hhs_admin

Commodore
2018-04-09
11:27
923 views
SAN Service overwrites "Common Server Certificate"
When preparing OES2015SP1 for OES2018 upgrade the "Common Server Certificate" as shown by YaST gets "lost" ... overwritten by SAN service.
Exported eDirectory server cert is not accepted for import as "Common Server Certificate".
Steps tested:
- Create Server Certificate with YaST CA and install as Common Server Certificate. Result: SAN service overwrites /etc/ssl/servercerts/... on next reboot. These cert and key are o.k. (delivered by Apache) and include the full chain, but "Common Server Certificate" is empty 😞
- Export SSL CertificateDNS via iManager to cert.pfx. Rename to cert.p12 --> Cannot be imported via YaST as Common Server Certificate
Thus I can't upgrade to OES2018, as "5.3.5 Ensuring That the Server Has a Server Certificate" in Installation Guide isn't fulfilled.
Klaus
4 Replies


Knowledge Partner
2018-04-09
13:12
Did you by chance miss this part?
---snip---
IMPORTANT: Most OES servers have either an eDirectory certificate or a third-party certificate installed.
These instructions only apply when that is not the case.
---end-of-snip---
If you like it: like it.


Knowledge Partner
2018-04-09
13:23
On 09.04.2018 12:34, hhs admin wrote:
>
> When preparing OES2015SP1 for OES2018 upgrade the "Common Server
> Certificate" as shown by YaST gets "lost" ... overwritten by SAN
> service.
> Exported eDirectory server cert is not accepted for import as "Common
> Server Certificate".
>
> Steps tested:
>
> - Create Server Certificate with YaST CA and install as Common Server
> Certificate. Result: SAN service overwrites /etc/ssl/servercerts/...
> on next reboot. These cert and key are o.k. (delivered by Apache) and
> include the full chain, but "Common Server Certificate" is empty 😞
> - Export SSL CertificateDNS via iManager to cert.pfx. Rename to
> cert.p12 --> Cannot be imported via YaST as Common Server
> Certificate
> -
>
>
> Thus I can't upgrade to OES2018, as "5.3.5 Ensuring That the Server Has
> a Server Certificate" in Installation Guide isn't fulfilled.
There's a lot of confusion here, which isn't surprising.
In a simple, single sentence: Never touch YaST > Server Certificates on
an OES Server. It is totally detached from OES certificates and will
wreak havoc on you. On a default OES server, you'll never have to touch
certs manually.
CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de


Knowledge Partner
2018-04-09
13:37
On 09.04.2018 12:34, hhs admin wrote:
> 5.3.5 Ensuring That the Server Has
> a Server Certificate
The *really* important part of this section:
"IMPORTANT: Most OES servers have either an eDirectory certificate or a
third-party certificate installed.
These instructions only apply when that is not the case"
...which is almost never the case, and if it were, you would know it.
CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
hhs_admin

Commodore
2018-04-09
14:03
mathiasbraun;2478790 wrote:
Did you by chance miss this part?
---snip---
IMPORTANT: Most OES servers have either an eDirectory certificate or a third-party certificate installed.
These instructions only apply when that is not the case.
---end-of-snip---
Oh. Yes ... I missed it 😞 Sorry.
But when starting the upgrade, ignoring the missing Common Server Certificate, later on I get an error message like Root Certificate not found and the upgraded server isn't functional (i.e. no iManager).