lantonioli Absent Member.

SSL Certificate Failure

I've installed a new NW65SP8 server into an existing tree. In the same
context as this server there are another 2 NW65SP7 servers and 1 OES2
Linux server. The new server does not have a replica of an eDir partition.

After install, Apache would not load and I found that there was a
problem with the certificates. I tried to run PKIDIAG to fix the issue
but I'm getting error -603 in step 6. Below is the PKIDIAG log (I've
removed references to old certs and other servers).

Using C1 I can create a test cert for the server that is the CA so the
CA seems to work OK.

I can't find any TIDs on this (relating to winsock error/not able to
detect IP address). Any help resolving this is greatly appreciated.

Lou

PKIDiag 2.78 -- (compiled Jul 18 2005 17:19:11).
(Check the end of the log for the last repair results)
Current Time: Fri May 15 15:41:28 2009
User logged-in as: admin.xxxxxivil.
Fixing mode
Rename and create mode
Rename and create when necessary

--> Server Name = 'GARFIELD'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'GARFIELD.xxxxxivil' points to SAS Service object 'SAS
Service - GARFIELD.xxxxxivil'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - GARFIELD.xxxxxivil' is backlinked
to server 'GARFIELD.xxxxxivil'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service -
GARFIELD.xxxxxivil'.
--->KMO IP AG 192\.168\.0\.100 - GARFIELD.xxxxxivil is linked.
--->KMO SSL CertificateIP - GARFIELD.xxxxxivil is linked.
--->KMO DNS AG garfield\.xxxxxivil\.com\.au - GARFIELD.xxxxxivil is linked.
--->KMO SSL CertificateDNS - GARFIELD.xxxxxivil is linked.
Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'SSL CertificateDNS - GARFIELD.xxxxxivil'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'DNS AG garfield\.xxxxxivil\.com\.au - GARFIELD.xxxxxivil'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateIP - GARFIELD.xxxxxivil'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'IP AG 192\.168\.0\.100 - GARFIELD.xxxxxivil'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.
Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service -
GARFIELD.xxxxxivil'.
KMO 'IP AG 192\.168\.0\.100 - GARFIELD.xxxxxivil' is linked.
KMO 'SSL CertificateIP - GARFIELD.xxxxxivil' is linked.
KMO 'DNS AG garfield\.xxxxxivil\.com\.au - GARFIELD.xxxxxivil' is linked.
KMO 'SSL CertificateDNS - GARFIELD.xxxxxivil' is linked.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
WARNING: We are not able to determine the IP address of this Server.

This is probably due to either a winsock defect or a IP/DNS
misconfiguration.
There are known defects with winsock support.
Please update to the latest service pack.

PROBLEM: A SSL CertificateIP does not exist
Step 6 failed -603.


Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 1
Problems fixed: 0
Un-fixable problems found: 0
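
An added example (not part of the original post, and not Novell code): a small Python parser for the PKIDiag output format shown above. It reports the failing step with its error code and flags any PROBLEM line that names a certificate the same log already lists as linked. The sample log is a trimmed copy of the posted output, and all function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: trimmed from the PKIDiag 2.78 output quoted in the post.
SAMPLE_LOG = r"""
Step 1 Verifying the Server's link to the SAS Service Object.
Step 1 succeeded.
Step 3 Verifying the links to the KMOs
--->KMO IP AG 192\.168\.0\.100 - GARFIELD.xxxxxivil is linked.
--->KMO SSL CertificateIP - GARFIELD.xxxxxivil is linked.
--->KMO DNS AG garfield\.xxxxxivil\.com\.au - GARFIELD.xxxxxivil is linked.
--->KMO SSL CertificateDNS - GARFIELD.xxxxxivil is linked.
Step 3 succeeded.
Step 4 Verifying the KMOs
---> Testing KMO 'SSL CertificateIP - GARFIELD.xxxxxivil'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.
Step 4 succeeded.
Step 6 Creating IP and DNS Certificates if necessary.
WARNING: We are not able to determine the IP address of this Server.
PROBLEM: A SSL CertificateIP does not exist
Step 6 failed -603.
Fixable problems found: 1
Problems fixed: 0
Un-fixable problems found: 0
"""

STEP_END = re.compile(r"^Step (\d+) (succeeded|failed)\.?\s*(-?\d+)?\.?$")
STEP_START = re.compile(r"^Step (\d+) (.+)$")
LINKED = re.compile(r"^(?:--->)?\s*KMO '?(.+?)'? is linked\.$")  # Step 3 and Step 5 forms
TESTING = re.compile(r"^---> Testing KMO '(.+)'\.$")
CHECK = re.compile(r"^(Rights check|Back link|Private Key) -- (.+?)\.$")
NOTE = re.compile(r"^(WARNING|PROBLEM): (.+)$")
COUNTER = re.compile(r"^(Fixable problems found|Problems fixed|Un-fixable problems found): (\d+)$")
MISSING = re.compile(r"^An? (.+) does not exist$")

@dataclass
class Step:
    number: int
    title: str
    status: str = "incomplete"      # "succeeded", "failed" or "incomplete"
    error: Optional[int] = None     # e.g. -603 when the step failed
    warnings: list = field(default_factory=list)
    problems: list = field(default_factory=list)

@dataclass
class Report:
    steps: dict = field(default_factory=dict)        # step number -> Step
    linked_kmos: set = field(default_factory=set)    # KMO names reported as linked
    kmo_checks: dict = field(default_factory=dict)   # KMO name -> {check: result}
    counters: dict = field(default_factory=dict)     # summary lines at the end

def parse_pkidiag(text):
    """Parse PKIDiag output; lines wrapped by a mail client are not rejoined."""
    report, step, kmo = Report(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := STEP_END.match(line):
            done = report.steps.get(int(m.group(1)))
            if done:
                done.status = m.group(2)
                done.error = int(m.group(3)) if m.group(3) else None
            step = kmo = None
        elif m := STEP_START.match(line):
            step = Step(int(m.group(1)), m.group(2))
            report.steps[step.number] = step
        elif m := LINKED.match(line):
            report.linked_kmos.add(m.group(1))
        elif m := TESTING.match(line):
            kmo = m.group(1)
            report.kmo_checks[kmo] = {}
        elif (m := CHECK.match(line)) and kmo:
            report.kmo_checks[kmo][m.group(1)] = m.group(2)
        elif (m := NOTE.match(line)) and step:
            (step.warnings if m.group(1) == "WARNING" else step.problems).append(m.group(2))
        elif m := COUNTER.match(line):
            report.counters[m.group(1)] = int(m.group(2))
    return report

def failed_steps(report):
    return [(s.number, s.error) for s in report.steps.values() if s.status == "failed"]

def contradictions(report):
    """PROBLEM lines saying a certificate is missing although the log listed it as linked."""
    found = []
    for s in report.steps.values():
        for problem in s.problems:
            m = MISSING.match(problem)
            for name in sorted(report.linked_kmos) if m else ():
                if name.startswith(m.group(1) + " - "):
                    found.append((s.number, problem, name))
    return found

if __name__ == "__main__":
    rep = parse_pkidiag(SAMPLE_LOG)
    print("failed steps:", failed_steps(rep))
    print("contradictions:", contradictions(rep))
```
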

Knowledge Partner

Re: SSL Certificate Failure


Using C1 can you create a cert for this server? Have you tried deleting
this server's certs and recreating them (also linking them back up with
the LDAP Server object)?

Good luck.





Knowledge Partner

Re: SSL Certificate Failure


Also, does your SAS Service object link to your NCP Server object (Host
Server attribute) and vice versa (SAS:Service DN attribute)?

Good luck.





lantonioli Absent Member.

Re: SSL Certificate Failure



I tried to create a cert for this server with C1; the error was:

there was an error creating the cert. you need to delete the server cert
if it exists and try again. the error code is -603.

However, the cert object did get created. The SAS Service object and NCP
server object links are fine (this also shows in the pkidiag log I think).

Thanks for your reply. Any other ideas?

Lou
Knowledge Partner

Re: SSL Certificate Failure


When did you extend schema last? It may be that something new (notBefore
or notAfter perhaps) attributes are being written (or trying to be
written) to the objects by the new PKI or plugin versions but cannot
because of a lack of schema. I don't know which dstrace switch to use to
figure out which attribute is being written but if you have applied any
Security Services patches to your box(es) then check in there for .sch or
.ldif files and import them. If the .sch files have been copied to
sys:/system/schema you can import them via nwconfig I believe.

Good luck.





lantonioli Absent Member.

Re: SSL Certificate Failure



I believe the schema was updated during the install of this server
(there was a message on the screen when the server joined the tree that
the schema was being extended). I haven't applied any Security Services
patches. The new server has eDir 8.8SP4. The CA server has eDir 8.7.3.9.
I'm not sure if this sheds any more light on the issue. Thanks again for
your help.

Lou
Knowledge Partner

Re: SSL Certificate Failure


Right, your new server probably knows about new schema that the old server
does not, but upon not finding it in the existing tree it's throwing the
-603. This is still a guess, but it's all I can think up without a trace
showing exactly what is happening when the -603 is returned. Try the
extending schema option in nwconfig on the 8.8.4 box. Make sure that box
has a replica of [root] before doing so, though.

Good luck.





>>>>>>>> GARFIELD.xxxxxivil'.
>>>>>>>> Rights check -- OK.
>>>>>>>> Back link -- OK.
>>>>>>>> Private Key -- OK.
>>>>>>>> ---> Testing KMO 'SSL CertificateIP - GARFIELD.xxxxxivil'.
>>>>>>>> Rights check -- OK.
>>>>>>>> Back link -- OK.
>>>>>>>> Private Key -- OK.
>>>>>>>> ---> Testing KMO 'IP AG 192\.168\.0\.100 - GARFIELD.xxxxxivil'.
>>>>>>>> Rights check -- OK.
>>>>>>>> Back link -- OK.
>>>>>>>> Private Key -- OK.
>>>>>>>> Step 4 succeeded.
>>>>>>>> Step 5 Re-verifying the links to the KMOs
>>>>>>>> Reading the links for SAS Service object 'SAS Service -
>>>>>>>> GARFIELD.xxxxxivil'.
>>>>>>>> KMO 'IP AG 192\.168\.0\.100 - GARFIELD.xxxxxivil' is linked.
>>>>>>>> KMO 'SSL CertificateIP - GARFIELD.xxxxxivil' is linked.
>>>>>>>> KMO 'DNS AG garfield\.xxxxxivil\.com\.au - GARFIELD.xxxxxivil' is
>>>>>>>> linked.
>>>>>>>> KMO 'SSL CertificateDNS - GARFIELD.xxxxxivil' is linked.
>>>>>>>> Step 5 succeeded.
>>>>>>>> Step 6 Creating IP and DNS Certificates if necessary.
>>>>>>>> WARNING: We are not able to determine the IP address of this Server.
>>>>>>>> This is probably due to either a winsock defect or a IP/DNS
>>>>>>>> misconfiguration.
>>>>>>>> There are known defects with winsock support.
>>>>>>>> Please update to the latest service pack.
>>>>>>>> PROBLEM: A SSL CertificateIP does not exist
>>>>>>>> Step 6 failed -603.
>>>>>>>> Note: Occasionally multiple problems will be solved with a single
>>>>>>>> fix.
>>>>>>>> Fixable problems found: 1
>>>>>>>> Problems fixed: 0
>>>>>>>> Un-fixable problems found: 0

>
>>>> I tried to create a cert for this server with C1, the error was;
>>>>
>>>> there was an error creating the cert. you need to delete the server cert
>>>> if it exists and try again. the error code is -603.
>>>>
>>>> however the cert object did get created. The SAS Service object and NCP
>>>> server object links are fine (this also shows in the pkidiag log I
>>>> think).
>>>>
>>>> Thanks for your reply. Any other ideas?
>>>>
>>>> Lou
>
> I believe the schema was updated during the install of this server
> (there was a message on the screen when the server joined the tree that
> the schema was being extended). I haven't applied any Security Services
> patches. The new server has eDir 8.8SP4. The CA server has eDir 8.7.3.9.
> I'm not sure if this sheds any more light on the issue. Thanks again for
> your help
>
> Lou

Knowledge Partner

Re: SSL Certificate Failure

ab@novell.com wrote:

> Right, your new server probably knows about new schema that the old
> server does not, but upon not finding it in the existing tree it's
> throwing the -603. This is still a guess, but it's all I can think
> up without a trace showing exactly what is happening when the -603 is
> returned. Try the extending schema option in nwconfig on the 8.8.4
> box. Make sure that box has a replica of [root] before doing so,
> though.


I've seen a 603 error a few times recreating certs. Blow away the
existing cert that has expired. That fixed my issue.


--
Cheers,
Edward
lantonioli Absent Member.

Re: SSL Certificate Failure

Edward van der Maas wrote:
> ab@novell.com wrote:
>
>> Right, your new server probably knows about new schema that the old
>> server does not, but upon not finding it in the existing tree it's
>> throwing the -603. This is still a guess, but it's all I can think
>> up without a trace showing exactly what is happening when the -603 is
>> returned. Try the extending schema option in nwconfig on the 8.8.4
>> box. Make sure that box has a replica of [root] before doing so,
>> though.

>
> I've seen a 603 error a few times recreating certs. Blow away the
> existing cert that has expired. That fixed my issue.
>
>

Thanks guys. None of the certs for this new server (as viewed in C1)
have a trusted root or a public cert. Even though the KMO object is
there the certs are not listed in the objects. And any new "test" cert I
create for this new server has the same issue.

In trying to extend the schema, what about upgrading eDir to 8.8.4 on
the CA server (also has master replica)? I'm trying to avoid having a
replica on this new server for the moment. Thanks again

Lou
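An added example, not part of the thread and not a Novell tool: a small Python parser for the PKIDIAG log format quoted in this thread, reporting each step's result, its error code, and the WARNING/PROBLEM lines logged under it. The function names `parse_pkidiag` and `failed_steps` are hypothetical, and the sample input is constructed from the log lines quoted above.

```python
import re

# Constructed sample: steps 5 and 6 of the PKIDIAG log quoted in this thread,
# shortened, with the mail quote markers left in place.
SAMPLE_LOG = """\
>>>> Step 5 Re-verifying the links to the KMOs
>>>> KMO 'SSL CertificateIP - GARFIELD.xxxxxivil' is linked.
>>>> Step 5 succeeded.
>>>> Step 6 Creating IP and DNS Certificates if necessary.
>>>> WARNING: We are not able to determine the IP address of this Server.
>>>> PROBLEM: A SSL CertificateIP does not exist
>>>> Step 6 failed -603.
>>>> Fixable problems found: 1
>>>> Problems fixed: 0
>>>> Un-fixable problems found: 0
"""

QUOTE = re.compile(r"^[>\s]+")  # mail quote prefix and indentation
RESULT = re.compile(r"^Step (\d+) (succeeded|failed)(?: (-?\d+))?\.?$")
TITLE = re.compile(r"^Step (\d+) (.+)$")
FINDING = re.compile(r"^(WARNING|PROBLEM): (.+)$")
COUNTER = re.compile(r"^(Fixable problems found|Problems fixed"
                     r"|Un-fixable problems found): (\d+)$")

def parse_pkidiag(text):
    """Return (steps, counters) parsed from a PKIDIAG log, quoted or not."""
    steps, counters, current = {}, {}, None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).rstrip()
        if m := RESULT.match(line):  # must be tried before TITLE
            step = steps.setdefault(int(m[1]), {"title": "", "findings": []})
            step["result"], step["code"] = m[2], int(m[3]) if m[3] else None
            current = None
        elif m := TITLE.match(line):
            current = steps.setdefault(int(m[1]), {"title": m[2], "findings": []})
        elif (m := FINDING.match(line)) and current is not None:
            current["findings"].append((m[1], m[2]))
        elif m := COUNTER.match(line):
            counters[m[1]] = int(m[2])
    return steps, counters

def failed_steps(text):
    """List (step, code, findings) for each step with no 'succeeded' result;
    a step whose result line is missing (truncated log) gets code None."""
    steps, _ = parse_pkidiag(text)
    return [(n, s.get("code"), s["findings"])
            for n, s in sorted(steps.items()) if s.get("result") != "succeeded"]
```

Comparing the `Fixable problems found` and `Problems fixed` counters from the second return value shows at a glance whether a repair run actually changed anything.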
Knowledge Partner

Re: SSL Certificate Failure


8.8.4 only comes w/OES 2 SP1 (including NW 6.5.8 I believe if you upgrade
to that after already having eDir 8.8.x or install NW 6.5.8 fresh) so your
best bet to get that is to have the latest OS there. eDir 8.8.5 will be
available for all platforms and should be out this quarter.

Good luck.





Lou Antonioli wrote:
> Edward van der Maas wrote:
>> ab@novell.com wrote:
>>
>>> Right, your new server probably knows about new schema that the old
>>> server does not, but upon not finding it in the existing tree it's
>>> throwing the -603. This is still a guess, but it's all I can think
>>> up without a trace showing exactly what is happening when the -603 is
>>> returned. Try the extending schema option in nwconfig on the 8.8.4
>>> box. Make sure that box has a replica of [root] before doing so,
>>> though.

>>
>> I've seen a 603 error a few times recreating certs. Blow away the
>> existing cert that has expired. That fixed my issue.
>>
>>

> Thanks guys. None of the certs for this new server (as viewed in C1)
> have a trusted root or a public cert. Even though the KMO object is
> there the certs are not listed in the objects. And any new "test" cert I
> create for this new server has the same issue.
>
> In trying to extend the schema, what about upgrading eDir to 8.8.4 on
> the CA server (also has master replica)? I'm trying to avoid having a
> replica on this new server for the moment. Thanks again
>
> Lou
