Big news! The community will be moving to a new platform April 21. Read more.
Big news! The community will be moving to a new platform April 21. Read more.
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
1279 views

Cert error in migration

This is baffling. I'm migrating an OES11sp1 server to new hardware running OES11sp2; when configuring the miggui utility, it continues to give me a certificate error for the source server.

1) Indeed, I discovered the certs had expired for the source server. I repaired all four certs in iManager, and validated them. The certs validate now, happy happy.
2) For good measure, I also ran namconfig -k on the server.
3) I even ran namconfig cache_refresh.
4) Lastly, I went into /opt/novell/migration/plugin/conf on the target server, and deleted the SourceServerCert.der file.

I should be good now, right?
Nope.

Still complains about the cert being expired. Where does the migration pull this "SourceServerCert.der" from? I figured it pulled it from eDirectory. I noticed on the source server that under /etc/ssl/servercerts, the pem files are still showing the old certs, is the migration pulling the cert from here? (I guess not, I did a manual export from iManager, and ran openssl to covert the pkcs12 pfx file to pem format, still no luck.)
I'm stumped.
Labels (1)
0 Likes
6 Replies
Knowledge Partner Knowledge Partner
Knowledge Partner

lpphiggp;2350083 wrote:
This is baffling. I'm migrating an OES11sp1 server to new hardware running OES11sp2; when configuring the miggui utility, it continues to give me a certificate error for the source server.

1) Indeed, I discovered the certs had expired for the source server. I repaired all four certs in iManager, and validated them. The certs validate now, happy happy.
2) For good measure, I also ran namconfig -k on the server.
3) I even ran namconfig cache_refresh.
4) Lastly, I went into /opt/novell/migration/plugin/conf on the target server, and deleted the SourceServerCert.der file.

I should be good now, right?
Nope.

Still complains about the cert being expired. Where does the migration pull this "SourceServerCert.der" from? I figured it pulled it from eDirectory. I noticed on the source server that under /etc/ssl/servercerts, the pem files are still showing the old certs, is the migration pulling the cert from here? (I guess not, I did a manual export from iManager, and ran openssl to covert the pkcs12 pfx file to pem format, still no luck.)
I'm stumped.


Did you restart ndsd after repairing the certs? I usually reboot the server after renewing the certs.

Thomas
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

No, I didn't want to interrupt the user's access to their files. I'll give that a shot, but honestly, I shouldn't think that'd be necessary, it wasn't in NetWare. I'd done migration from NetWare to OES-Linux, where the NetWare boxe's certs had expired, did a quick repair (either iManager or pkidiag) and it worked immediately.
0 Likes
Knowledge Partner Knowledge Partner
Knowledge Partner

lpphiggp;2350389 wrote:
No, I didn't want to interrupt the user's access to their files. I'll give that a shot, but honestly, I shouldn't think that'd be necessary, it wasn't in NetWare. I'd done migration from NetWare to OES-Linux, where the NetWare boxe's certs had expired, did a quick repair (either iManager or pkidiag) and it worked immediately.


I believe, if you've had to run a repair on the default certs, that the ndsd process is supposed to auto-check (I forget the interval) and auto-import/read/whatever the newly updated certs.

However, I've found repeatedly over time that some things just will not work until you bounce the server, even IF you manually restart ndsd (of course, restarting ndsd interrupts your users NCP connection to the server in question).

LUM in particular has problems where it gets something stuck in memory and just won't write the proper cert files, no matter what (it seems). And since the miggui loves to use/rely upon LUM ....

There's lots of things in NetWare (for good or bad) that worked differently than OES.

--Kevin
Micro Focus Expert
Micro Focus Expert

Hi,

Perhaps try this to sort your certificates out: https://www.novell.com/communities/coolsolutions/cool_tools/certificate-recreation-script-oes1-and-oes2/

It is also for OES11.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

Thanks Laura, I'll check that out!
0 Likes
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

We found we had to reboot the server anyway, trying to sync the migration (bypassing SSL) eventually led to it hanging. Now it's all good. Thanks everyone.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.