Hi all,

When I originally installed ZCM (10.0.3, May 2008), I installed it using our external SSL certificate. Now, I am not sure that that was the best choice. Our server is SLES 10 SP2 and ZCM 10.1.3. After updating our server to 10.1.3 from 10.0.3.2 I can no longer upload images to the server as I get a -601 error...excerpt from our novell-pbserv.log

Tue Jul 7 12:06:20 2009 -- [PCGI] done, PROXY_CMD_GET_IMAGE
Tue Jul 7 12:06:23 2009 -- [PCGII] received PROXY_CMD_GET_IMAGE_INFO
Tue Jul 7 12:06:23 2009 -- [PCGII] Image File: /var/opt/novell/zenworks/content-repo/images/HPsp09v8.zmg
, File Time: 18423915792, File Size: 13790949395
Tue Jul 7 12:06:23 2009 -- [PCGII] done PROXY_CMD_GET_IMAGE_INFO
Tue Jul 7 12:06:24 2009 -- [PCRISD] received PROXY_CMD_REQ_SAFEDATA
Tue Jul 7 12:06:24 2009 -- [ZENIMGWEB-CSCKT] Initializing client socket.
Tue Jul 7 12:06:24 2009 -- [ZENIMGWEB-CSCKT] SSL Initialization error; code : 11. Can't read CA list.
Tue Jul 7 12:06:24 2009 -- [ZIMGWEB-OHC] Failed to create socket
Tue Jul 7 12:06:24 2009 -- [GWC] Error opening the socket : -601
Tue Jul 7 12:06:24 2009 -- [PCRISD] GetWorkstationConfig returned: -601
Tue Jul 7 12:06:24 2009 -- [PCRISD] done PROXY_CMD_REQ_SAFEDATA
Tue Jul 7 12:06:24 2009 -- [SCEM] OOB error message, 1843
Tue Jul 7 12:06:24 2009 -- [LC] close connection, 149.143.208.23
Tue Jul 7 12:06:24 2009 -- [ECC] CS
Tue Jul 7 12:19:49 2009 -- [STATS] Updating Stats
Tue Jul 7 12:19:49 2009 -- [ZENIMGWEB-CSCKT] Initializing client socket.
Tue Jul 7 12:19:49 2009 -- [ZENIMGWEB-CSCKT] SSL Initialization error; code : 11. Can't read CA list.

We can download images just fine if they are first upload to our test server that was installed with the internal ZCM certificate and then transferred over to the live server.

Also after updating to 10.1.3 users cannot login using the ZCM icon (little blue Z). We have login disabled in the registry because it would take a machine more than two minutes to login to the desktop. This I assume is because wildcard cert support was dropped in 10.1.3.

Those two issues not being bad enough, our SSL certficate expires at the end of August 2009. We have a new certificate but how do I install it on the server and the clients without touching each device manually? The new cert is a wildcard cert as well. I can get a single server cert from Digicert for free so the DNS of the cert matches the server DNS. Will I have to get this on the clients or will it just get pushed automatically because the Root CA is not changing?

Will inventory break when the SSL cert expires? Will end users get error messages from the Agent?

Thanks for any hints you can give me!

Brian Payne

bpayne@mvnu.edu