iPrint Certificate Problems

Our original CA finally expired last week. We had to renew the CA and then renew all server certificates. Everything seems fine now except for iPrint management on some servers.

When we try to access https://server_ip/psmstatus, it prompts us to accept the new certificate (which is correct), asks us to login, but then gives a "Server error 500". The Apache error_log shows "authnz_ldapdn authenticate: Hint: This could be because of certificate verification failure. See TID 7002848 for more details." I've tried every trick I can think of, but cannot figure it out. NLDAP is running properly using SSL, Apache is using the new certificates. I've checked iprint_ssl.conf and iprint_g.conf in /etc/opt/novell/iprint/httpd/conf and they match our other servers that work (other than the server name/ip). I exported the SSL Certificate DNS from iManager and used the Cool Solutions certificate recreation script on the .pfx file, but no luck there either. I finally used YaST to reconfigure both LDAP and iPrint, but that did not help either.

The TID referenced in the error_log just points back to the steps I have already followed. I am out of ideas now.
8 Replies

Knowledge Partner

Re: iPrint Certificate Problems

Yes, you will get those

The only way WE have found to fix that (note, this is disruptive since it causes a reload of eDir which will disrupt your NCP connections to the server):

1) You need to forcibly replace your server certs if not already done (in iManager, select the option to replace even if they're not expired/invalid, etc.)
2) rcndsd restart (which will also restart nldap)--THIS IS DISRUPTIVE!!!
3) namconfig -k
4) rcnamcd restart (this will update the cache)

You MAY need to reload iPrint, but I don't think so:
rcnovell-ipsmd restart

Then the error should go away.

This assumes OES of course. We've had this on OES2, OES11, OES11 SP1 as well

Absent Member.

Re: iPrint Certificate Problems

Thanks for the suggestions, but that didn't fix it. I even bounced the server afterwards just to see if that would help. We're a K-12 school system, so no one really in the building now. The servers are all OES11SP3, mostly upgraded from SP2 originally. Any other suggestions on where to look?

Absent Member.

Re: iPrint Certificate Problems

On 2014-06-12 16:06, kjhurni wrote:
> [kjhurni's reply, quoted in full; see above]

You may be able to avoid "rcndsd restart" with this procedure:

1) iManager/Novell Certificate Server/Configure Certificate Authority: Check "Enable server self-provisioning" (in the CA switch case, maybe check "Health Check - Force default certificate creation/update on CA change" too)
2) ndstrace -c "unload pkiserver"
3) ndstrace -c "load pkiserver"
4) nldap -u
5) nldap -l
6) namconfig -k; rcnamcd restart; rcapache2 restart; rcnovell-tomcat6 restart

Repeat 2) - 6) on each affected OES server (probably starting with the
CA if it also needs new server certificates). This worked for me with
OES11SP2.

Franz.

Absent Member.

Re: iPrint Certificate Problems

That didn't work either. I think I see the problem now though, but I don't know how to fix it. If I run

certmgr -ssl ldaps://server_ip:636 -c -m Trust

I get:

Self-signed X.509 Certificate v3
Issued from: OU=Organizational CA, O=WCVAPS
Issued to: OU=Organizational CA, O=WCVAPS
Valid from: 06/09/2004 10:56:52
Valid until: 06/09/2014 10:56:52
*** WARNING: Certificate isn't current ***

So, I guess LDAP on this particular server is still holding onto the old expired CA? If I run that same command against one of the servers that is working, I get:

Self-signed X.509 Certificate v3
Issued from: O=WCVAPS, OU=Organizational CA
Issued to: O=WCVAPS, OU=Organizational CA
Valid from: 06/09/2014 16:09:48
Valid until: 06/09/2024 16:09:48
This certificate is already in the Trust store.

I ran the Repair Default Certificates again, but same results. I even ran ndsconfig upgrade, but still the same thing. How can I force it to the new CA?

Thanks,
Jason

Absent Member.

Re: iPrint Certificate Problems

Well, I think I found the problem after reading this article:

https://www.netiq.com/communities/cool-solutions/cleaning-after-losing-your-ca/

On the LDAP Server object under Connections, the problem servers were all set to use the "SSL CertificateIP" certificate. Apparently, OES no longer creates that one by default and the old one expired at the same time the DNS one did. Switching the certificate to the new "SSL CertificateDNS", running "certmgr -ssl ldaps://server_ip:636 -c -m Trust" followed by restarting both NLDAP and Apache fixed the problem.

Thanks,
Jason
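The check Jason ran with certmgr (and the one behind the "certificate verification failure" hint in the Apache error_log), done with openssl instead, as an added example that is not from this thread or from the OES/eDirectory product: it pulls the chain an LDAPS endpoint actually serves, prints subject, issuer and expiry for each certificate, flags anything already expired, and verifies that the leaf chains to the CA you expect. Assumptions, not from the page: openssl is in PATH, the renewed Organizational CA has been exported to a PEM file (called new-ca.pem below), LDAPS is TLS-on-connect on port 636 (no STARTTLS needed), and the server sends either a leaf issued directly by the CA or the intermediates along with it. Run it against every server after a CA renewal; an EXPIRED or FAIL line marks a server whose LDAP Server object is still bound to an old certificate.

```shell
#!/bin/sh
# Added example: audit what an LDAPS endpoint presents after a CA renewal.
# Assumes: openssl in PATH; the new CA exported as PEM (new-ca.pem is a placeholder name).

# Fetch the chain the server sends and write one PEM per certificate into DIR
# (cert-0.pem is the leaf, cert-1.pem onwards are whatever intermediates follow).
# Returns non-zero if no certificate was received at all.
fetch_ldaps_chain() {  # host port dir
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk -v dir="$3" '
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n++ ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }'
    [ -s "$3/cert-0.pem" ]
}

# One line per certificate: subject, issuer and notAfter.
cert_summary() {  # file
    openssl x509 -in "$1" -noout -subject -issuer -enddate | tr '\n' ' '
    echo
}

# True if the certificate is still valid SECONDS from now (0 = valid right now).
# openssl exits 1 when the certificate expires within that window.
cert_valid_for() {  # file seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# True if LEAF builds a valid chain to CAFILE. An expired CA, or a leaf issued by
# a CA other than the one in CAFILE (the old Organizational CA, say), both fail.
# An optional bundle of untrusted intermediates may be supplied.
cert_chains_to() {  # leaf cafile [untrusted-bundle]
    if [ -n "$3" ] && [ -s "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Full check of one endpoint. Returns 0 only if nothing is expired and the leaf
# chains to CAFILE.
check_ldaps() {  # host port cafile
    dir=$(mktemp -d) || return 2
    if ! fetch_ldaps_chain "$1" "$2" "$dir"; then
        echo "$1:$2 no certificate received"
        rm -rf "$dir"; return 2
    fi
    rc=0
    for f in "$dir"/cert-*.pem; do
        echo "$1:$2 $(cert_summary "$f")"
        cert_valid_for "$f" 0 || { echo "$1:$2 EXPIRED: $(basename "$f")"; rc=1; }
    done
    cat "$dir"/cert-[1-9]*.pem > "$dir/untrusted.pem" 2>/dev/null
    if cert_chains_to "$dir/cert-0.pem" "$3" "$dir/untrusted.pem"; then
        echo "$1:$2 OK: chains to $3"
    else
        echo "$1:$2 FAIL: does not chain to $3 (old CA or old certificate still bound?)"
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Usage: sh check-ldaps.sh /path/to/new-ca.pem server1 server2 ...
if [ "$#" -ge 2 ]; then
    ca=$1; shift
    for h in "$@"; do check_ldaps "$h" 636 "$ca"; done
fi
```

The script checks trust, not names: it does not verify that the subject or SAN matches the host you connected to, since the thread's problem is an expired CA rather than a naming mismatch. Compare the "issuer=" line against the subject of the new CA; a server still presenting a certificate issued by the 2004 CA is the one to fix in the LDAP Server object.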

Knowledge Partner

Re: iPrint Certificate Problems

Odd, it's always created both the CertificateIP and CertificateDNS for me when I chose the option in iManager to forcibly overwrite them.
But glad you got it working anyway.

Absent Member.

Re: iPrint Certificate Problems

I found something on their site about it, maybe it changed in SP3? None of mine create the IP one now and they are all at SP3. They always did both before though.

The steps above fixed all but one server. I'm still stumped on it, but quitting for the day. I may have to open an SR on it since I've exhausted just about everything at this point. I'm down from 9 not working to just 1 though, so that's pretty good.

Jason

Absent Member.

Re: iPrint Certificate Problems

On 2014-06-12 22:46, kjhurni wrote:
> [kjhurni's reply, quoted in full; see above]

I don't know when exactly it changed, but iManager running on up-to-date
patched OES11SP2 doesn't create or update "SSL CertificateIP" anymore.
That confused me like hell recently, because all the other certs were
updated fine, but "SSL CertificateIP" still listed as "invalid". When
using iManager on our last OES2SP3 server though, it updated all the
certs just fine. So it seems to be related to the iManager/eDir version
involved.

Franz
