
SSL CertificateIP missing


Ronstid

MIS
Nov 25, 2002
I have 1 tree, in which there are 2 Novell 6 servers. Each server used to have SSL CertificateIP in Console1. I don't know a lot about certificate server, but I do know I haven't been able to use Remote Manager since the one for the read/write replica server disappeared. I tried restoring this from backup, but to no avail. I also tried reinstalling, but get the error:

"There was an error trying to create the Server Certificate. You need to delete the server certificate, if it exists, and start the creation process again. The error code is -603."

Should I try reinstalling from the NetWare 6 CD through NWConfig? If so, where on the CD is Certificate Server located? Any help would be appreciated. Thanks.
 
A 603 could indicate that the schema is hosed.

Try a dsrepair, advanced options, repair local database, repair operational schema. You may need to do this to both servers.

Then try deleting the new certificate and re-create it.

Chris.


 
What does this procedure actually do? Am I taking a chance that neither server will have SSL CertificateIP? Should this be done on the server during peak hours? Thanks.
 
I ran the dsrepair, advanced options, repair local database, repair operational schema as suggested. However, when I try to create the Server Certificate I get the following message:

"There is not a snap-in to create this type of object. If you proceed and use the generic object creator, the resulting object may not be usable."

Where might I find these snap-ins?
 
you may need to download the latest version of NICI from the Novell site

take a deeeep breath, my friend, this is from experience.

i am assuming and hoping that the hosed server does not hold the master copy of the Root partition

if you have the volume data backed up, then do this


from the master server
load dsrepair -a

repair the local database (make sure you have NO errors)

remove the messed up server from the replica ring

repair the local database again

use console one (NWAdmin won't work) and delete the server and all the server-centric objects from the OU that the server was in (Server, the SYS Vol, other Vols, SLP Objects, the server certificate, DNSserverobject DNS_ServerName, DHCP_ServerName etc). DO NOT DELETE THE DHCP Scopes themselves or the NDPS stuff.

Now if you were running DNS and DHCP, use the DNS/DHCP Mgnt Console and remove that server's Authorized Server status from whatever scopes and zones it serviced. Then delete the server object itself. I usually delete their Hostname Records also. If this is in production, appoint another server to host these zones.

now repair the local database of the master server again. MAKE SURE YOU HAVE NO ERRORS. Perform an unattended full repair once you have no errors.

Now reinstall the NetWare server as usual and restore the Volume Data and recreate the DNS and DHCP server objects in the dns/dhcp mgnt console

your DNS/DHCP and NDPS stuff may not work right until time and replicas are in sync. you may get -601 errors when the NDPS Mgr and Broker load. it may take about 20 minutes after the restore. after that, my friend, go get a beer and breathe easy.

-gC-
 
i hit bricks with this same SSL Certificate crap when i changed the IP address of a NetWare 6 server. (a huge undertaking for a seemingly simple task). In my opinion, from where you sit, it is easier just to restore the whole server and its data than to waste time trying to troubleshoot through it.

once again, if you like...download the latest version of the NICI client from the Novell site. You can create the certificates using Console One once you have NICI installed on a workstation.

hopefully you are using at least NW6sp2, right?
 
The problem is not on the server that holds the Master, but on the server with Read/Write replica.

This is the procedure I did today (which I found on Novell's Website):

In the Local database repair, deselect everything but: "Use temporary NDS database during repair"? YES, and "Rebuild operational schema"? YES. See what changes DSRepair is planning on doing to the dib set and select the option to accept the changes or not.

NOTE: To verify that the schema is OK, from the server holding the Master of [Root]:

SET DSTRACE = OFF
SET DSTRACE = +SCHEMA
SET DSTRACE = *SSD
SET DSTRACE = *SSA


Change to the Directory Services screen and verify an ALL PROCESSED = YES. If the response is NO, then address the errors listed.


My schema was okay. All Processed = Yes. DSRepair found 0 errors. From there I was supposed to remove the server certificate, but that step I forgot about. I did more research and decided maybe I could remove the CA and certificates on the master, and recreate it all. I downloaded instructions to do that, but the server will have to be restarted. I thought I would schedule some downtime to do this. Had you tried this step? I believe the original problem came from an accidental deletion of the SSL CertificateIP. It doesn't appear my schema is hosed after all. I value all your opinions of this procedure. Is this something that is worth a shot?
 
personally i would not delete anything from the master server. the only thing i would do is remove the other one from the replica ring and rebuild it (using the steps i typed above). that would take about 2½ hours to do. if the master server isn't broke, i wouldn't try to fix it.

you should still be able to use remote manager
using:

instead of

the only difference is you won't be able to use SSL for protecting the data session
 
also try uninstalling and reinstalling apache, the other web-services, gadgets, and ifolder and see if that reinstalls the ssl certificate (never tried it but worth a shot)
 
Thanks gconnect. I will try the latter, and if it doesn't work, then I'll try the 2 1/2 hour suggestion. I appreciate your help. I'll let you all know the outcome.
 
!!RONSTID!! DO NOT UNINSTALL ANY WEB SERVICES!!!!!

It will not help; the install of those services has nothing to do with the install and config of the Certificate Server. They need the KMO objects to work, but installing them does not create any of your KMO objects (SSL CertificateIP/DNS).

There is a tool on Novell's support web site called PKIDIAG.NLM. You run this on your server and it will scan your SAS object and link as needed, and it will check the KMO objects and create as needed.

The 603 error code means you just don't have the right snap-in. Download ConsoleOne 1.3.5 and then do a search in the Novell Downloadables section in the support site. Search for Snap-ins. You will find a NetWare 6 core snap-in, and an eDirectory 8.6 snap-in (along with a few others). Download these and set up ConsoleOne on your local workstation hard drive (runs faster), then install the snap-ins.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Provogeek
CNE Network+
Experience

Certified nut case
 
THANKS! I'LL DO THIS INSTEAD. I'VE BEEN REALLY BUSY WITH OTHER THINGS, SO I HAVEN'T HAD MUCH TIME TO WORK WITH IT. IT WILL PROBABLY BE TOMORROW. THANKS AGAIN!

THANKS FOR ALL THE INPUT!
 
Thanks to all for the help you have given. I just finished using PKIDIAG.NLM and it worked!

THANK YOU, THANK YOU, THANK YOU!!!!!
 