Thursday, June 9, 2022

Novell expired certificate/CA renew

If you have not rebooted your Novell server for a long time (2+ years), a lot of services do not start on the next boot.

novell-os:~ # service --status-all|grep -i failed

namcd.service                                                                              loaded failed     failed       Novell Linux User Management(LUM)
novell-idsd.service                                                                        loaded failed     failed       Driver Store Daemon
novell-ipsmd.service                                                                       loaded failed     failed       Print Manager Daemon
novell-nss.service                                                                         loaded failed     failed       Novell Storage Services (NSS) file system.
novell-xregd.service                                                                       loaded failed     failed       Xtier registry daemon for OES
novell-xsrvd.service                                                                       loaded failed     failed       Xtier services daemon for OES
oes-cis-agent.service                                                                      loaded failed     failed       CIS agent for OES
oes-cis-recall-agent.service                                                               loaded failed     failed       CIS recall agent for OES
oes-cis-scanner.service                                                                    loaded failed     failed       CIS scanner for OES
smartd.service                                                                             loaded failed     failed       Self Monitoring and Reporting Technology (SMART) Daemon

Namcd could not be started:

novell-os:~ # service namcd restart
Job for namcd.service failed because the control process exited with error code. See "systemctl status namcd.service" and "journalctl -xe" for details.
novell-os:~ # systemctl status namcd.service
● namcd.service - Novell Linux User Management(LUM)
   Loaded: loaded (/usr/lib/systemd/system/namcd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2022-06-09 10:03:14 EEST; 6s ago
     Docs: man:namcd
  Process: 30651 ExecStopPost=/usr/bin/rm -f /var/lib/novell-lum/.flush_check_file (code=exited, status=0/SUCCESS)
  Process: 30679 ExecStart=/usr/sbin/namcd (code=exited, status=1/FAILURE)
  Process: 30675 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.flush_check_file (code=exited, status=0/SUCCESS)
  Process: 30671 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.refresh_info (code=exited, status=0/SUCCESS)
  Process: 30667 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.user_info.* (code=exited, status=0/SUCCESS)
  Process: 30663 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.group_info.* (code=exited, status=0/SUCCESS)
  Process: 30659 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.namcdnotloaded (code=exited, status=0/SUCCESS)
  Process: 30655 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.namcdloaded (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 512)

Most probably this is due to an expired Certificate Authority (CA) and/or expired server certificates. You can check certificate validity via iManager.
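
The same expiry check can be scripted from the shell before a planned reboot. This is an added example, not part of the original post. It assumes the CA and server certificates have been exported to PEM files; the function names and the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): classify PEM certificates by
# expiry so an expired CA or server certificate is found before a reboot.

# cert_status FILE [WARN_DAYS] -> prints expired | expiring | ok | unreadable
cert_status() {
    cert=$1
    warn_days=${2:-30}
    # Anything openssl cannot parse as X.509 is reported, not silently skipped.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
        return 0
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout \
            -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# cert_report WARN_DAYS FILE... -> one line per file; returns 1 if any file
# is not "ok", so it can gate a maintenance script.
cert_report() {
    warn_days=$1; shift
    rc=0
    for f in "$@"; do
        status=$(cert_status "$f" "$warn_days")
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%-10s %-26s %s\n' "$status" "${end:--}" "$f"
        [ "$status" = ok ] || rc=1
    done
    return "$rc"
}

# Usage (placeholder paths; substitute the PEM files exported on your server):
#   cert_report 90 /path/to/ca-cert.pem /path/to/server-cert.pem
```

A non-zero return from `cert_report` means at least one file is expired, close to expiry, or not a readable certificate.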

If it says 'expired', you will need to recreate all certificates.
The problem is that if you do not delete the old CA, you will always get an error.

Here is how to delete the server CA.

After that you can run this command to recreate all needed certificates:

novell-os:~ # ndsconfig upgrade

[1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf:  novell-os.OU=Servers.O=STEMO_LTD.STEMOCO

Upgrading NetIQ eDirectory server with the following parameters, Please wait...
  Tree Name             : STEMOCO
  Server DN             : novell-os.OU=Servers.O=STEMO_LTD

  Configuration File    : /etc/opt/novell/eDirectory/conf/nds.conf
  Instance Location     : /var/opt/novell/eDirectory/data
  DIB Location          : /var/opt/novell/eDirectory/data/dib

Current env file will be backed-up in format env.current_date, any customizations done to env file need to be copied back to new env file from backed-up file.

Checking if server is ready to service requests... Done
Enter admin name with context[]:admin.stemo_context
Enter the password for admin.stemo_context:

Performing eDirectory health check...

Extending schema...
For more details view schema extension logfile: /var/opt/novell/eDirectory/log/schema.log

Configuring HTTP service... Done
Configuring LDAP service... Done
Configuring SNMP service... Done
Configuring SAS service... Failed to configure SAS service: no such attribute err=-603
An error has occured while configuring the NetIQ eDirectory Server. Please look /var/opt/novell/eDirectory/log/ndsd.log file for more information.

The instance at /etc/opt/novell/eDirectory/conf/nds.conf is upgraded successfully.

ERROR: /opt/novell/eDirectory/bin/ndsconfig return value = 74.

If you get this error, it is because of an expired CA that has not been deleted. If it says 'done', just restart your Novell server and everything will be up and running again.
