ronnys Absent Member.

How to renew SSL-certificate?

Hi!
We are running an OES2 Linux with eDirectory and LDAPS.

Our Public SSL Certificate is about to expire and we need to Re-create/Renew.
On NetWare this was very easy, but I'm stuck on OES2 Linux.

I did find some guide for using ConsoleOne, but I don't have C1 installed. Do I really need C1?
The existing SSL certificate also contains the wrong DNS address for the trusted server. So I also need to change this too.

Anyone that can give me a guide to do this?

Best regards, Ronny Simonsen Narvik - Norway

ronnys Absent Member.

SOLVED (How to renew SSL-certificate?)

Ok! I found the solution!
It's very easy! iManager -> Novell Certificate Server -> Create Default Certificate

Enter IP and DNS and then done!

🙂
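
A way to confirm that a regenerated certificate fixes both problems from the question (the expiry date and the wrong DNS name), as an added example that is not part of the original posts. It uses the standard openssl command line; oes2.example.com, 192.0.2.10 and the file names are placeholders, and the sample certificate is generated on the spot so the script runs offline.

```shell
#!/bin/sh
# To check a live LDAPS listener instead of the sample, save its certificate:
#   openssl s_client -connect HOST:636 </dev/null 2>/dev/null | openssl x509 > live.pem

# check_cert PEM DNSNAME IP DAYS
# Prints one finding per failed check; returns non-zero if any check fails.
check_cert() {
  pem=$1 dns=$2 ip=$3 days=$4 rc=0
  openssl x509 -in "$pem" -noout -checkend $((days * 86400)) 2>/dev/null |
    grep -q 'will not expire' ||
    { echo "expires within $days days"; rc=1; }
  openssl x509 -in "$pem" -noout -checkhost "$dns" 2>/dev/null |
    grep -q 'does match' ||
    { echo "DNS name $dns not in certificate"; rc=1; }
  openssl x509 -in "$pem" -noout -checkip "$ip" 2>/dev/null |
    grep -q 'does match' ||
    { echo "IP $ip not in certificate"; rc=1; }
  return $rc
}

# make_sample_cert OUT.pem DAYS SAN
# Constructed throwaway self-signed certificate, only for the demonstration.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj "/CN=sample" -addext "subjectAltName=$3" 2>/dev/null
}

# Demonstration: a certificate close to expiry that still carries an old name.
tmp=$(mktemp -d)
make_sample_cert "$tmp/stale.pem" 10 "DNS:old-name.example.com"
check_cert "$tmp/stale.pem" oes2.example.com 192.0.2.10 30 || true
```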

Knowledge Partner

Re: How to renew SSL-certificate?


Good to know you found it. Thank you for posting back what you did.

Good luck.

Knowledge Partner

Re: How to renew SSL-certificate?


It may also be worth mentioning that, per the PKI 3.3 documentation, you
can now set Server Self-Provisioning on the CA and your servers can then,
within thirty days of expiration I believe, automatically update
certificates whenever pkiserver is restarted and it gives a few scenarios
when that can happen automatically or by your intervention. That may be
worth trying out if you are interested in the same in the future.

Good luck.

joerockt Absent Member.

Re: How to renew SSL-certificate?

My certs have expired, however the above fix doesn't seem to be working for me on any of my servers (OES & OES2). I've attached the results screen, it's pretty inconclusive. I've also tried to force install the certs, but no luck. Are there any logs I can look at and post?

joerockt Absent Member.

Re: How to renew SSL-certificate?

Found the log, here is the error I'm getting on step 6:

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: 172.25.56.14
PROBLEM: The KMO SSL CertificateIP has expired.
--> The KMO SSL CertificateIP's IP Address is: 172.25.56.14
----> The IP addresses match.
Step 6 failed -603.
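
When the same repair is run on several servers, a log like the one above can be triaged mechanically. This added example (not from the original posts) prints each failed step with its error code and the PROBLEM lines logged under it; the -60x names are eDirectory's standard error names, and the function names are assumptions.

```shell
#!/bin/sh
# Sample input: the log lines posted above.
sample_log() {
cat <<'EOF'
Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: 172.25.56.14
PROBLEM: The KMO SSL CertificateIP has expired.
--> The KMO SSL CertificateIP's IP Address is: 172.25.56.14
----> The IP addresses match.
Step 6 failed -603.
EOF
}

# pki_failures: read a step log on stdin and print one line per failed step
# in the form  step|code|error name|problems reported under that step
pki_failures() {
  awk '
    function meaning(c) {
      if (c == -601) return "ERR_NO_SUCH_ENTRY"
      if (c == -602) return "ERR_NO_SUCH_VALUE"
      if (c == -603) return "ERR_NO_SUCH_ATTRIBUTE"
      return "unknown"
    }
    # "Step N failed CODE." closes a step: report it with what was collected.
    /^Step [0-9]+ failed / {
      code = $4; sub(/\.$/, "", code)
      printf "%s|%s|%s|%s\n", $2, code, meaning(code + 0), problems[$2]
      next
    }
    # Any other "Step N ..." line opens a new step.
    /^Step [0-9]+ / { step = $2; next }
    # PROBLEM lines are attached to the step currently open.
    /^PROBLEM: / {
      msg = $0; sub(/^PROBLEM: /, "", msg)
      problems[step] = (problems[step] == "" ? msg : problems[step] "; " msg)
    }
  '
}

sample_log | pki_failures
```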

Knowledge Partner

Re: How to renew SSL-certificate?

joerockt wrote:

> Found the log, here is the error I'm getting on step 6:
>
> Step 6 Creating IP and DNS Certificates if necessary.
> --> Number of Server IP addresses = 1
> --> The default IP address is: 172.25.56.14
> PROBLEM: The KMO SSL CertificateIP has expired.
> --> The KMO SSL CertificateIP's IP Address is: 172.25.56.14
> ----> The IP addresses match.
> Step 6 failed -603.

Delete the existing certs and try to create the default certs again.
Sometimes fixes the 603 error (at least on NetWare it did).

--
Cheers,
Edward

Knowledge Partner

Re: How to renew SSL-certificate?


Also try creating a certificate on this server manually in ConsoleOne or
iManager. A -603 can also result when your CA is hosed for one reason or
another (for example, when it lacks a Host Server attribute) and that
would make sense here I believe.

Good luck.

joerockt Absent Member.

Re: How to renew SSL-certificate?

Tried to create a server cert, got the attached error. Below are the details:

java.lang.NullPointerException
    at com.novell.admin.PKI.certificate.eDir.eDirCertificateManager.D(Unknown Source)
    at com.novell.admin.PKI.certificate.eDir.eDirCertificateManager.cmmCertificate_Create(Unknown Source)
    at com.novell.admin.PKI.wizard.CertWizard_Create_ServerCertificate.doFinishButton(Unknown Source)
    at com.novell.admin.PKI.util.UIWizard$3.isHandled(Unknown Source)
    at com.novell.admin.PKI.util.actions.Navigate.isProcessed(Unknown Source)
    at com.novell.admin.PKI.util.UIObject.handleAction(Unknown Source)
    at com.novell.admin.PKI.util.UIContext.execute(Unknown Source)
    at com.novell.admin.PKI.tasks.LaunchServerWizard.execute(Unknown Source)
    at com.novell.emframe.dev.Task.execute(Task.java:505)
    at com.novell.nps.gadgetManager.BaseGadgetInstance.processRequest(BaseGadgetInstance.java:858)
    at com.novell.nps.gadgetManager.BaseGadgetInstance.handleAction(BaseGadgetInstance.java:2384)
    at com.novell.nps.gadgetManager.GadgetManager.processInstanceRequest(GadgetManager.java:1606)
    at com.novell.nps.gadgetManager.GadgetManager.processServiceRequest(GadgetManager.java:1062)
    at com.novell.nps.PortalServlet.handleFrameService(PortalServlet.java:505)
    at com.novell.nps.PortalServlet.processRequest(PortalServlet.java:373)
    at com.novell.nps.PortalServlet.doPost(PortalServlet.java:279)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at com.novell.emframe.fw.servlet.AuthenticatorServlet.service(AuthenticatorServlet.java:332)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.novell.emframe.fw.filter.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:25)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:619)

joerockt Absent Member.

Re: How to renew SSL-certificate?

Ok, I think I see the problem. See attached, that server no longer exists (don't ask why), which was our CA server.

So the next question is how do I create a new CA server from one of our currently existing OES servers?

joerockt Absent Member.

Re: How to renew SSL-certificate?

Sorry, forgot to attach.

Knowledge Partner

Re: How to renew SSL-certificate?


That you still see that attribute value would imply that the object for
that server still exists in the tree. If that is the case you should
clean that out first.

Recreating a CA is trivial. Finish cleaning out the tree of the old
server object (which you said is dead and gone forever, or which I at
least understand to be dead and gone forever) and then delete the current
CA (if you have a backup, great; if you do not know that you have a backup
then you don't have one and you need to recreate it) and then use iManager
to create a new CA in the Security container. It is just an object with a
class of 'NDSPKI:Certificate Authority' as I recall. One of your servers
will need to host the CA so choose an eDirectory server that you like.

Good luck.




joerockt wrote:
> sorry forgot to attach.
>
>
> +----------------------------------------------------------------------+
> |Filename: caserver.jpg |
> |Download: http://forums.novell.com/attachment.php?attachmentid=3854 |
> +----------------------------------------------------------------------+
>

joerockt Absent Member.

Re: How to renew SSL-certificate?

Ok, the server object didn't exist, but I found other objects of that dead server and removed them.

Also found this doc:

How do I move the Organizational CA to another server?

Which is a walk through of this procedure. I'm ready to delete my CA object, will let you know how it goes...

joerockt Absent Member.

Re: How to renew SSL-certificate?

Success. New CA was assigned to a new server and object created. Repaired certs on that same server and this time no errors.

Thanks!