Absent Member.

Miggui Certificate Failure

I am trying to migrate files from a 6.5 server to OES 11. I am getting the following error.

Error: File /opt/novell/migration/plugin/conf/SourceServerCert.der is not a valid certificate file. No 'BEGIN CERTIFICATE' string

That is the failure and then it won't let me connect to the source server. I have tried both secure and non-secure ports. The weird thing is that it worked great for a while. I moved a lot of data on several 6.5 servers to OES servers and then it just stopped working. I have tried reboots on all servers involved and have tried several different 6.5 and OES servers with no luck.

Any help?
0 Likes
16 Replies
Knowledge Partner

melnikok;2241866 wrote:
I am trying to migrate files from a 6.5 server to OES 11. I am getting the following error.

Error: File /opt/novell/migration/plugin/conf/SourceServerCert.der is not a valid certificate file. No 'BEGIN CERTIFICATE' string

That is the failure and then it won't let me connect to the source server. I have tried both secure and non-secure ports. The weird thing is that it worked great for a while. I moved a lot of data on several 6.5 servers to OES servers and then it just stopped working. I have tried reboots on all servers involved and have tried several different 6.5 and OES servers with no luck.

Any help?


maybe rename the actual file referenced to like .old and see if it'll re-fetch it correctly?
0 Likes
Knowledge Partner

Melnikok,
> Error: File /opt/novell/migration/plugin/conf/SourceServerCert.der is
> not a valid certificate file. No 'BEGIN CERTIFICATE' string


Look at the debug log. It pulls that cert from the source server. Is
the copy on source corrupt?

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms

0 Likes
Absent Member.

There is no file in that location by that name.
0 Likes
Absent Member.

I suppose it could be. I ran tckeygen and pkidiag and all seems to be fine. Is there something else I should be doing to check it? The log file has the following information:
2013-01-22 12:17:13,729 ERROR - Migration Framework:getServerCert:Command failed with message
2013-01-22 12:17:13,731 INFO - Migration Framework:getSSCert:
2013-01-22 12:17:13,731 ERROR - Migration Framework:getSSCert:Information: Contacting the server 10.9.231.231
2013-01-22 12:17:13,731 ERROR - Migration Framework:getSSCert:Information: Executing openssl command 'echo |openssl s_client -connect 10.9.231.231:636 > /opt/novell/migration/plugin/conf/SourceServerCert.der 2>&1'
2013-01-22 12:17:13,731 ERROR - Migration Framework:getSSCert:Information: File /opt/novell/migration/plugin/conf/SourceServerCert.der created
2013-01-22 12:17:13,731 ERROR - Migration Framework:getSSCert:Error: File /opt/novell/migration/plugin/conf/SourceServerCert.der is not a valid certificate file. No 'BEGIN CERTIFICATE' string
2013-01-22 12:17:13,731 ERROR - Migration Framework:getSSCert:
0 Likes
Knowledge Partner

Melnikok,
> openssl s_client -connect 10.9.231.231:636


Try that command from a prompt, what do you see?

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)


0 Likes
Absent Member.

Same result. Identical error as the log file.
0 Likes
Absent Member.

Sorry, misunderstood. When I try the command you suggested I get the following message:
CONNECTED(00000003)
16408:error:140790ES:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
0 Likes
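The log earlier in the thread shows the capture command redirecting both stdout and stderr of `openssl s_client` into `SourceServerCert.der`, so a failed handshake leaves the error text in that file instead of a certificate. The following is an added example, not code from the thread or from the migration tool, that classifies such a capture; `classify_capture`, `extract_pem` and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example; classify_capture and extract_pem are hypothetical helper names.

# Say what a file written by "... s_client ... > FILE 2>&1" actually holds.
classify_capture() {
    if [ ! -s "$1" ]; then
        echo "empty"
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
         grep -q -e '-----END CERTIFICATE-----' "$1"; then
        echo "certificate"
    elif grep -qi 'handshake failure' "$1"; then
        echo "handshake-failure"      # TLS never completed, so no cert was captured
    elif grep -qi -e 'connect:' -e 'connection refused' "$1"; then
        echo "connect-error"          # the TCP connection to the port failed
    else
        echo "no-certificate"
    fi
}

# Keep only the PEM block, dropping the s_client chatter around it.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Constructed sample captures. failed.der reuses the two lines posted above;
# the base64 body in good.der is a placeholder, not a real certificate.
demo_dir=$(mktemp -d)
cat > "$demo_dir/failed.der" <<'EOF'
CONNECTED(00000003)
16408:error:140790ES:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
EOF
cat > "$demo_dir/good.der" <<'EOF'
CONNECTED(00000003)
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
subject=/CN=constructed.example
EOF
: > "$demo_dir/empty.der"

for f in failed good empty; do
    printf '%s.der: %s\n' "$f" "$(classify_capture "$demo_dir/$f.der")"
done
```

A `handshake-failure` result points at the LDAP listener on the source server rather than at the file on the migration host.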
Knowledge Partner

Melnikok,
> Sorry misunderstood. When I try the command you suggested I get the
> following message
> CONNECTED(00000003)
> 16408:error:140790ES:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:


OK. You get a handshake failure. Can you do this on the source server:

First, assuming your cert had expired and pkidiag fixed it:

Unload nldap
load nldap

retry openssl s_client -connect 10.9.231.231:636 on the linux box

If the command still fails, do this:


On ConsoleOne, on the LDAP server object, screen options, enable all
checkboxes, save, then

unload nldap
load nldap
load DSTRACE
DSTRACE -ALL
DSTRACE +LDAP
DSTRACE FILE ON
DSTRACE SCREEN ON

retry the command above

DSTRACE FILE OFF

post result of dstrace.log here

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)


0 Likes
Absent Member.

Checking for configuration changes
Failed to duplicate context 0x7568001d in DuplicateNDSContext, err = transport failure (-625)
Created new monitor 0x0
Monitor 0x47a started
New TLS connection 0x732fa1a0 from 10.16.231.114:37073, monitor = 0x47a, index = 1
Monitor 0x47a initiating TLS handshake on connection 0x732fa1a0
(10.16.231.114:37073)(0x0000:0x00) DoTLSHandshake on connection 0x732fa1a0
(10.16.231.114:37073)(0x0000:0x00) TLS handle allocation failed on connection 0x732fa1a0, setting err = -5873. Error stack:
error:140BA0C3:SSL routines:SSL_new:null ssl ctx
(10.16.231.114:37073)(0x0000:0x00) TLS handshake failed on connection 0x732fa1a0, err = -5873
Server closing connection 0x732fa1a0, socket error = -5873
Connection 0x732fa1a0 closed
Checking for configuration changes
Failed to duplicate context 0x75680020 in DuplicateNDSContext, err = transport failure (-625)
0 Likes
Absent Member.

After seeing there was no Certificate selected in the SSL/TLS Configuration Tab I put in the IP certificate for that server. After running the command you have above I now get this in my log file. It still will not connect.

New TLS connection 0x730a81e0 from 10.16.231.114:37131, monitor = 0x472, index = 1
Monitor 0x472 initiating TLS handshake on connection 0x730a81e0
(10.16.231.114:37131)(0x0000:0x00) DoTLSHandshake on connection 0x730a81e0
BIO ctrl called with unknown cmd 7
(10.16.231.114:37131)(0x0000:0x00) Completed TLS handshake on connection 0x730a81e0
New cleartext connection 0x730a8340 from 10.16.231.114:46193, monitor = 0x472, index = 2
(10.16.231.114:46193)(0x000c:0x60) DoBind on connection 0x730a8340
(10.16.231.114:46193)(0x000c:0x60) Bind name:cn=administrator,o=fcps, version:3, authentication:simple
(10.16.231.114:46193)(0x000c:0x60) Rejecting unencrypted bind on cleartext port in nds_back_bind, err = 13
(10.16.231.114:46193)(0x000c:0x60) Sending operation result 13:"":"" to connection 0x730a8340
New cleartext connection 0x730a84a0 from 10.16.231.114:46194, monitor = 0x472, index = 3
(10.16.231.114:46194)(0x000d:0x60) DoBind on connection 0x730a84a0
(10.16.231.114:46194)(0x000d:0x60) Bind name:cn=administrator,o=fcps, version:3, authentication:simple
(10.16.231.114:46194)(0x000d:0x60) Rejecting unencrypted bind on cleartext port in nds_back_bind, err = 13
(10.16.231.114:46194)(0x000d:0x60) Sending operation result 13:"":"" to connection 0x730a84a0
New cleartext connection 0x730a8600 from 10.16.231.114:46197, monitor = 0x472, index = 4
(10.16.231.114:46197)(0x000e:0x60) DoBind on connection 0x730a8600
(10.16.231.114:46197)(0x000e:0x60) Bind name:cn=administrator,o=fcps, version:3, authentication:simple
(10.16.231.114:46197)(0x000e:0x60) Rejecting unencrypted bind on cleartext port in nds_back_bind, err = 13
(10.16.231.114:46197)(0x000e:0x60) Sending operation result 13:"":"" to connection 0x730a8600
0 Likes
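The two DSTRACE captures posted above show different failures: first a TLS handshake that dies with `null ssl ctx`, then a completed handshake followed by simple binds rejected on the cleartext port. The following is an added example, not code from the thread or from Novell, that summarises such a trace; `triage_ldap_trace` is a hypothetical name and the sample file is assembled from lines posted in this thread.

```shell
#!/bin/sh
# Added example; triage_ldap_trace is a hypothetical helper name.

# Summarise an LDAP DSTRACE capture: how connections arrived and why they failed.
triage_ldap_trace() {
    awk '
    /New TLS connection/        { tls++ }
    /New cleartext connection/  { clear++ }
    /Completed TLS handshake/   { hs_ok++ }
    /TLS handshake failed/      { hs_fail++ }
    /SSL_new:null ssl ctx/      { no_ctx++ }
    /Rejecting unencrypted bind on cleartext port/ {
        rejected++
        # Line starts "(ip:port)(...)"; keep just the client IP.
        if (match($0, /^\([0-9.]+:/)) src[substr($0, 2, RLENGTH - 2)]++
    }
    END {
        printf "tls=%d cleartext=%d handshake_ok=%d handshake_failed=%d\n",
               tls, clear, hs_ok, hs_fail
        printf "null_ssl_ctx=%d rejected_cleartext_binds=%d\n", no_ctx, rejected
        for (ip in src) printf "cleartext_bind_from=%s count=%d\n", ip, src[ip]
    }' "$1"
}

# Sample trace assembled from lines posted in this thread.
trace_dir=$(mktemp -d)
cat > "$trace_dir/dstrace.log" <<'EOF'
New TLS connection 0x732fa1a0 from 10.16.231.114:37073, monitor = 0x47a, index = 1
(10.16.231.114:37073)(0x0000:0x00) TLS handle allocation failed on connection 0x732fa1a0, setting err = -5873. Error stack:
error:140BA0C3:SSL routines:SSL_new:null ssl ctx
(10.16.231.114:37073)(0x0000:0x00) TLS handshake failed on connection 0x732fa1a0, err = -5873
New TLS connection 0x730a81e0 from 10.16.231.114:37131, monitor = 0x472, index = 1
(10.16.231.114:37131)(0x0000:0x00) Completed TLS handshake on connection 0x730a81e0
New cleartext connection 0x730a8340 from 10.16.231.114:46193, monitor = 0x472, index = 2
(10.16.231.114:46193)(0x000c:0x60) Rejecting unencrypted bind on cleartext port in nds_back_bind, err = 13
New cleartext connection 0x730a84a0 from 10.16.231.114:46194, monitor = 0x472, index = 3
(10.16.231.114:46194)(0x000d:0x60) Rejecting unencrypted bind on cleartext port in nds_back_bind, err = 13
EOF

triage_ldap_trace "$trace_dir/dstrace.log"
```

In this thread the `null ssl ctx` failure went away once a certificate was selected on the LDAP server's SSL/TLS Configuration tab; the remaining rejections are simple binds arriving without TLS, which the server answers with result 13.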