n_kerr Absent Member.

NW 65 and DigiCert

We have a NW 6.5 SP8 server that we need to update the SSL Cert on. I have generated the CSR request and received the SSL Cert from DigiCert. I imported the info into the object that I created for the CSR request. Everything is valid for the Trusted Root and Public Key certificates.

However when I use the SSL Cert checker from DigiCert I get the following error messages:


SSL Certificate is expired.

The certificate was valid from 12/18/2008 through 12/18/2009.

It is also showing the wrong serial number for the cert.


SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

I have modified the nwconfig file to use the new SSL cert as well as the conf files for Apache.

Does NW 6.5 work with wildcard certs?

Thanks,
Nancy

Knowledge Partner

Re: NW 65 and DigiCert

N kerr,
> Does NW 6.5 work with wildcard certs?


Never tried to be fair, but did you restart apache after installing the
cert?

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms

n_kerr Absent Member.

Re: NW 65 and DigiCert

Yes. I even rebooted the server. Still get the same error message.

n_kerr Absent Member.

Re: NW 65 and DigiCert

There are some NDS objects for expired certs still in the same container as the new cert. Would that be causing any problems?

Knowledge Partner

Re: NW 65 and DigiCert

N kerr,
> There are some NDS objects for expired certs still in the same container
> as the new cert. Would that be causing any problems?


No, as long as you have the correct certificate specified in the listen
statement of httpd.conf. Just for laughs, try changing the name there to
something invalid, add a char or so, unload apache, load apache. In this
case Apache should not load and an error should be written into
startup.err

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

n_kerr Absent Member.

Re: NW 65 and DigiCert

Apache did not load when I added an extra character to cert name. When I type in https://web site I get the following error message.

There is a problem with this website's security certificate.


Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information


If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.

For more information, see "Certificate Errors" in Internet Explorer Help.

According to DigiCert the SSL cert on the server is still expired and is not trusted.

Knowledge Partner

Re: NW 65 and DigiCert

N kerr,
> Apache did not load when I added an extra character to cert name. When
> I type in https://web site I get the following error message.


OK. Then we have something. If you look at that cert in ConsoleOne, or
iManager, what dates do you see? Ie the same old dates or the
certificate's new dates?

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

n_kerr Absent Member.

Re: NW 65 and DigiCert

When I view the info for the object in NDS I see the correct dates (what it should be for the Digicert).

Knowledge Partner

Re: NW 65 and DigiCert

N kerr,
> When I view the info for the object in NDS I see the correct dates (what
> it should be for the Digicert).


And that certificate is assigned to the server where apache runs? What
does your listen statement look like in httpd.conf?

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

n_kerr Absent Member.

Re: NW 65 and DigiCert

The following is the info for the listen statement in the httpd.conf file:

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 81
SecureListen 444 "Digi12"
#"Thawte08b"
# "SSL CertificateDNS"

Knowledge Partner

Re: NW 65 and DigiCert

N kerr,
> "Digi12"


I assume then that the Certificate name in edir is then Digi12 -
Servername?

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

n_kerr Absent Member.

Re: NW 65 and DigiCert

That is correct.

Knowledge Partner

Re: NW 65 and DigiCert

N kerr,
> That is correct.


In that case it is really odd and it has always worked for me. Are you
100% sure that you are contacting the same instance of apache that
loads the certificate? Sure that no proxies are in the way?

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

n_kerr Absent Member.

Re: NW 65 and DigiCert

There are no proxies.

Knowledge Partner

Re: NW 65 and DigiCert

N kerr,
> There are no proxies.


And:

"Are you 100% sure that you are contacting the same instance of apache
that loads the certificate"

Ie unload all instances of apache, then load just the one with the
cert, surf to that site, look at the cert, what does it say? Also check
and doublecheck the info on that same cert in ConsoleOne.

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

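The check discussed in this thread (is the listener serving the certificate that was just issued, or an older one?) can be done from any workstation that has the openssl command-line tool. The script below is an added example, not something posted by the thread's participants; the function names, the file names and the host name in the usage comment are assumptions, and port 444 is the SecureListen port quoted above.

```shell
#!/bin/sh
# Added example: confirm which certificate a TLS listener really serves
# and compare it with the certificate file received from the CA.

# Fetch the leaf certificate presented on HOST:PORT and save it as PEM.
fetch_served_cert() {  # usage: fetch_served_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# Print the serial number of a PEM certificate as upper-case hex.
cert_serial() {  # usage: cert_serial FILE.pem
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Succeed only if the certificate is still valid N seconds from now
# (N defaults to 0, meaning "not expired right now").
cert_not_expired() {  # usage: cert_not_expired FILE.pem [SECONDS]
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Compare the served certificate with the issued one and print a verdict:
#   WRONG_CERT  serial numbers differ, the listener serves another cert
#   EXPIRED     same certificate, but it is past its notAfter date
#   MATCH       same certificate and still valid
compare_certs() {  # usage: compare_certs SERVED.pem ISSUED.pem
    served=$(cert_serial "$1")
    issued=$(cert_serial "$2")
    if [ "$served" != "$issued" ]; then
        echo "WRONG_CERT"
    elif ! cert_not_expired "$1"; then
        echo "EXPIRED"
    else
        echo "MATCH"
    fi
}

# Typical run (www.example.com is a placeholder host name):
#   fetch_served_cert www.example.com 444 served.pem
#   compare_certs served.pem issued_by_ca.pem
```

A WRONG_CERT verdict on one port and MATCH on another means two listeners are configured with different certificates, which is the "same instance" question raised in the last reply.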