bkelsen

Repair Default Certificates fails - nothing happens


Really simple - discovered that the SSL certificates of the OES2 Linux
server were invalid/expired.
The action in iManager fails, and ndscheck reveals this in the log
file:

Configuring HTTP service... Done
Configuring LDAP service... Failed to configure LDAP service: No access
err=-672
An error has occured while configuring the Novell eDirectory Server.
Please look /var/opt/novell/eDirectory/log/ndsd.log file for more
information.

The instance at /etc/opt/novell/eDirectory/conf/nds.conf is upgraded
successfully.

ERROR: ndsconfig return value = 9.
harald:/etc/sysconfig/novell/ldap_servers # less /var/opt/novell/eDirectory//log/ndscheck.log
.CN=valdemar.OU=SERVICE.O=CFH.T... UP YES 0 m:0 s
ON
+---------------------------------+-------+----------+--------------+---------------+

ERROR -672: Failed to get server background process intervals.
Checking replication delta on the partition...
Maximum replica ring delta "0:2:43 (hh:mm:ss)"
Perishable delta on this server: "0:2:43 (hh:mm:ss)"
Skulk Interval: 0 (mm)

WARNING: Data in the replica ring of the partition ".T=CFHTREE." are
not synchronized for a period greater than the skulk interval 0 min

So ndsrepair -U and -R and -E on both servers were all successful, but
that doesn't solve the problem.

Manual delete of the 2 SSL certificates from iManager is also not
possible - so what's next?

The failing server is Master and CA, so one option is to move the Master
and CA roles to the other server, remove the replica completely and put
it back on again.

To sum things up:
1. We know we have 2 invalid SSL certs
2. Normal methods of recreating these fail (iManager Repair Default
Cert or ndsconfig upgrade)

Would moving the master role be a risk?

Any other easy fix?


--
bkelsen
------------------------------------------------------------------------
bkelsen's Profile: http://forums.novell.com/member.php?userid=9416
View this thread: http://forums.novell.com/showthread.php?t=448048

bkelsen

Re: Repair Default Certificates fails - nothing happens


Looking at the content of the SAS Service Object, it is empty - where it
should reference the "SSL Certificate DNS -<server>"


Anonymous_User

Re: Repair Default Certificates fails - nothing happens

Outside of the errors / problems you're facing, what is the health of your tree? Is time synchronized (ndsrepair -T)? Is replication clean (ndsrepair -E)?

If these things are clean, then check the CA in your tree to see if perhaps it is expired.

bkelsen

Re: Repair Default Certificates fails - nothing happens


ndsrepair -T and ndsrepair -E are clean and the CA tree security object
reports the certs are valid.

Have also done a reboot - and no change in behavior - when manipulating
iPrint objects I get:
java.net.SocketException: Connection reset
IPP Error: 0x1007


Anonymous_User

Re: Repair Default Certificates fails - nothing happens

What happens when you attempt to manually create a certificate? iManager should give you an error if there's a problem, or if there's no problem, the certificate will get created.

bkelsen

Re: Repair Default Certificates fails - nothing happens


OK - The Certificate issue is now solved - it appears there were 2 admin
accounts in the tree, one with rights in one part of the tree and
another with rights in another part of the tree. So using the correct
admin account, of course, the repair, delete and all other actions went
just fine.

HOWEVER - the original issue "java.net.SocketException: Unexpected end
of file from server
IPP Error: 0x1007" when manipulating iPrint objects, and that hadn't
gone away...
Seems restarting the Tomcat service gives a small window where the
error goes away, and then reappears until we restart tomcat again - all
along apache is recording segmentation faults 😞


Anonymous_User

Re: Repair Default Certificates fails - nothing happens

Good to know. That definitely explains the access error.

I don't work with iPrint, so I have no experience to share in that area.

Knowledge Partner

Re: Repair Default Certificates fails - nothing happens


bkelsen;2153126 Wrote:
> OK - The Certificate issue is now solved - it appears there were 2 admin
> accounts in the tree, one with rights in one part of the tree and
> another with rights in another part of the tree. So using the correct
> admin account, of course, the repair, delete and all other actions went
> just fine.
>
> HOWEVER - the original issue "java.net.SocketException: Unexpected end
> of file from server
> IPP Error: 0x1007" when manipulating iPrint objects, and that hadn't
> gone away...
> Seems restarting the Tomcat service gives a small window where the
> error goes away, and then reappears until we restart tomcat again - all
> along apache is recording segmentation faults 😞



These two might help point in the right direction for the iPrint
issue:


'Error: Create Print Manager Failure or unable to manage iPrint using
iManager'
(http://www.novell.com/support/viewContent.do?externalId=7003554&sliceId=1)

'Managing iPrint through iManager does not work on an OES2 SP1 Server
(migrated from NetWare)'
(http://www.novell.com/support/viewContent.do?externalId=7002848&sliceId=1)



-Willem


--
Novell Knowledge Partner (voluntary sysop)

It ain't anything like Harry Potter.. but you gotta love the magic IT
can bring to this world
------------------------------------------------------------------------
magic31's Profile: http://forums.novell.com/member.php?userid=2303
View this thread: http://forums.novell.com/showthread.php?t=448048
