OK, as it happens, SSL certificates expire and you only discover it after a reboot! (I wish there was an easier way to keep up on this, but alas, I have to re-learn certificate management every time it happens!)

(In all examples below, I've masked out the IP address of my server with xx.xx.xx.x and the hostname, where it appears, with myserverFQDN)

We have a Netware SBS 6.5 / SP 5 server, eDirectory 8.7.3.7, with GroupWise 7. After this week's reboot, I lost the following services:

iManager
Secure access to Remote Manager (although I can get there via port 81 without security: http://xxx.xx.xx.xx:81/)
GroupWise (Instant) Messenger
GroupWise WebAccess
Apache
And access to various GroupWise web-based monitors (Post office on port 7181, GWIA on port 9850, MTA on port 7180), etc.

On the console is this telling error:

--------

HTTPSTK: Error 10022 enabling SSL services - SSL Disabled.
HTTPSTK: ListeningThread() on xxx.xx.xx.x:8009 Exiting after Error
--------

and this:

--------

LDAP connectivity not found on ldap://localhost:636
Please load NLDAP and then manually execute command: sys:/tomcat/4/bin/startup


If your server host certificates have change recently, executing
sys:/system/tckeygen.ncf may be needed to restore secure LDAP
connectivity

LDAP connectivity not found on ldap://localhost:636
Please load NLDAP and then manually execute command: sys:/tomcat/4/bin/startup
-config sys:/adminsrv/conf/admin_tomcat.xml

If your server host certificates have change recently, executing
sys:/system/tckeygen.ncf may be needed to restore secure LDAP
connectivity

--------

Apache is not running / cannot run (TCPCON confirms silence on ports 80, 389, 524, 443, 636, 8008, 8009.)


I ran PKIDIAG on the console in "fix" mode, and it reports:

---------------------------------------------------------------------------
PKIDiag 2.78 -- (compiled Jul 18 2005 17:19:11).
(Check the end of the log for the last repair results)
Current Time: Sun Apr 13 17:43:02 2008
User logged-in as: admin.oah.
Fixing mode
Rename and create mode
Rename and create when necessary

--> Server Name = 'THOMAS'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'THOMAS.oah' points to SAS Service object 'SAS Service - THOMAS.oah'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - THOMAS.oah' is backlinked to server 'THOMAS.oah'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - THOMAS.oah'.
--->KMO IP AG xxx\.xx\.x\.xx - THOMAS.oah is linked.
--->KMO SSL CertificateIP - THOMAS.oah is linked.
--->KMO DNS AG [myserverFQDN] - THOMAS.oah is linked.
--->KMO SSL CertificateDNS - THOMAS.oah is linked.
--->KMO messenger - THOMAS.oah is linked.
Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'messenger - THOMAS.oah'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateDNS - THOMAS.oah'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'DNS AG [myserverFQDN] - THOMAS.oah'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateIP - THOMAS.oah'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'IP AG xxx\.xx\.xx\.xx - THOMAS.oah'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.
Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - THOMAS.oah'.
KMO 'IP AG xxx\.xx\.xx\.xx - THOMAS.oah' is linked.
KMO 'SSL CertificateIP - THOMAS.oah' is linked.
KMO 'DNS AG [myserverFQDN] - THOMAS.oah' is linked.
KMO 'SSL CertificateDNS - THOMAS.oah' is linked.
KMO 'messenger - THOMAS.oah' is linked.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: xxx.xx.xx.xx
PROBLEM: The KMO SSL CertificateIP has expired.
--> The KMO SSL CertificateIP's IP Address is: xxx.xx.xx.xx.O=.TULIP.
----> The IP addresses match.
Step 6 failed 35323.

Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 1
Problems fixed: 0
Un-fixable problems found: 0


-------------------------------------------------------

I've run this, rebooted, run it again, rebooted. (At first I had the LDAP issues above; I did run sys:/system/tckeygen.ncf as recommended, and NLDAP is now running. I don't get that error anymore.) I've rebooted since this.

I began reading the docs to troubleshoot SSL certs (namely 10094253: Troubleshooting steps for SSL Certificates, Organizational CA, and Certificate Server), and it turns out the ConsoleOne I've been using day in, day out to manage GroupWise doesn't have the correct snapin to properly create new NDSPI:Key Material objects.

I get the error: "There is no snapin to create this type of object. If you proceed and use the generic object creator, the resulting object may not be usable. Continue?" (I said NO.)

Great. PKIDIAG can't fix this; iManager won't run, and ConsoleOne has no ability to deal with this. (Wow, I wish there was an easier way to more proactively manage certs so they don't bring half your server down.) I would delete the "SSL CertificateIP - THOMAS" that I see at the top of my .ou, but without a reliable way to rebuild/recreate it, I'm a bit gun-shy.

Let's remember, too: Prior to our normal Sunday morning weekly reboot, NOTHING has changed on this server. Last week, all was working wonderfully.

I would of course appreciate any ideas! Many thanks... --michael

--
michael regoli
indiana university bloomington
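The post's wish for a proactive check is the part worth automating: the expired "SSL CertificateIP" KMO only announced itself when HTTPSTK (8009), NLDAP (636) and Apache (443) failed to come up after the reboot. The script below is an added example, not code from the post or from Novell; it uses only the Python standard library. It connects to each of those ports, pulls the leaf certificate in DER form, and reports days to expiry. Two details matter for exactly this failure mode: the TLS context must not verify the certificate (an expired one would abort the handshake), and once verification is off Python's `getpeercert()` returns an empty dict, so the script walks the DER itself to reach `notAfter`. Everything else is an assumption: the port list is taken from the post, `POST_TIME` is PKIDIAG's "Current Time" from the log, the embedded `SAMPLE_DER` is a constructed skeleton with a dummy signature and empty names (enough to exercise the parser, not a real certificate), and a server that only speaks an SSL/TLS version the local OpenSSL refuses will show up as unreachable rather than expired.

```python
"""Audit certificate expiry on the TLS ports the post lost: Apache (443), NLDAP (636), HTTPSTK (8009).
Added example, standard library only. SAMPLE_DER is a constructed DER skeleton with a dummy
signature, not a certificate from any real server."""
import math
import socket
import ssl
from datetime import datetime, timezone

DEFAULT_PORTS = (443, 636, 8009)
# PKIDIAG's "Current Time" from the post, used as a fixed reference for the sample below.
POST_TIME = datetime(2008, 4, 13, 17, 43, 2, tzinfo=timezone.utc)

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, raw):
    """X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s    # RFC 5280 two-digit year rule
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def not_after_from_der(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as an aware datetime."""
    _, cert, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)            # tbsCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)           # [0] EXPLICIT version, or serialNumber for v1
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)       # serialNumber
    _, _, pos = _read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)           # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)      # validity SEQUENCE { notBefore, notAfter }
    _, _, p = _read_tlv(validity, 0)          # notBefore (skipped)
    tag, raw, _ = _read_tlv(validity, p)      # notAfter
    return _parse_time(tag, raw)

def days_left(der, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return math.floor((not_after_from_der(der) - now).total_seconds() / 86400)

def classify(days, warn_days=30):
    return "EXPIRED" if days < 0 else ("WARN" if days <= warn_days else "OK")

def fetch_der_cert(host, port, timeout=5.0):
    """Fetch the server's leaf certificate as DER without validating it.
    CERT_NONE is deliberate: an expired cert would otherwise abort the handshake, and with
    CERT_NONE getpeercert() returns {} so only the binary form still carries the dates.
    Assumption: the server negotiates a TLS version the local OpenSSL still accepts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be set before verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def audit(host, ports=DEFAULT_PORTS, warn_days=30):
    """(port, status, days-or-error) per port; a silent port is reported, not skipped."""
    results = []
    for port in ports:
        try:
            d = days_left(fetch_der_cert(host, port))
            results.append((port, classify(d, warn_days), d))
        except (OSError, ValueError) as e:
            results.append((port, "UNREACHABLE", str(e)))
    return results

def _tlv(tag, content):                       # minimal DER encoder for the constructed sample
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
_VALIDITY = _tlv(0x30, _tlv(0x17, b"060412235959Z") + _tlv(0x17, b"080412235959Z"))
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _ALG + _tlv(0x30, b"")
            + _VALIDITY + _tlv(0x30, b"") + _tlv(0x30, b""))   # v3, serial 1, empty names/SPKI
SAMPLE_DER = _tlv(0x30, _TBS + _ALG + _tlv(0x03, b"\x00" * 17))  # constructed; dummy signature

if __name__ == "__main__":
    import sys
    for port, status, info in audit(sys.argv[1]):
        print(f"{sys.argv[1]}:{port} {status} {info}")
```

Run it as `python certaudit.py myserverFQDN` from any workstation that can reach the server, or drop it in a weekly cron with a warn threshold of 30 days so the Sunday reboot stops being the first notification. Against the constructed sample, `days_left(SAMPLE_DER, POST_TIME)` is -1: the certificate lapsed the evening before the reboot, which is exactly the window the post describes.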