
> loomansj,
>
>> I ran the following command:
>>
>> zman cae -d --cleartext c:\program
>> files\novell\zenworks\conf\security\server.der
>>
>> and received the following error:
>>
>> Error: You can execute this command only when the ZENworks Internal
>> Certificate Authority is used.
>>
>> I'm using external CAs. Your thoughts?

>
> Try this URL?
> http://www.novell.com/documentation/zcm10/readme/readme_zcm10.html#bag01lh
>

The error still persists. At this point, I'm thinking of rebuilding the
server, removing it from the server hierarchy and reinstalling ZCM.
Thoughts?
