I am moving my website over to a different server: NW6.5SP7 running
Apache2.0.59. The other server died. I have remade a certificate
authority, ran pkidiag with no errors and ran tckeygen.ncf without
errors. I verified the certificates created and they came back valid. In
the httpd.conf file, if I remark the statement: #SecureListen
10.185.89.254:443 "SSL CertificateDNS" then apache2 loads. Otherwise, I
get an error and it fails to load:
[Tue Sep 07 16:48:06 2010] [crit] (10043)Unknown error:
make_secure_socket: failed to get a socket for address 10.185.89.254
port 443
Configuration Failed

If I remark the statement, then I can run admsrvup and it will start
and say it is listening on port 443, but if I try to access it in a web
browser, I get
Secure Connection Failed
An error occurred during a connection to 10.185.89.254.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
*   The page you are trying to view can not be shown because the
authenticity of the received data could not be verified.
*   Please contact the web site owners to inform them of this
problem. Alternatively, use the command found in the help menu to report
this broken site.
I have been reading various articles, etc. but I haven't found a fix.
My website will show up, but I can't change any configurations or what
home page shows, etc. which I do by accessing the admin server.
Thanks for any help.


-- 
Coziroyc
------------------------------------------------------------------------

Some things here:

1. In what httpd.conf did you rem out? In \\server\sys\apache2\conf. If 
so, that only applies to the main webserver and not the admin instance.

Let's leave out your admin server for a second and try to get the main 
apache instance started. Try renaming "SSL CertificateDNS" and "SSL 
CertificateIP", then rerun PKIDIAG to recreate them.

Does Apache2 load then?

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

I did it in the folder you mentioned: \\server\sys\apache2\conf. 

I deleted the Certificates mentioned and then ran PKIDIAG and it
recreated them with no errors, just before I startted this post. I have
two servers, each had these two certificates created for it. Do I need
to change the name in the Conf file so that it matches exactly. I am not
at the server right now, but in console 1 I believe the certificate is
called "SSL CertificateDNS -JHS_Web"for the server that I am working on.
I can't say I fully understand all the security stuff, so  forgive me
for my ignorance.


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> Do I need
> to change the name in the Conf file so that it matches exactly. I am not
> at the server right now, but in console 1 I believe the certificate is
> called "SSL CertificateDNS -JHS_Web"for the server that I am working on.
> I can't say I fully understand all the security stuff, so  forgive me
> for my ignorance.

No. The line should read 
SecureListen x.x.x.x:443 "SSL CertificateDNS"

And the certificate used then will be the one that is called "SSL 
CertificateDNS -JHS_Web" in ConsoleOne if this server is named "JHS_Web"

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

>No. The line should read
>SecureListen x.x.x.x:443 "SSL CertificateDNS"
That is what my line looks like. 

I thought I would also mention that I am running Netstorage and it lets
me log in (or any user) and see files, but I can not actually open them
or upload new files. I can just file scan the files that are there.

I am concerned if the problem is related to LDAP or some other feature.
Is there anything else I need to verify that it is working?


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> I thought I would also mention that I am running Netstorage and it lets
> me log in (or any user) and see files, but I can not actually open them
> or upload new files. I can just file scan the files that are there.
>
That could be totally unrelated, possibly fixed by installing SP8, but we 
need to fix that SSL issue first. You mention a server that died. It did 
not happen to be the Certificate Authority?



- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

Yes, I deleted and recreated the certificate authority along with the w0
object and kap container. I am pretty sure I did more than I should, but
I got rid of errors when running tckeygen.ncf, pkidiag, and sdidiag
eventually.


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> I am pretty sure I did more than I should, but
> I got rid of errors when running tckeygen.ncf, pkidiag, and sdidiag
> eventually.
>
OK. So it is sorted now?

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

>So it is sorted now?

I don't know what you mean. I still can't get my admin server to listen
to port 443.


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> I don't know what you mean. I still can't get my admin server to listen
> to port 443.
>
OK. But does Apache proper, ie not the admin instance listen on 443 now?

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

If I add the line:   Listen 10.185.89.254:443
then Apache proper will listen on 443.


