Ensign

Domain not Trusted Redux

Why, oh why...

Does it seem like every time a new version of GW comes out, I spend countless hours trying to break into the admin console because the CA cert gets hosed? 

I am beyond tired of having to chase my tail trying to install the CA cert into my browser to circumvent the all too familiar "Domain Not Trusted" error that has plagued this product for years.  At what point does this bug become a feature? 

It SHOULD NOT BE THIS BIG A PiTA!

Just did my first guinea pig upgrade to GW 18.2 on SLES 12SP4 before rolling it out to clients, and once again, like with 18.0, and 18.1 after it, I get locked out of the admin console until I figure out exactly which certificate it wants.  This time, my bag of tricks is coming up empty, and quite frankly, makes those installs of 

  • I've tried the obvious - restart server - restart gw, check status of all services
  • I've imported the certificate into Chrome, Firefox, IE
  • I've tried regenerating the CA - no change
  • I've tried re-installing the certificate (gwadminutil certinst) - it gets to requesting the cert from the CA (the one that it had just downloaded from) and gives a 500 error for /gwadmin-service/system/ca (verified that gwadminservice was in fact running)
  • gwadminutil ca -l shows a valid certificate / serial number
  • *Note* all agents (domain/PO/GWIA/WebAccess) use a valid wildcard certificate
  • *Note* After updating GW Server & WebAccess - I can no longer log in to WebAccess (correct UN/PW, but login fails - same credentials that worked prior to upgrade)
  • *Note* TLS 1.3 is disabled in browsers

Any suggestions would be appreciated


Mike Giovaninni

NetWerks

10 Replies
Knowledge Partner

I'm still on 18.1.  Haven't done the upgrade yet here.  But did you go through the configure step?  Steps 11 and 12 here: https://www.novell.com/documentation/groupwise18/gw18_guide_install/data/inst_upgrade_install_linux.html  18.2 has a database change so configure is required.  It's not just a service pack.  Maybe that is the hangup?

--
Ken
Knowledge Partner

Create and vote for enhancements in the Idea Exchange forums!
Don't forget to Like helpful posts and mark Solutions!
Ensign

This was a server that was already on 18.1, so no database change should have been required..

Also - the "Install" app that would allow me to do a database upgrade tells me that it has been disabled, and the domain not trusted nonsense leaves me unable to manage the system at all.

That's what I call progress..  not so much.. :o(

Knowledge Partner

I think we urgently need much more detailed information here. Are you using your own certificates, or letting GroupWise handle it with its own CA and the self-signed ones? What exactly are the errors you see, and where do you see them?


Totally unrelated, as this has nothing to do with certificates, but the update to 18.2 from 18.1, *DOES* involve a database upgrade.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
Knowledge Partner

Yes 18.1 to 18.2 does require a database upgrade.
--
Ken
Knowledge Partner

Create and vote for enhancements in the Idea Exchange forums!
Don't forget to Like helpful posts and mark Solutions!
Ensign

Ok..
Good to know..

So - now if I could only access the install & management utilities to make that happen (which is the real issue here - can't access the utilities, can't upgrade the db)
Ensign

As provided in the initial notes..

We use a signed wildcard certificate for our POA, MTA, & GWIA - the admin service is using the self-signed CA certificate generated by gwadminutil
Vice Admiral

Hi,

I didn't read that you cleared the browser cache. Did you do that?😉 You should at least be able to access the admin console from the server.


Norman
BahSIG Bahn-Signalbau GmbH
Ensign

Yes - cleared everything from the browser just to play it safe..  still get the domain not trusted response.

Install tells me that it is disabled (funny, I don't recall doing that at any time in recent history.. another *feature*?)

Knowledge Partner


@NetWerks wrote:
As provided in the initial notes..

We use a signed wildcard certificate for our POA, MTA, & GWIA - the admin service is using the self-signed CA certificate generated by gwadminutil

Can you give us more details about the error you're seeing? Maybe even a screenshot? "Domain not trusted" usually is an error coming from AD. I've never seen or heard it when accessing a web interface in a browser.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
Ensign

At this point - the system is no longer listening on port 9710.
What changed:

  • Did a server restart
  • installed SLES 12.4 updates that were waiting (in hindsight, probably ill advised as it seems to have added another layer of complication)

At this point I'm seriously debating the logic of rolling back to 18.1.1 - making sure all services are working - and taking another stab at it.  Back to my previous point - it should not be this big a PiTA.  At times I feel like I had an easier experience installing & administering WordPerfect Office back in the day.

gwadmin-service log snippet:

2019-11-25 19:21:07 GwAdminServiceListener [INFO] Starting admin service listener: net-gw.get-netwerks.local:9710=>NWDom(/gwsys/domain/)
2019-11-25 19:21:07 GwAdminService [WARN] Error starting listener
com.novell.gw.api.common.GwRuntimeException: Error loading keystore for node
at com.novell.gw.api.main.GwAdminServiceListener.buildSslContextFactory(GwAdminServiceListener.java:618) ~[gwadmin.jar:?]
at com.novell.gw.api.main.GwAdminServiceListener.init(GwAdminServiceListener.java:475) ~[gwadmin.jar:?]
at com.novell.gw.api.main.GwAdminServiceListener.start(GwAdminServiceListener.java:822) ~[gwadmin.jar:?]
at com.novell.gw.api.main.GwAdminService.start(GwAdminService.java:1446) [gwadmin.jar:?]
at com.novell.gw.api.main.GwAdminService.main(GwAdminService.java:285) [gwadmin.jar:?]
Caused by: com.novell.gw.api.common.CryptoLibException: 140637779044096:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:294:
at com.novell.gw.api.security.CertManager.loadP12(Native Method) ~[gwadmin-lib.jar:?]
at com.novell.gw.api.security.CertManager.loadKey(CertManager.java:562) ~[gwadmin-lib.jar:?]
at com.novell.gw.api.security.NodeCertAccess.getKeyStore(NodeCertAccess.java:139) ~[gwadmin-lib.jar:?]
at com.novell.gw.api.security.NodeCertAccess.getKeyStore(NodeCertAccess.java:130) ~[gwadmin-lib.jar:?]
at com.novell.gw.api.main.GwAdminServiceListener.buildSslContextFactory(GwAdminServiceListener.java:613) ~[gwadmin.jar:?]
... 4 more
2019-11-25 19:21:07 GwAdminServiceListener [INFO] Starting admin service listener: net-gw.get-netwerks.local:9711=>NWPost.NWDom(/gwsys/post)


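As an added example (not from the thread, nor Micro Focus code), here is a small Python triage script for gwadmin-service log output like the snippet above: it pairs each "Starting admin service listener" line with the failure that follows it and pulls the OpenSSL function and reason out of the cause chain. For the 9710 listener that yields X509_check_private_key: key values mismatch, which means the certificate and private key loaded from the node's PKCS#12 keystore are not a pair; the 9711 listener is reported as started. The sample log is a constructed, trimmed copy of the lines quoted above; the regexes assume the line shapes seen there.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
# Constructed sample: a trimmed copy of the gwadmin-service lines quoted in the thread.
SAMPLE_LOG = """\
2019-11-25 19:21:07 GwAdminServiceListener [INFO] Starting admin service listener: net-gw.get-netwerks.local:9710=>NWDom(/gwsys/domain/)
2019-11-25 19:21:07 GwAdminService [WARN] Error starting listener
com.novell.gw.api.common.GwRuntimeException: Error loading keystore for node
Caused by: com.novell.gw.api.common.CryptoLibException: 140637779044096:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:294:
at com.novell.gw.api.security.CertManager.loadP12(Native Method) ~[gwadmin-lib.jar:?]
2019-11-25 19:21:07 GwAdminServiceListener [INFO] Starting admin service listener: net-gw.get-netwerks.local:9711=>NWPost.NWDom(/gwsys/post)
"""

LISTENER_RE = re.compile(r"Starting admin service listener: (?P<host>[^:\s]+):(?P<port>\d+)=>(?P<node>\S+)")
FAILED_RE = re.compile(r"\[WARN\] Error starting listener")
EXC_RE = re.compile(r"^(?:Caused by: )?(?P<exc>[\w.]+(?:Exception|Error)): (?P<msg>.*)$")
# OpenSSL error strings look like error:<code>:<library>:<function>:<reason>:<file>:<line>:
OPENSSL_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)")

@dataclass
class Listener:
    host: str
    port: int
    node: str
    failed: bool = False
    chain: list = field(default_factory=list)  # exception messages, outermost first
    openssl_reason: Optional[str] = None       # "<function>: <reason>" when OpenSSL reported the cause

def triage(log_text: str) -> list:  # pair each listener start with the failure (if any) that follows it
    listeners, current = [], None
    for line in log_text.splitlines():
        if m := LISTENER_RE.search(line):
            listeners.append(current := Listener(m["host"], int(m["port"]), m["node"]))
        elif current is None:
            continue  # noise before the first listener line
        elif FAILED_RE.search(line):
            current.failed = True
        elif m := EXC_RE.match(line):  # top-level exception or a 'Caused by:' line; 'at ...' frames are skipped
            current.chain.append(m["msg"])
            if o := OPENSSL_RE.search(m["msg"]):
                current.openssl_reason = f"{o['func']}: {o['reason']}"
    return listeners

def explain(listener: Listener) -> str:  # one-line verdict; the keystore mismatch is the case in this thread
    if not listener.failed:
        return f"{listener.node} on port {listener.port}: started"
    why = listener.openssl_reason or (listener.chain[-1] if listener.chain else "unknown cause")
    if "key values mismatch" in why:
        why += " (certificate and private key in the node keystore are not a pair; re-issue the admin service certificate)"
    return f"{listener.node} on port {listener.port}: FAILED, {why}"
```

Run it against the live gwadmin-service log instead of SAMPLE_LOG to see, per listener, whether it came up and why it did not.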