I am moving my website over to a different server: NW6.5SP7 running Apache2.0.59. The other server died. I have remade a certificate authority, ran pkidiag with no errors and ran tckeygen.ncf without errors. I verified the certificates created and they came back valid.

In the httpd.conf file, if I remark the statement:

#SecureListen 10.185.89.254:443 "SSL CertificateDNS"

then apache2 loads. Otherwise, I get an error and it fails to load:

[Tue Sep 07 16:48:06 2010] [crit] (10043)Unknown error: make_secure_socket: failed to get a socket for address 10.185.89.254 port 443
Configuration Failed

If I remark the statement, then I can run admsrvup and it will start and say it is listening on port 443, but if I try to access it in a web browser, I get:

Secure Connection Failed
An error occurred during a connection to 10.185.89.254.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
* The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
* Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

I have been reading various articles, etc. but I haven't found a fix. My website will show up, but I can't change any configurations or what home page shows, etc., which I do by accessing the admin server. Thanks for any help.

--
Coziroyc
------------------------------------------------------------------------
Some things here:

1. In what httpd.conf did you rem out? In \\server\sys\apache2\conf? If so, that only applies to the main webserver and not the admin instance.

Let's leave out your admin server for a second and try to get the main apache instance started. Try renaming "SSL CertificateDNS" and "SSL CertificateIP", then rerun PKIDIAG to recreate them. Does Apache2 load then?

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)

Novell has a new enhancement request system, or what is now known as the requirement portal. If customers would like to give input in the upcoming releases of Novell products then they should go to http://www.novell.com/rms
I did it in the folder you mentioned: \\server\sys\apache2\conf. I deleted the certificates mentioned and then ran PKIDIAG and it recreated them with no errors, just before I started this post. I have two servers, each had these two certificates created for it. Do I need to change the name in the Conf file so that it matches exactly? I am not at the server right now, but in ConsoleOne I believe the certificate is called "SSL CertificateDNS -JHS_Web" for the server that I am working on. I can't say I fully understand all the security stuff, so forgive me for my ignorance.

--
Coziroyc
------------------------------------------------------------------------
Coziroyc's Profile: http://forums.novell.com/member.php?userid=30585
View this thread: http://forums.novell.com/showthread.php?t=420318
Coziroyc,

> Do I need to change the name in the Conf file so that it matches exactly. I am not
> at the server right now, but in console 1 I believe the certificate is
> called "SSL CertificateDNS -JHS_Web" for the server that I am working on.
> I can't say I fully understand all the security stuff, so forgive me
> for my ignorance.

No. The line should read

SecureListen x.x.x.x:443 "SSL CertificateDNS"

And the certificate used then will be the one that is called "SSL CertificateDNS -JHS_Web" in ConsoleOne if this server is named "JHS_Web".

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
> No. The line should read
> SecureListen x.x.x.x:443 "SSL CertificateDNS"

That is what my line looks like. I thought I would also mention that I am running NetStorage and it lets me log in (or any user) and see files, but I can not actually open them or upload new files. I can just file scan the files that are there. I am concerned if the problem is related to LDAP or some other feature. Is there anything else I need to verify that it is working?

--
Coziroyc
Coziroyc,

> I thought I would also mention that I am running Netstorage and it lets
> me log in (or any user) and see files, but I can not actually open them
> or upload new files. I can just file scan the files that are there.

That could be totally unrelated, possibly fixed by installing SP8, but we need to fix that SSL issue first. You mention a server that died. It did not happen to be the Certificate Authority?

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
Yes, I deleted and recreated the certificate authority along with the W0 object and KAP container. I am pretty sure I did more than I should, but I got rid of errors when running tckeygen.ncf, pkidiag, and sdidiag eventually.

--
Coziroyc
Coziroyc,

> I am pretty sure I did more than I should, but
> I got rid of errors when running tckeygen.ncf, pkidiag, and sdidiag
> eventually.

OK. So it is sorted now?

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
> So it is sorted now?

I don't know what you mean. I still can't get my admin server to listen to port 443.

--
Coziroyc
Coziroyc,

> I don't know what you mean. I still can't get my admin server to listen
> to port 443.

OK. But does Apache proper, i.e. not the admin instance, listen on 443 now?

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
If I add the line:

Listen 10.185.89.254:443

then Apache proper will listen on 443.

--
Coziroyc
Coziroyc,

> If I add the line: Listen 10.185.89.254:443
> then Apache proper will listen on 443.

OK. So then your cert is OK. Let's look at the admin server then. sys:adminserv/conf/adminserv.conf has a similar line:

SecureListen x.x.x.x:2200 "SSL CertificateDNS"

Note that the port is different. Does it have the same certificate as you have for apache proper? What happens when you try loading it? (admsrvup.ncf)

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
Here are my current listen statements:

In apache2\conf\httpd.conf

Listen 10.185.89.254:80
#Listen 10.185.89.254:2200
#Listen 10.185.89.254:443
#SecureListen 10.185.89.254:443 "SSL CertificateDNS"

In adminsrv\conf\adminserv.conf

Listen 10.185.89.254:443
#SecureListen 10.185.89.254:2200 "SSL CertificateIP"
#SecureListen 10.185.89.254:2200 "SSL CertificateDNS"
#Listen 10.185.89.252:2200

I can get the admin server to listen in this configuration. I was unable to in every other combination of remarking the other listen statements listed. The securelisten in the admin server originally was the 2nd statement, so I added the third statement to see if it worked, but it didn't.

--
Coziroyc
Coziroyc,

> I can get the admin server to listen in this configuration.

So you can get it to listen on 443, but not port 2200. That tells us that something else is listening on port 2200. Look in tcpcon.

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
I'm new to tcpcon but I think I figured out how to check ports. I didn't see 2200 listed, but there were places where instead of a port #, it gave a protocol name such as ncp, ldap, ldaps, ftp, http, https, etc. Is there a protocol name that would be associated with port 2200? Also, is port 2200 essential or can I work around it another way?

--
Coziroyc
Coziroyc,

> I'm new to tcpcon but I think I figured out how to check ports. I didn't
> see 2200 listed, but there were places where instead of a port #, it
> gave a protocol name such as ncp, ldap, ldaps, ftp, http, https, etc. Is
> there a protocol name that would be associated with port 2200? Also, is
> port 2200 essential or can I work around it another way?

Hit TAB to change the display and no, AFAIK you could have it on any port.

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
Anders,

Anders Gustafsson wrote:
>
> Coziroyc,
> > I can get the admin server to listen in this configuration.
> >
> So you can get it to listen on 443, but not port 2200. That tells us
> that something else is listening on port 2200. Look in tcpcon

No, it tells us that most likely his certs are still broken, because he didn't use SECURELISTEN for port 443, but a regular LISTEN statement. Just specifying 443 doesn't in any way mean it's doing SSL.

On top, the whole port config is completely messed up. The Admin instance is *NOT* supposed to listen on 443 at all, that's reserved for Apache proper. The Admin Instance listens via SSL on 2200 and cleartext on 2211. So the only correct statements in adminserv.conf are:

Listen 10.185.89.254:2211
SecureListen 10.185.89.254:2200 "SSL CertificateIP"

With no other Listen or SecureListen active.

On top, it would be helpful and would have cleared this up long ago, when we'd get answers to the questions what exactly happens when he attempts to load it. Last but not least, Apache even writes pretty helpful error logs...;)

CU,
--
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de
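Massimo's post above gives the intended split: Apache proper on 80 and 443 (SSL), the admin instance on 2211 (cleartext) and 2200 (SSL), with every SSL port carried by a SecureListen that names a certificate. The following is an added example, not code from the thread or from Novell, that parses the two conf fragments Coziroyc posted and reports exactly those deviations, including a cleartext Listen on an SSL port and two instances claiming the same socket; the file names, the expected port map and the sample input are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the Listen/SecureListen lines of the two conf
# files exactly as posted in the thread (remarked-out lines included).
HTTPD_CONF = """\
Listen 10.185.89.254:80
#Listen 10.185.89.254:2200
#Listen 10.185.89.254:443
#SecureListen 10.185.89.254:443 "SSL CertificateDNS"
"""
ADMINSERV_CONF = """\
Listen 10.185.89.254:443
#SecureListen 10.185.89.254:2200 "SSL CertificateIP"
#SecureListen 10.185.89.254:2200 "SSL CertificateDNS"
#Listen 10.185.89.252:2200
"""

# Port ownership as laid out in the thread (file names are assumed): Apache
# proper owns 80 (cleartext) and 443 (SSL); the admin instance owns 2211/2200.
EXPECTED = {
    "httpd.conf": {80: "Listen", 443: "SecureListen"},
    "adminserv.conf": {2211: "Listen", 2200: "SecureListen"},
}
DIRECTIVE = re.compile(r'^\s*(Listen|SecureListen)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)'
                       r'(?:\s+"([^"]*)")?\s*$', re.IGNORECASE)


def parse_listeners(text):
    """Return the active (uncommented) directives as (kind, addr, port, cert)."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # remarked out, Apache ignores it
        m = DIRECTIVE.match(line)
        if m:
            kind, addr, port, cert = m.groups()
            kind = "SecureListen" if kind.lower() == "securelisten" else "Listen"
            found.append((kind, addr, int(port), cert))
    return found


def lint(confs):
    """Flag the misconfigurations discussed in the thread; returns a list of strings."""
    problems = []
    owners = defaultdict(list)  # (addr, port) -> files that bind it
    for fname, text in confs.items():
        expected, active = EXPECTED[fname], parse_listeners(text)
        for kind, addr, port, cert in active:
            owners[(addr, port)].append(fname)
            if kind == "SecureListen" and not cert:
                problems.append(f"{fname}: SecureListen on {port} names no certificate")
            if port not in expected:
                problems.append(f"{fname}: port {port} is not for this instance")
            elif expected[port] != kind:
                # A plain Listen on an SSL port answers a TLS ClientHello with HTTP,
                # which the browser reports as ssl_error_rx_record_too_long.
                problems.append(f"{fname}: port {port} should be {expected[port]}, not {kind}")
        for port, kind in expected.items():
            if port not in {p for _, _, p, _ in active}:
                problems.append(f"{fname}: nothing listening on {port} ({kind})")
    for (addr, port), files in owners.items():
        if len(files) > 1:  # both instances trying to bind the same socket
            problems.append(f"{addr}:{port} claimed by " + ", ".join(files))
    return problems
```

Running `lint({"httpd.conf": HTTPD_CONF, "adminserv.conf": ADMINSERV_CONF})` on the posted fragments reports the admin instance sitting on 443 and nothing at all on 443, 2200 or 2211 where it belongs; Massimo's corrected pair of lines yields an empty list.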
Anything higher than port 1024 is not defined and can be used by anything, thus no name is associated - unless you define it yourself, in the protocols file.

--
Peter
eDirectory Rules!
http://www.DreamLAN.com
Massimo Rosen,

> No, it tells us that most likely his certs are still broken, because he
> didn't use SECURELISTEN for port 443, but a reular LISTEN statement.
> Just specifying 443 doesn't in any way mean it's doing SSL

Arrggh.. I missed that, but his certificates should be OK as Apache proper is able to load and listen on 443... No, dang.. If I look back at the message, he did specify just "listen" there as well. Not good.

So, let's start all over again. Poster says he has run PKIDIAG to recreate the certificates. Possibly the CA was gone, because a server died. So I ask the OP:

1. Is there a certificate server in the tree? Look in C1, under the Security container, there should be a CA object (NDSPKI:Certificate authority). What does it have for "Host Server"? Does that server exist?

2. You say you recreated the CA. Did you run PKIDIAG after that?

3. Add a SecureListen directive to Apache proper. Does it load? If not, what exact error do you see? Make sure nothing else is listening on that address and 443.

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
Peter,

Peter Kuo wrote:
> the protocols file.

Make that sys:\etc\services. ;)

CU,
--
Massimo Rosen
I ran pkidiag diagnostic mode again, it said no errors. I ran it in fix mode after recreating the certificate authority until I received no errors. The CA object lists the correct server as the host server. It is the same server as this web server.

If I try to load Apache2 with the secure listen statement it fails to listen. The error log says:

[Fri Sep 17 09:28:47 2010] [crit] (10043)Unknown error: make_secure_socket: failed to get a socket for address 10.185.89.254 port 443
Configuration Failed

--
Coziroyc
Coziroyc,

> make_secure_socket: failed to get a socket for address 10.185.89.254
> port 443
> Configuration Failed

Try: http://groups.google.com/group/novell.support.netware.webserver/browse_thread/thread/6a6b0fa9d7a04e08/bcce624f9efd025e?lnk=st&q=%5Bcrit%5D+(10043)Unknown+error%3A+make_secure_socket+nile.nlm#bcce624f9efd025e

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
Nile.nlm is not listed in sys:\system. I found it in a backup folder that was created when I installed sp7.

--
Coziroyc
Coziroyc,

> Nile.nlm is not listed in sys:\system. I found it in a backup folder
> that was created when I installed sp7.

Strange, it should be there and loaded. Does it work if you load it?

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
I found it on this server here: NW65SP7\STARTUP\nile.nlm. Do you want me to delete it out of this folder? Nile says it loads when I type Nile.nlm at the server console.

--
Coziroyc
I edited autoexec.ncf to include the path to nile.nlm; sys:\nw65sp7\startup\nile.nlm along with

load httpstk.nlm /ssl /keyfile:"SSl CertificateIP"

and I now can get apache2 and admsrvup to load with the securelisten statements. I can go to https://my website now, although I didn't get a login yet, but I think I am closer. I am guessing since my nile.nlm was in a different location, it never loaded properly. I do not know why it is located where it is, but I think I am finally making progress. I also used this cool solution: 'Cool Solutions: Troubleshooting Certificate Server Problems' (http://www.novell.com/coolsolutions/tip/5910.html)

Thanks for all the help. Hopefully, I can get to where it produces a login when I go to the https site. That still doesn't happen, but I will report back with any other info in case it helps someone else.

--
Coziroyc
Coziroyc,

> Thanks for all the help. Hopefully, I can get to where it produces a
> login when I go to the https site. That still doesn't happen, but I will
> report back with any other info in case it helps someone else.

Please do. That Nile problem is extremely rare. I have only seen it a handful of times.

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
I tried to change

load httpstk.nlm /ssl /keyfile:"SSl CertificateIP"

to

load httpstk.nlm

in autoexec.ncf and I was not able to upload files through NetStorage after restarting the server. I put it back with the extra switches and everything works again after server restart. Don't know what this means, but thought it might be useful to someone.

--
Coziroyc
Coziroyc,

> I tried to change load httpstk.nlm /ssl /keyfile:"SSl CertificateIP" to
> load httpstk.nlm in autoexec.ncf and I was not able to upload files
> through Netstorage after restarting the server. I put it back with the
> extra switches and everything works again after server restart. Don't
> know what this means, but thought it might be useful to someone.

NetStorage and httpstk are separate entities. Sounds like you have a port conflict between the two. Why would you load httpstk without parameters?

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
I guess I didn't realize before it needed them. The cool solution where I found these parameters was the first time I saw parameters used. I just now searched httpstk.nlm and found other instances stating those parameters, but my other searches didn't say anything about them. I guess I am a 1/2 time tech with just enough knowledge of Novell to be dangerous.

--
Coziroyc
Coziroyc,

> I am a 1/2 time tech with just enough knowledge of Novell to be
> dangerous.

OK :) So all is working now?

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)
Yes. Everything is fine now. Thanks again for the help.

--
Coziroyc