03-06-2013 01:17 AM - edited 07-03-2021 11:40 PM
Hello All
I unsuccessfully tried to install a company-signed certificate to Prime Infrastructure 1.3. I do not get an error message when installing it, but even after a server restart it does not get used for the web access. The server is still using its own self-signed one.
I also tried to import our company root cert, but it's also not listed after a successful (read: no error message) import.
Here is what I did to install the signed cert:
cpi1/admin# ncs key importsignedcert cpi1.domain.com_neu.b64 repo defaultRepo
INFO: no staging url defined, using local space. rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing signed certificate for key
cpi1/admin#
You have asked Firefox to connect securely to cpi1.hsr.ch, but we can't confirm that your connection is secure.
After that I reloaded the server, but nothing has changed.
Any ideas on how to troubleshoot this?
The certificate is now actually so broken that I can't access the server anymore in Chrome, IE10 or Firefox. They state "You have asked Firefox to connect securely to cpi1.domain.com, but we can't confirm that your connection is secure." and none of them allow me access to the web interface.
03-06-2013 01:23 AM
Just found this which I'm gonna try now: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud15404
03-06-2013 03:24 AM
It sadly didn't work. I'm now trying to install a self-signed one again, as I can't access the server other than via SSH.
03-06-2013 04:04 AM
The new installation of a self-signed cert worked; I can now access the web interface again.
I tried now to find more information about why the import is not working and actually found something.
While being logged in as root I checked the file /opt/CSCOlumos/logs/keyadmin-0-0.log and found this error which appears while trying to import a signed ca cert. My gut tells me it's iptables once again at fault (like with the not working TFTP).
03/06/13 11:07:54.807 INFO [admin] [main] truststore used is /opt/CSCOlumos/conf/truststore
03/06/13 11:07:54.858 INFO [system] [main] Setting management interface address to x.x.x.x
03/06/13 11:07:54.858 INFO [system] [main] Setting peer server interface address to x.x.x.x
03/06/13 11:07:54.859 INFO [system] [main] Setting client interface address to x.x.x.x
03/06/13 11:07:54.859 INFO [system] [main] Setting local host name to cpi1
03/06/13 11:08:03.062 ERROR [system] [main] THROW
java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:419)
at oracle.jdbc.driver.PhysicalConnection.
at oracle.jdbc.driver.T4CConnection.
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:521)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at com.cisco.server.persistence.util.OracleSchemaUtil.openConnection(OracleSchemaUtil.java:277)
at com.cisco.server.persistence.util.OracleSchemaUtil.dbServerUp(OracleSchemaUtil.java:836)
at com.cisco.packaging.DBAdmin.dbServerUp(DBAdmin.java:1507)
at com.cisco.packaging.WCSAdmin.status(WCSAdmin.java:951)
at com.cisco.packaging.WCSAdmin.status(WCSAdmin.java:856)
at com.cisco.packaging.KeyAdmin.checkServerUp(KeyAdmin.java:476)
at com.cisco.packaging.KeyAdmin.deleteCACertificate(KeyAdmin.java:596)
at com.cisco.packaging.KeyAdmin.runMain(KeyAdmin.java:320)
at com.cisco.packaging.KeyAdmin.main(KeyAdmin.java:632)
Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:375)
at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:422)
at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:678)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:238)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1054)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:308)
... 15 more
Caused by: java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at oracle.net.nt.TcpNTAdapter.connect(TcpNTAdapter.java:209)
at oracle.net.nt.ConnOption.connect(ConnOption.java:123)
at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:353)
... 20 more
But now I can't import my previously signed certificate anymore, because it no longer matches the key for tomcat.
I guess this happened because I issued the "ncs key deletecacert tomcat" command before.
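
The mismatch described in the last post can be checked offline before an import is attempted. The following is an added example, not part of the original thread and not a Prime Infrastructure command: it compares the public key inside a signed certificate with the public key in the CSR or private key it should belong to. The file names, the helper function names and the self-signed stand-in for a CA-signed certificate are assumptions constructed for the demonstration; only standard `openssl` subcommands are used.

```shell
#!/bin/sh
# Added example (not from the thread): check that a signed certificate still
# belongs to the key pair on the server before importing it.

# Print the public key (PEM, SubjectPublicKeyInfo) held in a cert, CSR or private key.
pubkey_pem() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# SHA-256 over that PEM text; fails instead of hashing empty input.
pubkey_fp() {
    pem=$(pubkey_pem "$1" "$2") || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_matches CERT KIND FILE: 0 = same key, 1 = different key, 2 = unreadable input
cert_matches() {
    a=$(pubkey_fp cert "$1") || return 2
    b=$(pubkey_fp "$2" "$3") || return 2
    [ "$a" = "$b" ]
}

# Constructed sample data: old.key/old.csr/signed.crt share one key pair;
# new.key stands for a key regenerated after the CSR was sent for signing.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cpi1.domain.com" \
        -keyout "$1/old.key" -out "$1/signed.crt" 2>/dev/null &&
    openssl req -new -key "$1/old.key" -subj "/CN=cpi1.domain.com" \
        -out "$1/old.csr" 2>/dev/null &&
    openssl genrsa -out "$1/new.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_samples "$d" && {
    cert_matches "$d/signed.crt" csr "$d/old.csr" && echo "signed.crt matches old.csr"
    cert_matches "$d/signed.crt" key "$d/new.key" || echo "signed.crt does NOT match new.key"
}
rm -rf "$d"
```

A return code of 1 from `cert_matches` means the certificate was issued for a different key pair than the one being compared, which is the situation where a new CSR has to be generated and signed again.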