webNetwork will not start because AD SSL certificate has expired

Customer restarted webNetwork and now it won't start. It gives errors like:

FATAL (12/23) 11:19:23 [com.stoneware.service.DirectoryManager]: Unable to verify/extend schema.
javax.naming.CommunicationException: simple bind failed: 192.168.1.41:636 [Root
exception is java.net.SocketException: Software caused connection abort: recv failed]

If you disable SSL in the Directory Services tab of the 8090 management console, then it starts up fine.

Customer also tried using LDP.exe, and that also gave a 0x51 error and could not connect.

This means that the root CA certificate on your Microsoft CA server has expired. When the CA server is installed, it creates a Root CA certificate, and that certificate has a 2-year expiration.

Microsoft's explanation of the Certificate Authority (how to install it, how to renew it, etc.): http://technet.microsoft.com/en-us/library/bb727098.aspx

Some of the errors you will see in the Event Viewer that indicate your SSL certificate has expired:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: 12/23/2010
Time: 6:55:33 PM
User: N/A
Computer: APP1
Description:
The Certificate Services service terminated with service-specific error 2148204801 (0x800B0101).

Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 58
Date: 12/23/2010
Time: 7:19:54 PM
User: N/A
Computer: APP1
Description:
A certificate in the chain for CA certificate 0 for app1ca has expired. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).


Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36872
Date: 12/23/2010
Time: 6:59:53 PM
User: N/A
Computer: APP1
Description:
No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
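The three Event Viewer entries above can be pulled out of the logs with a short script instead of scrolling through Event Viewer by hand. The following PowerShell is an added example and not part of the original article; it assumes that the Service Control Manager and Schannel events land in the System log and the CertSvc event in the Application log, and that it is run in an elevated session on the CA or domain controller.

```powershell
# Added example, not part of the original KB article: look for the three
# Event Viewer entries the article associates with an expired CA certificate.
# Assumptions (not stated in the article): 7024 and 36872 are in the System
# log and CertSvc 58 is in the Application log; run elevated on the CA / DC.

function Find-ExpiredCaCertEvents {
    param([int] $Days = 30)

    # (Provider, Id) pairs taken from the article, with what each one means.
    $signatures = @(
        @{ Provider = 'Service Control Manager'; Id = 7024;  Meaning = 'Certificate Services stopped with 0x800B0101 (CERT_E_EXPIRED)' }
        @{ Provider = 'CertSvc';                 Id = 58;    Meaning = 'A certificate in the CA chain has expired' }
        @{ Provider = 'Schannel';                Id = 36872; Meaning = 'No valid server credential; LDAPS (636) connections will be dropped' }
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System', 'Application'
        Id        = @($signatures | ForEach-Object { $_.Id })
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue   # "no events found" is reported as an error; treat it as empty

    foreach ($e in $events) {
        $sig = $signatures | Where-Object { $_.Provider -eq $e.ProviderName -and $_.Id -eq $e.Id }
        if (-not $sig) { continue }                       # same Id from an unrelated provider
        # 7024 is a generic "service stopped" event; only the 0x800B0101 variant is relevant here.
        if ($e.Id -eq 7024 -and $e.Message -notmatch '0x800B0101|2148204801') { continue }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            Source   = $e.ProviderName
            Id       = $e.Id
            Meaning  = $sig.Meaning
            Message  = ($e.Message -split "`r?`n")[0]     # first line only, for a compact table
        }
    }
}

# Usage: list matching events from the last 30 days, oldest first.
Find-ExpiredCaCertEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The 7024 filter on the 0x800B0101 / 2148204801 code matters because the Service Control Manager logs that event ID for any service that stops with a service-specific error; without it the query would also return unrelated service failures.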


The following command can be run to validate the error code:

J:>certutil -error 2148204801
0x800b0101 (-2146762495) -- 2148204801 (-2146762495)
Error message text: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
CertUtil: -error command completed successfully.


To renew the SSL certificate, follow the instructions below; for more in-depth details, please refer to the Microsoft instructions at http://technet.microsoft.com/en-us/library/bb727098.aspx


Run mmc.exe
Click on File
Click Add/Remove Snap-in
Click Add
Find Certification Authority
Choose local computer (if you are on the same server as the CA service)
Click Finish then Close then OK
Click + Certification Authority
You will probably see your server name with a red dot icon, indicating the CA with the problem certificate.
Right-click the root node for the CA (Root CA), point to All Tasks, and then select Renew CA Certificate. This displays the Renew CA Certificate dialog box.
Right-click the root node again and in all tasks choose Start Service.


Now you should be able to run certutil -cainfo and get back proper results, such as the example below:


J:>certutil -cainfo
Exit module count: 1
CA name: app1ca
Sanitized CA short name (DS name): app1ca
CA type: 0 -- Enterprise Root CA
ENUM_ENTERPRISE_ROOTCA -- 0
CA cert count: 2
KRA cert count: 0
KRA cert used count: 0
CA cert[0]: 4 -- Expired
CA cert[1]: 3 -- Valid
CA cert version[0]: 0 -- V0.0
CA cert version[1]: 0x10001 (65537) -- V1.1
CA cert verify status[0]: 0x800b0101 (-2146762495)
CA cert verify status[1]: 0
CRL[0]: 4 -- Expired
CRL[1]: 3 -- Valid
CRL Publish Status[1]: 5
CPF_BASE -- 1
CPF_COMPLETE -- 4
Delta CRL Publish Status[1]: 6
CPF_DELTA -- 2
CPF_COMPLETE -- 4
DNS Name: app1.stoneware.com
Advanced Server: 0
CertUtil: -CAInfo command completed successfully.

Each DC should be tested with Microsoft's LDP.exe tool to verify that it has obtained a valid SSL certificate. If you are unable to connect to a DC with LDP.exe, that DC should be restarted and retested. Any DC that fails the LDP.exe test will cause problems for webNetwork.
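The LDP.exe check above, and the "simple bind failed ... connection abort" error at the top of this article, can both be reproduced from a script: open a TLS handshake to port 636 on each DC and look at the certificate it presents. The following PowerShell is an added example and not part of the original article or of webNetwork. It assumes a domain-joined machine; Test-AllDomainControllers additionally needs the ActiveDirectory RSAT module. The address 192.168.1.41 is the one from the log above; any other host name is a constructed placeholder.

```powershell
# Added example, not part of the original KB article: a scripted version of the
# LDP.exe check. It opens a TLS handshake to port 636 on a DC and reports the
# certificate the DC presents, so an expired certificate (the cause of the
# "simple bind failed ... connection abort" error above) shows up as a failed
# handshake or an expired NotAfter instead of a bare 0x51.
# Assumptions: run from a domain-joined machine; Test-AllDomainControllers needs
# the ActiveDirectory RSAT module. The IP 192.168.1.41 is the one from the log
# above; any other host names are constructed.

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 636,
        [int] $TimeoutMs = 5000
    )
    $r = [ordered]@{
        Server = $ComputerName; Reachable = $false; TlsOk = $false
        Subject = $null; Issuer = $null; NotAfter = $null; DaysLeft = $null
        ChainOk = $null; ChainStatus = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs   # a DC that accepts TCP but never finishes TLS must not hang the script
    $ssl = $null
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${ComputerName}:$Port timed out"
        }
        $client.EndConnect($async)
        $r.Reachable = $true

        # Accept any certificate during the handshake; validity is evaluated below,
        # so an expired or untrusted cert is reported rather than hidden in an exception.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $err) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)   # a DC with no usable cert aborts here (recv failed)
        $r.TlsOk = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $r.Subject  = $cert.Subject
        $r.Issuer   = $cert.Issuer
        $r.NotAfter = $cert.NotAfter
        $r.DaysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

        # Build the chain the way Schannel would (minus revocation, so the check works offline).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $r.ChainOk = $chain.Build($cert)
        $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','   # e.g. NotTimeValid
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    [pscustomobject]$r
}

function Test-AllDomainControllers {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADDomainController -Filter * |
        ForEach-Object { Test-LdapsCertificate -ComputerName $_.HostName } |
        Sort-Object TlsOk, DaysLeft           # failing DCs first, then soonest-to-expire
}

# Usage: one DC by address (the one from the log above), or every DC in the domain.
Test-LdapsCertificate -ComputerName 192.168.1.41 | Format-List
Test-AllDomainControllers | Format-Table Server, Reachable, TlsOk, NotAfter, DaysLeft, ChainOk, ChainStatus, Error -AutoSize
```

Reading the output: a DC in the state this article describes shows Reachable True but TlsOk False with the handshake error in the Error column, because Schannel has no valid server credential and drops the connection. A DC that still presents its old certificate shows TlsOk True with a negative DaysLeft and NotTimeValid in ChainStatus. After the CA certificate has been renewed and the DC restarted, every DC should report TlsOk True, ChainOk True and a positive DaysLeft.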

 

    Can't find the KB

    Unable to find the KB to address your issue ?  

      • Recent Articles

      • Lenovo Unified Workspace End-of-Life Questions and Answers

        Will the shutdown of LUW servers and access to downloads affect my server licensing? No, the shutdown of the customer servers and access to the product and licensing downloads will not affect your server licensing. This license is downloaded and ...
      • How do I determine my Unified Workspace license expiration date?

        The best method for determining the licensing information including the expiration date of your Unified Workspace license: Login to your 8090 management console on each server This may take remoting into each LUW server and relay, opening a browser, ...
      • Lenovo Unified Workspace 7.0.2.13 Released

        Highlights of Unified Workspace 7.0.2.13 Before you install: Please view the installation notes here. 7.0.2.13 requires a 7.0 license file. Below is a list of enhancements and fixes released in Unified Workspace 7.0.2.13 Fixed external storage ...
      • LanSchool Documentation Guides

        LanSchool Classic Teacher Console The LanSchool Teacher Console is the interface teachers will use to manage their classroom and students. It contains all the tools necessary for a teacher to effectively interact with students and create a ...
      • Lenovo Unified Workspace 7.0.1.41 Released

        Highlights of Unified Workspace 7.0.1.41 Before you install: Please view the installation notes here. 7.0.1.41 requires a 7.0 license file. Below is a list of enhancements and fixes for Unified Workspace 7.0.1.41 Updated Log4j Updated Java Updated ...
      • Related Articles

      • Our SSL cert is expiring on our UW servers, can Lenovo Software help us renew that certificate?

        Issue SSL Certificate is expiring/expired on customer's Unified Workspace (formerly webNetwork) server(s). Solution Lenovo Software Support can assist you with renewing the SSL Certificate on your UW servers.  The only downtime required will be a ...
      • Move webNetwork to different server

        *** If you are moving to a different OS, please see : https://helpdesk.lenovosoftware.com/portal/kb/articles/migrate-webnetwork-to-windows-linux-22-8-2017 *** Keeping the same OS / version / IP As long as you are keeping the same OS/ version/IP then ...
      • Convert PFX certificate to JKS keystore using KeyStore Explorer

        Issue: Can we import the wildcard SSL Certificate we already have on our IIS server(s)? Solution: Please see the following documentation on how to convert a PFX certificate, exported from an IIS server, to a Java JKS keystore. Once you have your new ...
      • SSL certificate installation - part 2

        Problem:  Need to create and add new wildcard SSL certificate to Unified Workspace server. Prerequisite(s): Completed part 1 Access to keystore password Solution(s):  Below instructions will walk you through process of placing a new keystore on ...
      • DC won’t obtain SSL certificate automatically

        Customer installed Enterprise CA server in their AD forest and some Domain Controllers won’t pick up an SSL certificate.   The customer used LDP.exe to verify all of their DC to see if they had SSL enabled.  They found a DC that did not pick up an ...