Anonymous_User Absent Member.

Certificate issues after upgrade

Hi,

Yesterday, I performed an in-place upgrade of a NW51SP8 server to NW65SP8.
That seemed to go well, except for one problem.
NRM wouldn't open and it seems Apache could not start. Logger screen gave me
the error: Use of key SSL Certificateip failed.

So I ran pkidiag with the several 'fix' options, but PKIDIAG can't fix it
(log below). Maybe useful info, after the upgrade I found out the DNS
entry in sys:\etc\hosts for this server was invalid. It was dhd1.tmsnet,org
(comma) while of course it should have been dhd1.tmsnet.org. I changed it
and rebooted the server just to be sure.

When (from nwadmin) I double click on the SSL CertificateIP - DHD1 object it
shows the Certificate Status as 'Absent' and tells me 'there is no trusted
root in this Key Material Object. Choose import to add one'. I've exported a
certificate from another (working) object and imported it. After that it
shows the CA setting correctly, though the Certificate Status remains
'Absent'

This server is in a multi server Tree. Another NW65SP8 server is the CA and
the host field in the CA object is populated correctly. No certificate
problems on the other servers.

I'm not a biggie (as you can tell..) on certificate issues, so any help
would be greatly appreciated.

Thanks
Ron

---------------------------------------------------------------------------
PKIDiag 2.78 -- (compiled Jul 18 2005 17:19:11).
(Check the end of the log for the last repair results)
Current Time: Sat Jan 30 12:17:22 2010
User logged-in as: admin.tms.
Fixing mode
Rekey mode
Always Re-key

--> Server Name = 'DHD1'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'DHD1.SERVICES.DHD.NL.TMS' points to SAS Service object 'SAS
Service - DHD1.SERVICES.DHD.NL.TMS'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - DHD1.SERVICES.DHD.NL.TMS' is backlinked
to server 'DHD1.SERVICES.DHD.NL.TMS'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service -
DHD1.SERVICES.DHD.NL.TMS'.
--->KMO SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS is linked.
--->KMO SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS is linked.
Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.
Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service -
DHD1.SERVICES.DHD.NL.TMS'.
KMO 'SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS' is linked.
KMO 'SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS' is linked.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: 10.2.1.2
ERROR -1372418624. The KMO SSL CertificateIP exists, but I can't decode it.
FIXING: Creating SSL CertificateIP (10.2.1.2)
Pausing for 5 seconds because of error 49673
ERROR 49673 creating SSL CertificateIP.
--> Number of Server DNS names for the IP address 10.2.1.2 = 1
--> The server's default DNS name is:
DHD1.TMSNET.ORG
ERROR -1240. The KMO SSL CertificateDNS exists, but we can't decode it.
FIXING: Creating SSL CertificateDNS (DHD1.TMSNET.ORG)
Pausing for 5 seconds because of error 49673
ERROR 49673 creating SSL CertificateDNS.
Step 6 failed 49673.


Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 0
Problems fixed: 0
Un-fixable problems found: 0
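
Added example (not part of the original post, and not a Novell tool): a Python sketch that parses a PKIDiag log like the one above, reports failed steps, flags a summary whose counters show nothing outstanding although a step failed, and groups certificate-creation failures by error code so a code shared by several objects stands out. The regular expressions are assumptions based only on the line formats visible in this thread; the sample is an excerpt constructed from the log above, and the parser also accepts `>`-quoted copies of a log.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: an excerpt of lines from the PKIDiag 2.78 log in this thread.
SAMPLE_LOG = """\
Step 4 Verifying the KMOs
---> Testing KMO 'SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS'.
Private Key -- OK.
Step 4 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> The default IP address is: 10.2.1.2
ERROR -1372418624. The KMO SSL CertificateIP exists, but I can't decode it.
FIXING: Creating SSL CertificateIP (10.2.1.2)
Pausing for 5 seconds because of error 49673
ERROR 49673 creating SSL CertificateIP.
ERROR -1240. The KMO SSL CertificateDNS exists, but we can't decode it.
FIXING: Creating SSL CertificateDNS (DHD1.TMSNET.ORG)
ERROR 49673 creating SSL CertificateDNS.
Step 6 failed 49673.

Fixable problems found: 0
Problems fixed: 0
Un-fixable problems found: 0
"""

# Line formats assumed from the log in this thread (not from PKIDiag documentation).
QUOTE = re.compile(r"^(?:>\s?)+")  # mail/news quote prefixes such as "> " or ">> "
STEP_START = re.compile(r"^Step (\d+) (?!succeeded|failed)(.+)$")
STEP_END = re.compile(r"^Step (\d+) (succeeded|failed)(?: (-?\d+))?\.$")
ERROR = re.compile(r"^ERROR (-?\d+)\.?\s+(.*)$")
COUNTER = re.compile(
    r"^(Fixable problems found|Problems fixed|Un-fixable problems found):\s*(\d+)$")
CREATING = re.compile(r"^creating (.+?)\.?$")


@dataclass
class Step:
    number: int
    title: str = ""
    status: str = "incomplete"  # stays so if the log ends before a result line
    code: Optional[int] = None
    errors: list = field(default_factory=list)  # (code, message) tuples


def parse_pkidiag(text):
    """Return (steps, counters) parsed from a PKIDiag log, quoted or not."""
    steps, counters, current = {}, {}, None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if m := STEP_END.match(line):
            step = steps.setdefault(int(m[1]), Step(int(m[1])))
            step.status = m[2]
            step.code = int(m[3]) if m[3] else None
            current = None
        elif m := STEP_START.match(line):
            current = steps.setdefault(int(m[1]), Step(int(m[1])))
            current.title = m[2]
        elif (m := ERROR.match(line)) and current is not None:
            current.errors.append((int(m[1]), m[2]))
        elif m := COUNTER.match(line):
            counters[m[1]] = int(m[2])
    return steps, counters


def creation_failures(steps):
    """Map error code -> objects whose creation failed with that code."""
    by_code = {}
    for step in steps.values():
        for code, message in step.errors:
            if m := CREATING.match(message):
                by_code.setdefault(code, []).append(m[1])
    return by_code


def findings(steps, counters):
    """List failed steps, a summary that hides them, and shared creation codes."""
    out = []
    failed = [s for s in steps.values() if s.status == "failed"]
    for s in failed:
        out.append(f"step {s.number} ({s.title}) failed with code {s.code}")
    nothing_left = (counters.get("Un-fixable problems found") == 0 and
                    counters.get("Fixable problems found") == counters.get("Problems fixed"))
    if failed and nothing_left:
        out.append("summary counters report nothing outstanding although a step failed")
    for code, names in creation_failures(steps).items():
        if len(names) > 1:
            out.append(f"code {code} hit {len(names)} objects: {', '.join(names)}")
    return out


if __name__ == "__main__":
    for finding in findings(*parse_pkidiag(SAMPLE_LOG)):
        print(finding)
```
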

Knowledge Partner

Re: Certificate issues after upgrade


Can you create a new certificate (named 'test00' or whatever) on that
server just to ensure the rest of your PKI setup is okay? Have you tried
deleting SSL CertificateIP (assuming it's not anything you've customized
in the past) and recreating it by hand (same name)?

Good luck.





Anonymous_User Absent Member.

Re: Certificate issues after upgrade

Thanks for your quick response!

I just deleted the "SSL CertificateIP - DHD1". Created two new ones
(test001 and 'SSL CertificateIP - DHD1') using NWadmin (Key Material
object).

When I choose the standard options, I get the error:
"The tree CA is unable to sign the certificate. Error code: 49673"

When I choose the custom options, I get the error:
"Can't generate the certificate signing request. Error code: -1211"

Was this what you meant?

Ron


<ab@novell.com> wrote in message
news:aqX8n.1478$qb7.620@kovat.provo.novell.com...
> Can you create a new certificate (named 'test00' or whatever) on that
> server just to ensure the rest of your PKI setup is okay? Have you tried
> deleting SSL CertificateIP (assuming it's not anything you've customized
> in the past) and recreating it by hand (same name)?
>
> Good luck.


Knowledge Partner

Re: Certificate issues after upgrade

Ron van den Broek,
> When I choose the standard options, I get the error:
> "The tree CA is unable to sign the certificate. Error code: 49673"


Never seen that error and I find no hits on it in the knowledgebase.
Please run SDIDIAG to check that your server keys are OK.


- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)


Novell has a new enhancement request system,
or what is now known as the requirement portal.
If customers would like to give input in the upcoming
releases of Novell products then they should go to
http://www.novell.com/rms

Anonymous_User Absent Member.

Re: Certificate issues after upgrade

"Anders Gustafsson" <AndersG@no-mx.forums.novell.com> wrote in message
news:VA.0000420c.000beefe@no-mx.forums.novell.com...
> Ron van den Broek,
>> When I choose the standard options, I get the error:
>> "The tree CA is unable to sign the certificate. Error code: 49673"

>
> Never seen that error and I find no hits on it in the knowledgebase.
> Please run SDIDIAG to check that your server keys are OK.
>



I ran SDIDIAG.NLM check and it gave me:

>>>>>SDIDIAG Begin: Sat Jan 30 18:08:15 2010

SDIDIAG> check > sys:sdidiag.log
*** [Key Consistency Check - BEGIN] ***
[Checking SDI Domain]
SDI Check Domain Configuration...
SDI Domain Key Server .DHD1.SERVICES.DHD.NL.TMS.TMS_TREE.
- Configuration is good.
SDI Domain Key Server .TMS2.SERVICES.RTD.NL.TMS.TMS_TREE.
- Configuration is good.
SDI Domain Key Server .TMS1.SERVICES.RTD.NL.TMS.TMS_TREE.
- Configuration is good.
*** SDI Check Domain Configuration is [GOOD]
SDI Check Domain Keys...
SDI Domain Key Server .TMS1.SERVICES.RTD.NL.TMS.TMS_TREE.
- Keys are good.
SDI Domain Key Server .DHD1.SERVICES.DHD.NL.TMS.TMS_TREE.
- Keys are good.
SDI Domain Key Server .TMS2.SERVICES.RTD.NL.TMS.TMS_TREE.
- Keys are good.
*** SDI Check Domain Keys are [GOOD]

[Checking SDI Domain: GOOD]

*** No Problems Found ***
*** [Key Consistency Check - END] ***


Thanks
Ron

Anonymous_User Absent Member.

Re: Certificate issues after upgrade

"Anders Gustafsson" <AndersG@no-mx.forums.novell.com> wrote in message
news:VA.0000420c.000beefe@no-mx.forums.novell.com...
> Ron van den Broek,
>> When I choose the standard options, I get the error:
>> "The tree CA is unable to sign the certificate. Error code: 49673"

>
> Never seen that error and I find no hits on it in the knowledgebase.
> Please run SDIDIAG to check that your server keys are OK.
>


I ran a resync as well:


>>>>>SDIDIAG Begin: Sat Jan 30 18:14:22 2010

SDIDIAG> RESYNC -T > sys:resync.log
*** [RESYNC Domain - BEGIN] ***
[PASS 1 of 2]
[Looking for All Server Objects]
*** [Find Servers - BEGIN] ***
Found: .ANT1.SERVICES.ANT.BE.TMS.TMS_TREE.
- Checking eDirectory version.
- Good.
Found: .DHD1.SERVICES.DHD.NL.TMS.TMS_TREE.
- Checking eDirectory version.
- Good.
Found: .MST1.SERVICES.MST.NL.TMS.TMS_TREE.
- Checking eDirectory version.
- Good.
Found: .POG1.SERVICES.POG1.NL.TMS.TMS_TREE.
- Checking eDirectory version.
- Good.
Found: .POG2.SERVICES.POG2.NL.TMS.TMS_TREE.
- Checking eDirectory version.
- Good.
Found: .TLR1.SERVICES.TLR.NL.TMS.TMS_TREE.
- Checking eDirectory version.
- Good.
Found: .TMS1.SERVICES.RTD.NL.TMS.TMS_TREE.
- Checking eDirectory version.
- Good.
Found: .TMS2.SERVICES.RTD.NL.TMS.TMS_TREE.
- Checking eDirectory version.
- Good.
Found: .ZWL1.SERVICES.ZWL.NL.TMS.TMS_TREE.
- Checking eDirectory version.
- Good.

*** [Find Servers - END] ***
[Processing Server 1 of 9]
Processing Server .ZWL1.SERVICES.ZWL.NL.TMS.TMS_TREE.
Synchronize Server .ZWL1.SERVICES.ZWL.NL.TMS.TMS_TREE. ...
- Synchronized.
- Moving keys to domain.
- Processing complete.
[Processing Server 2 of 9]
Processing Server .TMS2.SERVICES.RTD.NL.TMS.TMS_TREE.
- (Domain server) processing complete.
[Processing Server 3 of 9]
Processing Server .TMS1.SERVICES.RTD.NL.TMS.TMS_TREE.
- (Domain server) processing complete.
[Processing Server 4 of 9]
Processing Server .TLR1.SERVICES.TLR.NL.TMS.TMS_TREE.
Synchronize Server .TLR1.SERVICES.TLR.NL.TMS.TMS_TREE. ...
- Synchronized.
- Moving keys to domain.
- Processing complete.
[Processing Server 5 of 9]
Processing Server .POG2.SERVICES.POG2.NL.TMS.TMS_TREE.
Synchronize Server .POG2.SERVICES.POG2.NL.TMS.TMS_TREE. ...
- Synchronized.
- Moving keys to domain.
- Processing complete.
[Processing Server 6 of 9]
Processing Server .POG1.SERVICES.POG1.NL.TMS.TMS_TREE.
Synchronize Server .POG1.SERVICES.POG1.NL.TMS.TMS_TREE. ...
- Synchronized.
- Moving keys to domain.
- Processing complete.
[Processing Server 7 of 9]
Processing Server .MST1.SERVICES.MST.NL.TMS.TMS_TREE.
Synchronize Server .MST1.SERVICES.MST.NL.TMS.TMS_TREE. ...
- Synchronized.
- Moving keys to domain.
- Processing complete.
[Processing Server 8 of 9]
Processing Server .DHD1.SERVICES.DHD.NL.TMS.TMS_TREE.
- (Domain server) processing complete.
[Processing Server 9 of 9]
Processing Server .ANT1.SERVICES.ANT.BE.TMS.TMS_TREE.
Synchronize Server .ANT1.SERVICES.ANT.BE.TMS.TMS_TREE. ...
- Synchronized.
- Moving keys to domain.
- Processing complete.

[Synchronizing SDI Domain Key Servers]
*** The Security Domain is synchronized.
[PASS 2 of 2]
[Synchronizing All Servers from Security Domain]
Synchronize Server .ANT1.SERVICES.ANT.BE.TMS.TMS_TREE. ...
- Synchronized.
Synchronize Server .DHD1.SERVICES.DHD.NL.TMS.TMS_TREE. ...
- Synchronized.
Synchronize Server .MST1.SERVICES.MST.NL.TMS.TMS_TREE. ...
- Synchronized.
Synchronize Server .POG1.SERVICES.POG1.NL.TMS.TMS_TREE. ...
- Synchronized.
Synchronize Server .POG2.SERVICES.POG2.NL.TMS.TMS_TREE. ...
- Synchronized.
Synchronize Server .TLR1.SERVICES.TLR.NL.TMS.TMS_TREE. ...
- Synchronized.
Synchronize Server .TMS1.SERVICES.RTD.NL.TMS.TMS_TREE. ...
- Synchronized.
Synchronize Server .TMS2.SERVICES.RTD.NL.TMS.TMS_TREE. ...
- Synchronized.
Synchronize Server .ZWL1.SERVICES.ZWL.NL.TMS.TMS_TREE. ...
- Synchronized.
*** [RESYNC Domain - END] ***

Knowledge Partner

Re: Certificate issues after upgrade

OK. Then it cannot be that. I am always a bit suspicious of in-place
upgrades of 5.1 to 6.x though. Wonder if you have a mismatched PKI
module anywhere. Anyway, try this:

Rename SSL CertificateIP and SSL CertificateDNS to SSL CertificateIPOld
and SSL CertificateDNSOld.

Rerun PKIDIAG in fixing mode. What happens?

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)


Anonymous_User Absent Member.

Re: Certificate issues after upgrade

"Anders Gustafsson" <AndersG@no-mx.forums.novell.com> wrote in message
news:VA.0000420d.00743dc0@no-mx.forums.novell.com...
> OK. Then it cannot be that. I am always a bit suspicious of in-place
> upgrades of 5.1 to 6.x though. Wonder if you have a mismatched PKI
> module anywhere. Anyway, try this:
>
> Rename SSL CertificateIP and SSL CertificateDNS to SSL CertificateIPOld
> and SSL CertificateDNSOld.
>
> Rerun PKIDIAG in fixing mode. What happens?
>
> - Anders Gustafsson (Sysop)


Hi Anders,

They do get recreated, but as it seems with the same problems:


---------------------------------------------------------------------------
PKIDiag 2.78 -- (compiled Jul 18 2005 17:19:11).
(Check the end of the log for the last repair results)
Current Time: Sat Jan 30 19:50:33 2010
User logged-in as: admin.tms.
Fixing mode
Rename and create mode
Rename and create when necessary

--> Server Name = 'DHD1'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'DHD1.SERVICES.DHD.NL.TMS' points to SAS Service object 'SAS
Service - DHD1.SERVICES.DHD.NL.TMS'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - DHD1.SERVICES.DHD.NL.TMS' is backlinked
to server 'DHD1.SERVICES.DHD.NL.TMS'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service -
DHD1.SERVICES.DHD.NL.TMS'.
--->KMO SSL CertificateIP - DHD1OLD.SERVICES.DHD.NL.TMS is linked.
PROBLEM: The KMO object needs to be Renamed/Moved from 'SSL CertificateIP -
DHD1OLD.SERVICES.DHD.NL.TMS' to 'SSL CertificateIP -
DHD1.SERVICES.DHD.NL.TMS'.
FIX: Successfully changed 'SSL CertificateIP - DHD1OLD.SERVICES.DHD.NL.TMS'
to 'SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS'.

--->KMO SSL CertificateDNS - DHD1OLD.SERVICES.DHD.NL.TMS is linked.
PROBLEM: The KMO object needs to be Renamed/Moved from 'SSL CertificateDNS -
DHD1OLD.SERVICES.DHD.NL.TMS' to 'SSL CertificateDNS -
DHD1.SERVICES.DHD.NL.TMS'.
FIX: Successfully changed 'SSL CertificateDNS - DHD1OLD.SERVICES.DHD.NL.TMS'
to 'SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS'.

Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.
Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service -
DHD1.SERVICES.DHD.NL.TMS'.
KMO 'SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS' is linked.
KMO 'SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS' is linked.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: 10.2.1.2
ERROR -1429195072. The KMO SSL CertificateIP exists, but I can't decode it.
PROBLEM: Need to rename 'SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS'.
Fix: Successfully changed 'SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS'
to 'Old1 SSL CertificateIP - DHD1.SERVICES.DHD.NL.TMS'.
FIXING: Creating SSL CertificateIP (10.2.1.2)
Pausing for 5 seconds because of error 49673
ERROR 49673 creating SSL CertificateIP.
--> Number of Server DNS names for the IP address 10.2.1.2 = 1
--> The server's default DNS name is:
DHD1.TMSNET.ORG
ERROR -1240. The KMO SSL CertificateDNS exists, but we can't decode it.
PROBLEM: Need to rename 'SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS'.
Fix: Successfully changed 'SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS'
to 'Old1 SSL CertificateDNS - DHD1.SERVICES.DHD.NL.TMS'.
FIXING: Creating SSL CertificateDNS (DHD1.TMSNET.ORG)
Pausing for 5 seconds because of error 49673
ERROR 49673 creating SSL CertificateDNS.
Step 6 failed 49673.

Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 2
Problems fixed: 2
Un-fixable problems found: 0

Knowledge Partner

Re: Certificate issues after upgrade

Ron van den Broek,
> ERROR 49673 creating SSL CertificateIP
>

Wait a second. Type TIME on the console. Is time in sync?

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)


Anonymous_User Absent Member.

Re: Certificate issues after upgrade

"Anders Gustafsson" <AndersG@no-mx.forums.novell.com> wrote in message
news:VA.0000420e.00b8fed3@no-mx.forums.novell.com...
> Ron van den Broek,
>> ERROR 49673 creating SSL CertificateIP
>>

> Wait a second. Type TIME on the console. Is time in sync?
>


Yep. I checked that earlier with dsrepair. Time is in sync in the whole
tree. But quite right you asked.

Ron

Knowledge Partner

Re: Certificate issues after upgrade

Hi,

Ron van den Broek wrote:
>
> Thanks for your quick response!
>
> I just deleted the "SSL CertificateIP - DHD1". Created two new ones
> (test001 and 'SSL CertificateIP - DHD1') using NWadmin (Key Material
> object).
>
> When I choose the standard options, I get the error:
> "The tree CA is unable to sign the certificate. Error code: 49673"
>
> When I choose the custom options, I get the error:
> "Can't generate the certificate signing request. Error code: -1211"
>
> Was this what you meant?


Your CA is hosed or outright missing. Check the Certificate Authority
object in your security container. Does it have a host server assigned?

CU,
--
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de
Knowledge Partner

Re: Certificate issues after upgrade

OK. Let me ask Novell what that error means.

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)


Anonymous_User Absent Member.

Re: Certificate issues after upgrade

"Massimo Rosen" <mrosenNO@SPAMcfc-it.de> wrote in message
news:4B64CD45.AD0A990F@SPAMcfc-it.de...
> Hi,
>
> Ron van den Broek wrote:
>>
>> Thanks for your quick response!
>>
>> I just deleted the "SSL CertificateIP - DHD1". Created two new ones
>> (test001 and 'SSL CertificateIP - DHD1') using NWadmin (Key Material
>> object).
>>
>> When I choose the standard options, I get the error:
>> "The tree CA is unable to sign the certificate. Error code: 49673"
>>
>> When I choose the custom options, I get the error:
>> "Can't generate the certificate signing request. Error code: -1211"
>>
>> Was this what you meant?

>
> Your CA is hosed or outright missing. Check the Certificate Authority
> object in your security container. Does it have a host server assigned?
>
> CU,
> --


Hi Massimo,

CA hosed, could very well be.. But it's not missing and the host server is
assigned.
I did some extra testing. When I try to renew the public key (with nwadmin)
of an existing certificate on another server (not the newly upgraded and not
the CA server), it gives me the same:

Can't generate the certificate signing request. Error code: -1222

So indeed, does this point more to problems with the CA itself than to the
newly upgraded server? This was the first server I upgraded since the CA
server a year ago. Maybe the CA was hosed all the time, but only now it
shows?

Thanks
Ron

Anonymous_User Absent Member.

Re: Certificate issues after upgrade

> OK. Let me ask Novell what that error means.
>


Thanks very much for your help Anders,

I did some extra testing. When I try to renew the public key (with nwadmin)
of an existing certificate on another server (not the newly upgraded and not
the CA server), it gives me the same:

Can't generate the certificate signing request. Error code: -1222

Does this point more to problems with the CA itself than to the newly
upgraded server? This was the first server I upgraded since the CA server a
year ago. Maybe the CA was hosed all the time, but only now it shows?

Ron

Anonymous_User Absent Member.

Re: Certificate issues after upgrade


>
> Your CA is hosed or outright missing. Check the Certificate Authority
> object in your security container. Does it have a host server assigned?
>


I double checked CA settings with C1:

Dist. name: TMS_TREE Organizational CA.Security
Host server: TMS1.SERVICES.RTD.NL.TMS

public key cert:
Subject name: OU=Organizational CA.O=TMS_TREE
Issuer name: O=NICI Licensed CA.CN=NICI Machine-Unique CA
11E9497E-9086F10E640A332AEBE9B71826020723
Effective dat 27 juni 2001 9:00:00 GMT
Exp. date 27 juni 2011 11:00:00 GMT
Cert status: valid

self signed cert:
Subject name: OU=Organizational CA.O=TMS_TREE
Issuer name: OU=Organizational CA.O=TMS_TREE
Effective dat 27 juni 2001 9:00:00 GMT
Exp. date 27 juni 2011 11:00:00 GMT
Cert status: valid

Don't know if this is useful info, but just to be sure..

Ron
