Absent Member.

Unable to add secondary domain due to Certificate error

I'm trying to add a secondary domain to a GW2014R2 primary. When Groupwise Installation runs on the server which will host the secondary domain, I get an error after clicking [Finish], resulting in a failure to create the new domain on the server:

    Unable to add secondary domain ( 139930275669672:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:103: 139930275669672:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT: padding check failed:rsa_eay.c:705: 139930275669672:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218: )

I tested the same process on a second server, which also generates the same error, so it would appear to be some sort of certificate error. (The 139930275669672 value changes each time, but the rest of the error is constant).

My first thought was a certificate issue, so I cleared the certificates in /opt/novell/groupwise/certificates/<GUID> on the primary domain server, rebuilt the Groupwise CA using gwadminutil ca -g -d <domainpath> -f, and re-issued certificates for the MTA, POA, and GWIA. All services restarted correctly with SSL active, so I believe the CA is operating properly (again). I re-attempted the installation on the secondary domain server, and can see new certificates being created in /opt/novell/groupwise/certificates/<GUID>. Examining the files created, they appear to be valid certificates, but the installation still fails with the same error.

The system is operational and I can't open an SR until next week, so I thought I'd post here to see if anyone can see anything that I'm missing. Any suggestions? Any resources you can suggest to help diagnose the problem?

Michael Zore
Sterling Technologies Group, Ltd.
Micro Focus Expert

Re: Unable to add secondary domain due to Certificate error

Hi Michael,

Just a suggestion - try installing the certificate on the secondary domain server before creating the secondary domain.

Take a look here: https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_manpages/data/man_gwadmoth_gw-certinst.html

Please let us know how it goes.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
Absent Member.

Re: Unable to add secondary domain due to Certificate error

laurabuckley;2431261 wrote:

Just a suggestion - try installing the certificate on the secondary domain server before creating the secondary domain.


Thanks for the help, Laura! I tried using gwadminutil certinst, but I have no local databases on the secondary server, so all my attempts to mung the command line syntax fail, as either I'm alerted that I've failed to specify a database directory (if I skip the -db option), or that I've provided an invalid path (Error DB05: Invalid path) if I provide the folder where the domain will eventually be stored. I've confirmed that I have a valid software installation on the secondary domain server but, given where the GW Install process fails, I have no local domain databases. Is there some magic syntax option for gwadminutil that would let me generate a secondary domain databases without completing the normal Installation Wizard on port 9710?

As an alternative, I remembered that I can see certificates on the primary domain Suse server in /opt/novell/groupwise/certificates/<GUID>, so I tried copying that new certificate file to the new domain root folder on the secondary domain server. That didn't seem to help, as it looks like the normal installation program has the CA generate a new certificate each time. It seems that even having the certificate locally didn't help, as a new one was built each time and the prior one deleted.

I realized that my assumption is that this is a Groupwise CA or primary domain issue, hence I've been putting my focus on the primary domain server. Is there anything GW2014R2 requires on the secondary domain server that I could be missing? SSL appears to be functional for the HTTPS interfaces and SSH, but are there other requirements not listed in the install docs that I'm missing? To this point, I've tried using other Linux servers, so I may fire up an attempt to install a domain under Windows to try to eliminate any dependencies on the secondary servers that I'm somehow missing.

Anything else I should try?
Micro Focus Expert

Re: Unable to add secondary domain due to Certificate error

Hi,

You need to point to the database of the Primary Domain when running the certinst command. You need to mount the path to the primary domain server on the secondary domain server and point to that.

Please let us know how it goes.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
Absent Member.

Re: Unable to add secondary domain due to Certificate error

MZore;2431359 wrote:
Thanks for the help, Laura! I tried using gwadminutil certinst, but I have no local databases on the secondary server, so all my attempts to mung the command line syntax fail, as either I'm alerted that I've failed to specify a database directory (if I skip the -db option), or that I've provided an invalid path (Error DB05: Invalid path) if I provide the folder where the domain will eventually be stored.


So if I understand correctly, there aren't any db files for the secondary domain? Without any files for the secondary domain, none of those gwadminutil commands will do any good.

Does your primary domain folder contain a directory called 'wpoffice'? If the primary is missing this directory, please manually create it, and attempt to create the secondary domain again (clear any pending operations under system before creating a secondary).

Shane Nielson
Kind of alright at doing stuff with the computer thing
Absent Member.

Re: Unable to add secondary domain due to Certificate error

snielson;2431390 wrote:
So if I understand correctly, there aren't any db files for the secondary domain? Without any files for the secondary domain, none of those gwadminutil commands will do any good.

Does your primary domain folder contain a directory called 'wpoffice'? If the primary is missing this directory, please manually create it, and attempt to create the secondary domain again (clear any pending operations under system before creating a secondary).


On the Suse secondary domain server, you are correct that there is no database created, as the installation wizard fails before that is accomplished. I have empty folders created for the (eventual) domain and po (i.e. /groupwise/fortmeadows/domain and /groupwise/fortmeadows/po) but there are no files in those folders. At present, access rights to those folders are full read/write rights to all users (yes, I'll clean that up once this works!), so I don't believe that this is a local Linux rights issue.

On the Suse primary domain server, I verified that there are no pending operations on the primary domain and there is a wpoffice folder on the primary domain. It contains a single file -- ngwguard.dc -- and I've compared contents of that file to a similar file from that folder on an additional test GW2014R2 server, and it matches and so appears to be valid. When the Installation Wizard runs on the secondary domain server, it does correctly verify my username and password with the primary, and I see new certificate files generated in the /opt/novell/groupwise/certificates/<GUID> folder just before the error is generated.

Still, I've had no better success on the additional tries. Anything else I should examine? Remove? Attempt?
Absent Member.

Re: Unable to add secondary domain due to Certificate error

Padding / decrypt error... at this point I would suggest creating a new CA, and remaking the SSL certificates on any agent that uses GroupWise self-signed certs.
After all self-signed certs / the CA have been replaced and remade, attempt to create a new secondary.

Run this gwadminutil ca command on your primary MTA server to create a new CA.
Example to recreate the CA: gwadminutil ca -d /gw/dom1 --generate -f

After this, simply go to each agent (mta, gwia, poa) that uses SSL, and press generate to issue a new certificate from the new CA.
Note: you'll want to restart the agents after applying new certificates.

Shane Nielson
Kind of alright at doing stuff with the computer thing
Absent Member.

Re: Unable to add secondary domain due to Certificate error

snielson;2431507 wrote:
Padding / decrypt error... at this point I would suggest creating a new CA, and remaking the SSL certificates on any agent that uses GroupWise self-signed certs.
After all self-signed certs / the CA have been replaced and remade, attempt to create a new secondary.

Run this gwadminutil ca command on your primary MTA server to create a new CA.
Example to recreate the CA: gwadminutil ca -d /gw/dom1 --generate -f

After this, simply go to each agent (mta, gwia, poa) that uses SSL, and press generate to issue a new certificate from the new CA.
Note: you'll want to restart the agents after applying new certificates.


First off, thanks for the advice. I've used and supported Groupwise long enough to know why the "wpgate" folder has that name, from first-hand experience, but I'm stumped on this problem. As you'll read below, I'm open to trying anything short of clicking my heels together while repeating "There's no CA like home..." so I'm open to suggestions.

So, following the process you listed above, I stopped all of GW on the primary domain server, recreated the CA using the command above, then restarted just gwadminservice. Using GWAdmin, I recreated certificates for MTA, POA, and GWIA, and restarted each service successfully. Upon restart, each individual service logs show SSL is active. On the primary domain server, the /opt/novell/groupwise/certificates/<GUID> folder shows new files with the date and time of the re-creation process, including the ca.crt and ca.key files. Additionally, the GW Client reported the change in certificates when loaded on a workstation. I would interpret all of this to mean that the CA was replaced successfully and that it is generating valid certificates. Agreed?

On re-attempting the install on the intended secondary domain server, the same error resulted. I am clearly grasping at straws, so I also tried another "New Domain" install using a different folder name, excluding GWIA creation, and even attempted the install on an alternate backup server, all with the same result and lack of success. I know these server configurations should work -- I was using a similar setup last year on these same boxes -- but I'm even going to attempt this again on a clean test server later (fresh install of SLES11SP3, OES2015, GW2014) as soon as I can install it, to see if I'm missing something local on the secondary servers.

Anything else I should try?


Michael Zore
Sterling Technologies Group, Ltd.
Absent Member.

Re: Unable to add secondary domain due to Certificate error

SOLVED! Delete all files in the /opt/novell/groupwise/certificates folder on the new secondary domain server and the installation will proceed.

Background: On the soon-to-be-new secondary domain Suse servers, the /opt/novell/groupwise/certificates folder still contained contents from the earlier use as secondary domain servers in the past. I removed the contents of that folder (a GUID folder name and "install"), re-ran the install, and the RSA error message did not appear. I'm guessing that the GW Installation Wizard allowed the previous certificates (which were no longer valid, as they were issued by a prior version of the CA) to remain, rather than deleting and requesting new ones. When the folder is empty, the wizard appropriately pulls contents from the primary CA, and the installation proceeds. I'm guessing that any time a secondary domain is recreated after rebuilding the primary CA, the same process might be required. I tested this on two remote servers and the installation proceeded without the RSA error and the secondary domain was created.

Thank you all for your help in working out an answer on this!

Michael Zore
Sterling Technologies Group, Ltd.
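As an added check for the condition Michael found (certificates left on the secondary server from a CA that has since been regenerated), here is a small POSIX shell script. It is example code written for this thread's scenario, not part of the thread, of GroupWise, or of gwadminutil. It builds a throw-away CA in a scratch directory, issues an "mta" certificate from it, regenerates the CA, reissues only a "poa" certificate, and then uses `openssl verify` to list the certificates that no longer chain to the current CA. The function names (`make_ca`, `issue_cert`, `check_cert`, `stale_certs`), the `demo-ca` subject names and all paths are constructed for the example; on a real server the `-CAfile` argument would be the primary's `ca.crt` and the directory would be the `/opt/novell/groupwise/certificates/<GUID>` folder the thread mentions.

```shell
#!/bin/sh
# Added example (not from this thread, not a GroupWise tool): reproduce the
# "agent cert signed by a CA that has since been regenerated" condition in a
# scratch directory and show how `openssl verify` flags the stale cert.
# All paths, subject names and file names below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/agents"

# make_ca NAME: self-signed CA key and cert (stand-in for the GroupWise CA's ca.key/ca.crt)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca-$1" \
    -keyout "$WORK/ca-$1.key" -out "$WORK/ca-$1.crt" >/dev/null 2>&1
}

# issue_cert CA_NAME AGENT: leaf cert for AGENT signed by that CA (stand-in for an agent cert)
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/agents/$2.key" -out "$WORK/agents/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/agents/$2.csr" -CA "$WORK/ca-$1.crt" \
    -CAkey "$WORK/ca-$1.key" -CAcreateserial -days 30 \
    -out "$WORK/agents/$2.crt" >/dev/null 2>&1
}

# check_cert CA_CRT LEAF_CRT: exit 0 if LEAF_CRT chains to CA_CRT, non-zero otherwise
check_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# stale_certs CA_CRT DIR: print every *.crt in DIR that does not chain to CA_CRT;
# exit 1 if any was found, 0 if all of them verify
stale_certs() {
  found=0
  for f in "$2"/*.crt; do
    if ! check_cert "$1" "$f"; then
      echo "$f"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# 1. the original CA issues the MTA certificate
make_ca old
issue_cert old mta
# 2. the CA is regenerated (as with gwadminutil ca ... --generate -f);
#    the POA certificate is reissued, the MTA certificate is left behind
make_ca new
issue_cert new poa
# 3. audit the agent directory against the current CA
echo "Agent certs that do not chain to ca-new.crt:"
stale_certs "$WORK/ca-new.crt" "$WORK/agents" || echo "-> delete these and reissue them from the current CA"
```

`stale_certs` exits non-zero whenever it lists anything, so it can gate a re-run of the installation: an empty result against the primary's current `ca.crt` means nothing in the folder was issued by an earlier CA, which is the situation the thread ended up needing before the wizard would complete.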
Micro Focus Expert

Re: Unable to add secondary domain due to Certificate error

Hi Michael,

That is so awesome. I'm glad that you managed to solve this. Thank you for posting back - I've learned something valuable from your experience.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...