

Cadet 2nd Class
2015-03-17
19:52
1279 views
Cert error in migration
This is baffling. I'm migrating an OES11sp1 server to new hardware running OES11sp2; when configuring the miggui utility, it continues to give me a certificate error for the source server.
1) Indeed, I discovered the certs had expired for the source server. I repaired all four certs in iManager, and validated them. The certs validate now, happy happy.
2) For good measure, I also ran namconfig -k on the server.
3) I even ran namconfig cache_refresh.
4) Lastly, I went into /opt/novell/migration/plugin/conf on the target server, and deleted the SourceServerCert.der file.
I should be good now, right?
Nope.
Still complains about the cert being expired. Where does the migration pull this "SourceServerCert.der" from? I figured it pulled it from eDirectory. I noticed on the source server that under /etc/ssl/servercerts, the pem files are still showing the old certs, is the migration pulling the cert from here? (I guess not, I did a manual export from iManager, and ran openssl to convert the pkcs12 pfx file to pem format, still no luck.)
I'm stumped.
6 Replies


Knowledge Partner
2015-03-18
08:11
lpphiggp;2350083 wrote:
This is baffling. I'm migrating an OES11sp1 server to new hardware running OES11sp2; when configuring the miggui utility, it continues to give me a certificate error for the source server.
1) Indeed, I discovered the certs had expired for the source server. I repaired all four certs in iManager, and validated them. The certs validate now, happy happy.
2) For good measure, I also ran namconfig -k on the server.
3) I even ran namconfig cache_refresh.
4) Lastly, I went into /opt/novell/migration/plugin/conf on the target server, and deleted the SourceServerCert.der file.
I should be good now, right?
Nope.
Still complains about the cert being expired. Where does the migration pull this "SourceServerCert.der" from? I figured it pulled it from eDirectory. I noticed on the source server that under /etc/ssl/servercerts, the pem files are still showing the old certs, is the migration pulling the cert from here? (I guess not, I did a manual export from iManager, and ran openssl to convert the pkcs12 pfx file to pem format, still no luck.)
I'm stumped.
Did you restart ndsd after repairing the certs? I usually reboot the server after renewing the certs.
Thomas


Cadet 2nd Class
2015-03-19
13:56
No, I didn't want to interrupt the user's access to their files. I'll give that a shot, but honestly, I shouldn't think that'd be necessary, it wasn't in NetWare. I'd done migration from NetWare to OES-Linux, where the NetWare boxes' certs had expired, did a quick repair (either iManager or pkidiag) and it worked immediately.


Knowledge Partner
2015-03-19
14:09
lpphiggp;2350389 wrote:
No, I didn't want to interrupt the user's access to their files. I'll give that a shot, but honestly, I shouldn't think that'd be necessary, it wasn't in NetWare. I'd done migration from NetWare to OES-Linux, where the NetWare boxes' certs had expired, did a quick repair (either iManager or pkidiag) and it worked immediately.
I believe, if you've had to run a repair on the default certs, that the ndsd process is supposed to auto-check (I forget the interval) and auto-import/read/whatever the newly updated certs.
However, I've found repeatedly over time that some things just will not work until you bounce the server, even IF you manually restart ndsd (of course, restarting ndsd interrupts your users' NCP connection to the server in question).
LUM in particular has problems where it gets something stuck in memory and just won't write the proper cert files, no matter what (it seems). And since the miggui loves to use/rely upon LUM ....
There's lots of things in NetWare (for good or bad) that worked differently than OES.
--Kevin
laurabuckley

Micro Focus Expert
2015-03-20
10:45
Hi,
Perhaps try this to sort your certificates out: https://www.novell.com/communities/coolsolutions/cool_tools/certificate-recreation-script-oes1-and-oes2/
It is also for OES11.
Cheers,
Laura Buckley
Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...


Cadet 2nd Class
2015-03-20
17:50
Thanks Laura, I'll check that out!


Cadet 2nd Class
2015-03-23
17:17
We found we had to reboot the server anyway; trying to sync the migration (bypassing SSL) eventually led to it hanging. Now it's all good. Thanks everyone.
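
An added example, not part of any poster's reply: a small shell check for the situation in this thread, where the certificates were repaired in eDirectory but files on disk still showed the old ones. It assumes the `openssl` CLI is installed; the script name `certcheck.sh` is hypothetical and the paths in the usage comment are the ones the original poster named.

```shell
#!/bin/sh
# Added example (not from the thread): show status, expiry date and fingerprint
# for certificate files, PEM or DER, so a stale on-disk copy stands out.
# Hypothetical usage, with the paths named in the thread:
#   sh certcheck.sh /etc/ssl/servercerts/*.pem \
#       /opt/novell/migration/plugin/conf/SourceServerCert.der

# Emit the certificate as PEM on stdout; try PEM input first, then DER.
load_cert() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null ||
        openssl x509 -in "$1" -inform DER 2>/dev/null
}

# cert_status FILE [SECONDS] -> expired | expiring | ok | unreadable
# "expiring" means notAfter falls within SECONDS from now (default 30 days).
cert_status() {
    window=${2:-2592000}
    pem=$(load_cert "$1") || { echo unreadable; return 0; }
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$window" >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# SHA-256 fingerprint; the PEM and DER encodings of one certificate match.
cert_fingerprint() {
    load_cert "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# One line per file: status, notAfter, fingerprint, path.
report() {
    for f in "$@"; do
        end=$(load_cert "$f" | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
        fp=$(cert_fingerprint "$f" 2>/dev/null)
        printf '%-10s %-26s %s %s\n' "$(cert_status "$f")" "${end:-?}" "${fp:-?}" "$f"
    done
}

if [ "$#" -gt 0 ]; then report "$@"; fi
```

A file whose notAfter date or fingerprint differs from the repaired certificate exported from iManager is a stale copy.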