Anonymous_User Absent Member.

ifolder configuration error - please help

I am trying to configure iFolder, and got the following error:

Self-signed X.509 Certificate v3
Issued from: OU=Organizational CA, O=MYTEST_TREE
Issued to: OU=Organizational CA, O=MYTEST_TREE
Valid from: 01/31/2010 01:22:59
Valid until: 01/31/2020 01:22:59


----- ACCEPT LDAP CERTIFICATE -----


Accept LDAP Certificate? :
Done
Connecting to ldaps://192.168.0.7/...Detected errors in the Server Certificate:
-2146762481
-2146762495
Done
Querying for directory type...get directory type


Here I never got the prompt back; I have to press CTRL+C to quit.

Here are the details:
OS: SLES 10 SP3 i586

# cat /etc/hosts

127.0.0.2 gateway.mytest.com gateway mytest MYTEST_TREE

192.168.0.7 gateway.mytest.com gateway mytest MYTEST_TREE

# cat /etc/hosts.nds
MYTEST_TREE. 192.168.0.7

# rcndsd status
Tree Name: MYTEST_TREE
Server Name: .CN=gateway.O=mytest.T=MYTEST_TREE.
Binary Version: 20219.15
Root Most Entry Depth: 0
Product Version: eDirectory for Linux v8.8 SP5 [DS]

Regards
needee
0 Likes
5 Replies
Rachelsdad Absent Member.

Re: ifolder configuration error - please help

needee;1926093 wrote:
> I am trying to configure iFolder, and got the following error:
>
> Self-signed X.509 Certificate v3
> Issued from: OU=Organizational CA, O=MYTEST_TREE
> Issued to: OU=Organizational CA, O=MYTEST_TREE
> Valid from: 01/31/2010 01:22:59
> Valid until: 01/31/2020 01:22:59
>
> ----- ACCEPT LDAP CERTIFICATE -----
>
> Accept LDAP Certificate? :
> Done
> Connecting to ldaps://192.168.0.7/...Detected errors in the Server Certificate:
> -2146762481
> -2146762495
> Done
> Querying for directory type...get directory type



Hmmm... Does this message help at all?

While your cert surely hasn't expired, perhaps there's an old one cached somewhere or something isn't quite right with your new one.

HTH

Lewis G Rosenthal, CNA, CLP, CLE, CWTS Rosenthal & Rosenthal, LLC www.2rosenthals.com
0 Likes
Anonymous_User Absent Member.

Re: ifolder configuration error - please help

Hi, thanks for the help, dear.

>While your cert surely hasn't expired, perhaps there's an old one cached somewhere
This is a fresh install... so the chance of an "old one cached somewhere" is very rare/hard.

>or something isn't quite right with your new one.
So how can I check it? No eDirectory expertise here ;(

I installed the OS from scratch, installed eDirectory with a new/different tree and organization name.

edif:~ # rcndsd status
Tree Name: PKNDS_TREE
Server Name: .CN=edif.O=pknds.T=PKNDS_TREE.
Binary Version: 20219.15
Root Most Entry Depth: 0
Product Version: eDirectory for Linux v8.8 SP5 [DS]

edif:~ # cat /etc/hosts
127.0.0.1 localhost
192.168.0.254 edif.pknds edif

edif:~ # cat /etc/hosts.nds
pknds_tree. 192.168.0.254


edif:~ # certmgr -ssl ldaps://edif.pknds:636
Mono Certificate Manager - version 1.2.6.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2007 Novell. BSD licensed.


Self-signed X.509 Certificate v3
Issued from: OU=Organizational CA, O=PKNDS_TREE
Issued to: OU=Organizational CA, O=PKNDS_TREE
Valid from: 02/01/2010 23:13:30
Valid until: 02/01/2020 23:13:30
Import this certificate into the Trust store ?y

X.509 Certificate v3
Issued from: OU=Organizational CA, O=PKNDS_TREE
Issued to: O=PKNDS_TREE, CN=edif.pknds
Valid from: 02/03/2010 21:13:32
Valid until: 02/03/2012 21:13:32
*** WARNING: Certificate isn't current ***
Import this certificate into the AddressBook store ?y

2 certificates added to the stores.


And the following is the output of /usr/bin/simias-server-setup:


Configuring /var/simias/data/simias/Simias.config...SetupSimias - Done
Configuring /etc/apache2/conf.d/simias.conf...Done
Installing certificate from ldaps://edif.pknds/...
Ldap certificate :

Mono Certificate Manager - version 1.2.6.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2007 Novell. BSD licensed.


Self-signed X.509 Certificate v3
Issued from: OU=Organizational CA, O=PKNDS_TREE
Issued to: OU=Organizational CA, O=PKNDS_TREE
Valid from: 02/01/2010 23:13:30
Valid until: 02/01/2020 23:13:30


----- ACCEPT LDAP CERTIFICATE -----


Accept LDAP Certificate? : Y
Done
Connecting to ldaps://edif.pknds/...Detected errors in the Server Certificate:
-2146762495
Failed

LdapException: (91) Connect Error
System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server.
at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x00000]
at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00000]
at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00000]
at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000]
at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] --- End of inner exception stack trace ---

at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000]
at Novell.Directory.Ldap.LdapResponse.chkResultCode () [0x00000]
at Novell.Directory.Ldap.LdapConnection.chkResultCode (Novell.Directory.Ldap.LdapMessageQueue queue, Novell.Directory.Ldap.LdapConstraints cons, Novell.Directory.Ldap.LdapResponse response) [0x00000]
at Novell.Directory.Ldap.LdapConnection.Bind (Int32 version, System.String dn, System.SByte[] passwd, Novell.Directory.Ldap.LdapConstraints cons) [0x00000]
at Novell.Directory.Ldap.LdapConnection.Bind (Int32 version, System.String dn, System.String passwd, Novell.Directory.Ldap.LdapConstraints cons) [0x00000]
at Novell.Directory.Ldap.LdapConnection.Bind (System.String dn, System.String passwd, AuthenticationTypes authenticationTypes) [0x00000]
at Novell.Directory.Ldap.LdapConnection.Bind (System.String dn, System.String passwd) [0x00000]
at Novell.iFolder.Utility.LdapUtility.Connect () [0x00000]
at Novell.iFolder.SimiasServerSetup.SetupLdap () [0x00000]
at Novell.iFolder.SimiasServerSetup.Configure () [0x00000]
at Novell.iFolder.SimiasServerSetup.Main (System.String[] args) [0x00000]

FAILED

Please help.
0 Likes
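The numbers printed after "Detected errors in the Server Certificate" are signed 32-bit HRESULT values from the Windows trust-provider range, which Mono reuses for certificate errors. As an added example (not part of the original thread, and not iFolder or Mono code), the script below decodes them and checks the validity window of each certificate in certmgr-style output against a clock reading; the sample text is constructed from the output quoted above and the clock values are hypothetical.

```python
import re
from datetime import datetime

# WinTrust HRESULT names for certificate errors (subset relevant here).
CERT_ERRORS = {
    0x800B0101: "CERT_E_EXPIRED: certificate is not within its validity period",
    0x800B0109: "CERT_E_UNTRUSTEDROOT: chain ends in a root that is not trusted",
    0x800B010F: "CERT_E_CN_NO_MATCH: certificate name does not match the host",
}

def decode(code):
    """Map a signed 32-bit value from the error list to (hex, meaning)."""
    hresult = code & 0xFFFFFFFF  # reinterpret the signed int as unsigned
    return "0x%08X" % hresult, CERT_ERRORS.get(hresult, "unknown")

CERT_RE = re.compile(
    r"Issued to:\s*(?P<subject>.+?)\s*\n"
    r"\s*Valid from:\s*(?P<start>[\d/]+ [\d:]+)\s*\n"
    r"\s*Valid until:\s*(?P<end>[\d/]+ [\d:]+)")

def validity_report(certmgr_output, now):
    """Return [(subject, status)] for each certificate block in the output."""
    fmt = "%m/%d/%Y %H:%M:%S"  # month/day/year, as certmgr prints it here
    report = []
    for m in CERT_RE.finditer(certmgr_output):
        start = datetime.strptime(m["start"], fmt)
        end = datetime.strptime(m["end"], fmt)
        status = ("not yet valid" if now < start
                  else "expired" if now > end else "current")
        report.append((m["subject"], status))
    return report

# Constructed sample: the two certificate blocks from the certmgr output above.
SAMPLE = """\
Issued to: OU=Organizational CA, O=PKNDS_TREE
Valid from: 02/01/2010 23:13:30
Valid until: 02/01/2020 23:13:30

Issued to: O=PKNDS_TREE, CN=edif.pknds
Valid from: 02/03/2010 21:13:32
Valid until: 02/03/2012 21:13:32
"""

if __name__ == "__main__":
    for code in (-2146762481, -2146762495):
        print(code, *decode(code))
    # Hypothetical clock reading; the thread does not state the server's time.
    for subject, status in validity_report(SAMPLE, datetime(2010, 2, 3, 12, 0, 0)):
        print(subject, "->", status)
```

In the thread, the run against ldaps://192.168.0.7/ reported both codes, while the run against the hostname edif.pknds reported only -2146762495, alongside certmgr's "Certificate isn't current" warning for the server certificate.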
Rachelsdad Absent Member.

Re: ifolder configuration error - please help

needee;1927556 wrote:

>> While your cert surely hasn't expired, perhaps there's an old one cached somewhere
> This is a fresh install... so the chance of an "old one cached somewhere" is very rare/hard.


"Fresh install" as in...fresh iFolder install or fresh eDirectory install?

>> or something isn't quite right with your new one.
> So how can I check it? No eDirectory expertise here ;(


Have a look here.

> I installed the OS from scratch, installed eDirectory with a new/different tree and organization name.
>
> edif:~ # rcndsd status
> Tree Name: PKNDS_TREE
> Server Name: .CN=edif.O=pknds.T=PKNDS_TREE.
> Binary Version: 20219.15
> Root Most Entry Depth: 0
> Product Version: eDirectory for Linux v8.8 SP5 [DS]
>
> edif:~ # cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.0.254 edif.pknds edif


This all looks fine.

> edif:~ # cat /etc/hosts.nds
> pknds_tree. 192.168.0.254


Hmmm... I'm not sure, as my eDir 8.7.3.9 install on Linux looks different, and looking at a client's 8.8 SP5 install on 64-bit OES2 only includes the IP (no hostname). Still, I doubt this is the issue.

> edif:~ # certmgr -ssl ldaps://edif.pknds:636
> Mono Certificate Manager - version 1.2.6.0
> Manage X.509 certificates and CRL from stores.
> Copyright 2002, 2003 Motus Technologies. Copyright 2004-2007 Novell. BSD licensed.
>
> Self-signed X.509 Certificate v3
> Issued from: OU=Organizational CA, O=PKNDS_TREE
> Issued to: OU=Organizational CA, O=PKNDS_TREE
> Valid from: 02/01/2010 23:13:30
> Valid until: 02/01/2020 23:13:30
> Import this certificate into the Trust store ?y


This, too, should be fine.

> X.509 Certificate v3
> Issued from: OU=Organizational CA, O=PKNDS_TREE
> Issued to: O=PKNDS_TREE, CN=edif.pknds
> Valid from: 02/03/2010 21:13:32
> Valid until: 02/03/2012 21:13:32
> *** WARNING: Certificate isn't current ***
> Import this certificate into the AddressBook store ?y


I guess this is where we're getting tripped up. There's something about the server cert which isn't quite right.

Try going into iManager and reissuing the server cert. Use the option to repair default certificates under Novell certificate services.


> And the following is the output of /usr/bin/simias-server-setup:
>
> Configuring /var/simias/data/simias/Simias.config...SetupSimias - Done
> Configuring /etc/apache2/conf.d/simias.conf...Done
> Installing certificate from ldaps://edif.pknds/...
> Ldap certificate :
>
> Mono Certificate Manager - version 1.2.6.0
> Manage X.509 certificates and CRL from stores.
> Copyright 2002, 2003 Motus Technologies. Copyright 2004-2007 Novell. BSD licensed.
>
> Self-signed X.509 Certificate v3
> Issued from: OU=Organizational CA, O=PKNDS_TREE
> Issued to: OU=Organizational CA, O=PKNDS_TREE
> Valid from: 02/01/2010 23:13:30
> Valid until: 02/01/2020 23:13:30
>
> ----- ACCEPT LDAP CERTIFICATE -----
>
> Accept LDAP Certificate? : Y
> Done
> Connecting to ldaps://edif.pknds/...Detected errors in the Server Certificate:
> -2146762495
> Failed



We're surely not going to get very far after this. It looks like something didn't go right with the original generation of the cert. Try the repair and see if that helps.

For me, this is actually easier on NetWare.

Lewis G Rosenthal, CNA, CLP, CLE, CWTS Rosenthal & Rosenthal, LLC www.2rosenthals.com
0 Likes
Anonymous_User Absent Member.

Re: ifolder configuration error - please help

> I guess this is where we're getting tripped up. There's something about the server cert
> which isn't quite right.

> Try going into iManager and reissuing the server cert. Use the option to repair default
> certificates under Novell certificate services.

> We're surely not going to get very far after this. It looks like something didn't go right
> with the original generation of the cert. Try the repair and see if that helps.


Thanks, dear, I appreciate your efforts. Issue resolved by repairing the certificate 😉

>For me, this is actually easier on NetWare
This is also very simple on Linux via iManager: simply click on Novell Certificate Server > Repair Default Certificate > select the Server.

Do you think it's a bug in 8.8 SP5? Or do you think there is something wrong with the configuration (my mistake)?

Regards
needee
0 Likes
Rachelsdad Absent Member.

Re: ifolder configuration error - please help

needee;1927757 wrote:
>> I guess this is where we're getting tripped up. There's something about the server cert
>> which isn't quite right.
>
>> Try going into iManager and reissuing the server cert. Use the option to repair default
>> certificates under Novell certificate services.
>
>> We're surely not going to get very far after this. It looks like something didn't go right
>> with the original generation of the cert. Try the repair and see if that helps.
>
> Thanks, dear, I appreciate your efforts. Issue resolved by repairing the certificate 😉


Excellent! You're welcome, and I'm glad I could help.

>> For me, this is actually easier on NetWare
> This is also very simple on Linux via iManager: simply click on Novell Certificate Server > Repair Default Certificate > select the Server.


Indeed, yes. My thought was that on NetWare, we have pkidiag, which checks and corrects many issues right at the server console. On Linux, npki, which does *some* of the same things (or perhaps all of them; I just don't know my way around it very well - yet). Also, I'm more familiar with using ConsoleOne for Certificate Server and not the newer iManager functionality.


> Do you think it's a bug in 8.8 SP5? Or do you think there is something wrong with the configuration (my mistake)?


I'm not aware of any issues with 8.8 SP5. My guess would be that *something* happened during the creation of the original cert, but whether that was truly your fault or just an anomaly, who's to say? Hopefully, you won't see the issue again with any of the certs you might generate.

Cheers.

Lewis G Rosenthal, CNA, CLP, CLE, CWTS Rosenthal & Rosenthal, LLC www.2rosenthals.com
0 Likes