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> If I add the line:   Listen 10.185.89.254:443
> then Apache proper will listen on 443.
>
OK. So then your cert is OK. Let's look at the admin server then.

Sys:adminservv/conf/adminserv.conf has a similar line:
SecureListen x.x.x.x:2200 "SSL CertificateDNS"

Note that the port is different. Does it have the same certificate as 
you have for apache proper? What happens when you try loading it? 
(admsrvup.ncf)

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

Here is my current listen statements:
In apache2\conf\httpd.conf

Listen 10.185.89.254:80
#Listen 10.185.89.254:2200       
#Listen 10.185.89.254:443
#SecureListen 10.185.89.254:443 "SSL CertificateDNS"

In adminsrv\conf\adminserv.conf

Listen 10.185.89.254:443
#SecureListen 10.185.89.254:2200 "SSL CertificateIP"
#SecureListen 10.185.89.254:2200 "SSL CertificateDNS"
#Listen 10.185.89.252:2200

I can get the admin server to listen in this configuration. I was
unable to in every other combination of remarking the other listen
statements listed. The securelisten in the admin server originally was
the 2nd statement, so I added the third statement to see if it worked,
but it didn't.


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> I can get the admin server to listen in this configuration.
>
So you can get it to listen on 443, but not port 2200. That tells us 
that something else is listening on port 2200. Look in tcpcon

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

I'm new to tcpcon but I think I figured out how to check ports. I didn't
see 2200 listed, but there were places where instead of a port #, it
gave a protocol name such as ncp, ldap, ldaps, ftp, http, https, etc. Is
there a protocol name that would be associated with port 2200? Also, is
port 2200 essential or can I work around it another way?


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> I'm new to tcpcon but I think I figured out how to check ports. I didn't
> see 2200 listed, but there were places where instead of a port #, it
> gave a protocol name such as ncp, ldap, ldaps, ftp, http, https, etc. Is
> there a protocol name that would be associated with port 2200? Also, is
> port 2200 essential or can I work around it another way?
>
Hit TAB to change the display and no, AFAIK you could have it on any port.

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

Anders,

Anders Gustafsson wrote:
> 
> Coziroyc,
> > I can get the admin server to listen in this configuration.
> >
> So you can get it to listen on 443, but not port 2200. That tells us
> that something else is listening on port 2200. Look in tcpcon

No, it tells us that most likely his certs are still broken, because he
didn't use SECURELISTEN for port 443, but a reular LISTEN statement.
Just specifying 443 doesn't in any way mean it's doing SSL.

On top, the whole port config is completely messed up. The Admin
instance is *NOT* supposed to listen on 443 at all, that's reserved for
Apache proper. The Admin Instance listens via SSL on 2200 and cleartext
on 2211. So the only correct statements in adminserv.conf is:

Listen 10.185.89.254:2211
SecureListen 10.185.89.254:2200 "SSL CertificateIP"

With no other Listen or SecureListen active.

On top, it would be helpful and had cleared this up long ago, when we'd
get answers to the questions what exactly happens when he attempts to
load it. Last but not least, Apache even writes pretty helpful error
logs...;)

CU,
-- 
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de

Anything higher than port 1024 are not defined and can be used by 
anything, thus no name is associated - unless you define it yourself, in 
the protocols file.


-- 


Peter
eDirectory Rules!
http://www.DreamLAN.com

Massimo Rosen,
> No, it tells us that most likely his certs are still broken, because he
> didn't use SECURELISTEN for port 443, but a reular LISTEN statement.
> Just specifying 443 doesn't in any way mean it's doing SSL
>
Arrggh.. I Missed that, but his certificates should be OK as Apache 
proper is able to load and listen on 443... No, Dang.. If I look back at 
the message, he did specify just "listen" there as well. Not good.

So, let's start all over again. Poster says he has run PKIDIAG to 
recreate the certificates. Possibly the CA was gone, because a server 
died. So I ask the OP:

1. Is there a certificate server in the tree? Look In C1, under the 
Security container, there should be a CA object (NDSPKI:Certificate 
authority). What does it have for "Host Server"? Does that server exist?

