webNetwork will not start because AD ssl certificate has expired

The customer restarted webNetwork and now it won't start. It gives errors like:

FATAL (12/23) 11:19:23 [com.stoneware.service.DirectoryManager]: Unable to verify/extend schema.
javax.naming.CommunicationException: simple bind failed: 192.168.1.41:636 [Root exception is java.net.SocketException: Software caused connection abort: recv failed]

If you disable SSL in the Directory Services tab of the 8090 console, webNetwork starts up fine.

The customer also tried using LDP.exe, which also gave a 0x51 error and could not connect.

This means that the root CA certificate on your Microsoft CA server, the CA that issued your AD SSL certificates, has expired. When the CA server is installed, it creates a Root CA Certificate, and that certificate has a 2 year expiration.

Explanation of the Microsoft certificate authority (how to install it, how to renew it, etc.): http://technet.microsoft.com/en-us/library/bb727098.aspx

Some of the errors you will see in the Event Viewer that indicate your SSL certificate has expired:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: 12/23/2010
Time: 6:55:33 PM
User: N/A
Computer: APP1
Description:
The Certificate Services service terminated with service-specific error 2148204801 (0x800B0101).

Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 58
Date: 12/23/2010
Time: 7:19:54 PM
User: N/A
Computer: APP1
Description:
A certificate in the chain for CA certificate 0 for app1ca has expired. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).


Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36872
Date: 12/23/2010
Time: 6:59:53 PM
User: N/A
Computer: APP1
Description:
No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
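A scripted version of this check, added here as an example and not part of the original article: it pulls the three indicator events above from the CA server's logs and keeps only those carrying the CERT_E_EXPIRED code. The log and provider names are assumptions taken from the event sources shown above; newer Windows versions log CertSvc events under the provider Microsoft-Windows-CertificationAuthority, so adjust the filter if nothing is returned.

```powershell
# Added example, not from the original article. Queries the CA server's logs for
# the three indicator events shown above. Assumptions: log/provider names as the
# events list them (newer Windows logs CertSvc under
# "Microsoft-Windows-CertificationAuthority"); PowerShell 3.0+ for -FilterHashtable.
function Get-ExpiredCaIndicators {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # CA server, e.g. APP1 in the article
        [int]$Days = 7                              # how far back to look
    )
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'System';      ProviderName = 'Service Control Manager'; Id = 7024;  StartTime = $since },
        @{ LogName = 'Application'; ProviderName = 'CertSvc';                 Id = 58;    StartTime = $since },
        @{ LogName = 'System';      ProviderName = 'Schannel';                Id = 36872; StartTime = $since }
    )
    foreach ($f in $filters) {
        # 7024 and 58 only count when they carry CERT_E_EXPIRED (0x800B0101 / 2148204801);
        # Schannel 36872 has no error code, so it is reported whenever present.
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue |
            Where-Object { $_.Id -eq 36872 -or $_.Message -match '0x800[bB]0101|2148204801' } |
            Select-Object TimeCreated, ProviderName, Id,
                          @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

# Any rows returned mean the CA certificate has expired; renew it (steps below)
# before restarting webNetwork.
Get-ExpiredCaIndicators | Sort-Object TimeCreated | Format-Table -AutoSize
```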


The following command can be run to decode the error code:

J:\>certutil -error 2148204801
0x800b0101 (-2146762495) -- 2148204801 (-2146762495)
Error message text: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
CertUtil: -error command completed successfully.


To renew the certificate, follow these instructions; for more in-depth details, refer to the following Microsoft instructions: http://technet.microsoft.com/en-us/library/bb727098.aspx


Run mmc.exe
Click on File
Click Add/Remove Snap-in
Click Add
Find Certification Authority
Choose Local computer (if you are on the same server as the CA service)
Click Finish, then Close, then OK
Click the + next to Certification Authority to expand it
You will probably see your server name with a red dot icon, indicating the CA with the problem certificate.
Right-click the root node for the CA (Root CA), point to All Tasks, and then select Renew CA Certificate. This displays the Renew CA Certificate dialog box.
Right-click the root node again, point to All Tasks, and choose Start Service.


Now you should be able to run certutil with -cainfo and get back the proper results, such as the example below:


J:\>certutil -cainfo
Exit module count: 1
CA name: app1ca
Sanitized CA short name (DS name): app1ca
CA type: 0 -- Enterprise Root CA
ENUM_ENTERPRISE_ROOTCA -- 0
CA cert count: 2
KRA cert count: 0
KRA cert used count: 0
CA cert[0]: 4 -- Expired
CA cert[1]: 3 -- Valid
CA cert version[0]: 0 -- V0.0
CA cert version[1]: 0x10001 (65537) -- V1.1
CA cert verify status[0]: 0x800b0101 (-2146762495)
CA cert verify status[1]: 0
CRL[0]: 4 -- Expired
CRL[1]: 3 -- Valid
CRL Publish Status[1]: 5
CPF_BASE -- 1
CPF_COMPLETE -- 4
Delta CRL Publish Status[1]: 6
CPF_DELTA -- 2
CPF_COMPLETE -- 4
DNS Name: app1.stoneware.com
Advanced Server: 0
CertUtil: -CAInfo command completed successfully.

Each DC should be tested using the Microsoft Ldp tool (ldp.exe) to verify that it has obtained a valid SSL certificate. If you are unable to connect to a DC with ldp.exe, that DC should be restarted and retested. Any DC that fails with ldp.exe will cause problems for webNetwork.
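A scripted equivalent of the per-DC ldp.exe test, added here as an example (it is not part of the original article or of the webNetwork product): it opens an SSL connection to port 636 on every domain controller, reads the certificate the DC presents, and builds its chain against the local trust store, so an expired root CA shows up as a chain failure even when the DC's own certificate is still in date. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on a domain-joined host and the account can enumerate DCs; Test-DcLdapsCertificate is a name chosen here.

```powershell
# Added example, not from the original article. Scripted stand-in for the
# "test each DC with ldp.exe" step. Assumes the ActiveDirectory module (RSAT)
# and a domain-joined host; the function name is chosen here.
Import-Module ActiveDirectory

function Test-DcLdapsCertificate {
    param([Parameter(Mandatory = $true)][string]$DcHostName, [int]$Port = 636, [int]$TimeoutMs = 5000)
    $r = [ordered]@{ DC = $DcHostName; Connected = $false; Subject = $null; NotAfter = $null
                     Expired = $null; ChainValid = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($DcHostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect to port $Port timed out" }
        $client.EndConnect($async)
        # Accept whatever the DC sends so the handshake completes; the real
        # validity decision is made below with X509Chain, not by SslStream.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($DcHostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $r.Connected = $true
        $r.Subject   = $cert.Subject
        $r.NotAfter  = $cert.NotAfter
        $now = Get-Date
        $r.Expired   = ($cert.NotAfter -lt $now) -or ($cert.NotBefore -gt $now)
        # Chain build against this machine's trust store: an expired root CA
        # fails here even when the DC's own leaf certificate is still in date.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.ChainValid = $chain.Build($cert)
        if (-not $r.ChainValid) {
            $r.Error = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.Message   # e.g. "Software caused connection abort", as in the article
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$r
}

# Any DC with Connected = False, Expired = True or ChainValid = False is one the
# article says will break webNetwork: fix its certificate (or restart it) and retest.
Get-ADDomainController -Filter * |
    ForEach-Object { Test-DcLdapsCertificate -DcHostName $_.HostName } |
    Format-Table DC, Connected, Expired, ChainValid, NotAfter, Error -AutoSize
```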