2. You say you recreated the CA. Did you run PKIDIAG after that?

3. Add a secureListen directive to Apache proper. Does it load, if not, 
what exact error do you see? Make sure nothing else is listening on that 
address and 443.

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

Peter,

Peter Kuo wrote:

> the protocols file.

Make that sys:\etc\services. ;)

CU,
-- 
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de

I ran pkidiag diagnostic mode again, it said no errors. I ran it in fix
mode after recreating the certificate authority until I received no
errors. The CA object lists the correct server as the host server. It is
the same server as this web server. If I try to load Apache2 with the
secure listen statement it fails to listen. The error log says

[Fri Sep 17 09:28:47 2010] [crit] (10043)Unknown error:
make_secure_socket: failed to get a socket for address 10.185.89.254
port 443
Configuration Failed


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> make_secure_socket: failed to get a socket for address 10.185.89.254
> port 443
> Configuration Failed
>
Try:
http://groups.google.com/group/novell.support.netware.webserver/browse_thread/thread/6a6b0fa9d7a04e08/bcce624f9efd025e?lnk=st&q=%5Bcrit%5D+(10043)Unknown+error%3A+make_secure_socket+nile.nlm#bcce624f9efd025e

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

Nile.nlm is not listed in sys:\system. I found it in a backup folder
that was created when I installed sp7.


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> Nile.nlm is not listed in sys:\system. I found it in a backup folder
> that was created when I installed sp7.
>
Strange, it sholuld be there and loaded. Does it work if you load it?

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

I found it on this server here: NW65SP7\STARTUP\nile.nlm. Do you want me
to delete it out of this folder? Nile says it loads when I type Nile.nlm
at the server console.


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

I edited autoexec.ncf to include the path to nile.nlm;
sys:\nw65sp7\startup\nile.nlm along with load httpstk.nlm /ssl
/keyfile:"SSl CertificateIP" and I now can get apache2 and admsrvup to
load with the securelisten statements. I can go to https://my website
now, although I didn't get a login yet, but I think I am closer. I am
guessing since my nile.nlm was in a different location, it never loaded
properly. I do not know why it is located where it is, but I think I am
finally making progress.

I also used this cool solution: 'Cool Solutions: Troubleshooting
Certificate Server Problems'
(http://www.novell.com/coolsolutions/tip/5910.html)

Thanks for all the help. Hopefully, I can get to where it produces a
login when I go to the https site. That still doesn't happen, but I will
report back with any other info in case it helps someone else.


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> Thanks for all the help. Hopefully, I can get to where it produces a
> login when I go to the https site. That still doesn't happen, but I will
> report back with any other info in case it helps someone else.
>
Please do. That Nile-problem is extremely rare. I have only seen it a 
handful times.

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

I tried to change load httpstk.nlm /ssl /keyfile:"SSl CertificateIP" to
load httpstk.nlm in autoexec.ncf and I was not able to upload files
through Netstorage after restarting the server. I put it back with the
extra switches and everything works again after server restart. Don't
know what this means, but thought it might be useful to someone.


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> I tried to change load httpstk.nlm /ssl /keyfile:"SSl CertificateIP" to
> load httpstk.nlm in autoexec.ncf and I was not able to upload files
> through Netstorage after restarting the server. I put it back with the
> extra switches and everything works again after server restart. Don't
> know what this means, but thought it might be useful to someone.

NetStorage and httpstk are separate entities. Sounds like you have a port 
conflict between the two. Why would you load httpstk without parameters?

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

I guess I didn't realize before it needed them. The cool solution where
I found these parameters was the first time I saw parameters used. I
just now searched httpstk.nlm and found other instances stating those
parameters, but my other searches didn't say anything about them. I
guess, I am a 1/2 time tech with just enough knowledge of Novell to be
dangerous.


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318

Coziroyc,
> I am a 1/2 time tech with just enough knowledge of Novell to be
> dangerous.
>
OK :) So all is working now?

- Anders Gustafsson  (Sysop)
  The Aaland Islands (N60 E20)


Novell has a new enhancement request system, 
or what is now known as the requirement portal.
If customers would like to give input in the upcoming 
releases of Novell products then they should go to
http://www.novell.com/rms

Yes. Everything is fine now. Thanks again for the help.


-- 
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318