I changed the SSL Certificate and Apache Can't Find the Server.crt file.

Answered Question
Aug 29th, 2007

I started having problems with the dcrserver and on this forum one of the recommendations was to change the ssl certificate. After I did that and restarted all the daemons, apache won't start and the error states that it cannot find the server.crt file. Is there any way to re-create the certificate through the cli? Since apache cannot start I can't do it through the web console. Any ideas?

yjdabear Wed, 08/29/2007 - 06:33

Here's the only server.crt I find:

/opt/CSCOpx/MDC/Apache/conf/ssl/server.crt

Good luck with resurrecting Apache. I had a problem with DCR not starting when upgrading from LMS 2.2, but was at least able to get into the LMS 2.6 web GUI to get a new cert generated.

carlos-baez Wed, 08/29/2007 - 06:38

I have two server.* under that directory but not the server.crt, strange.

Thank you for the post.

yjdabear Wed, 08/29/2007 - 06:45

Looks like configure-SSL.sh in that directory is the script that can be used to generate server.crt, along with a host of other server.* files.

-r-------- 1 casuser casusers 920 Feb 28 2007 server.cert

-r--r----- 1 casuser casusers 928 Jul 17 22:05 server.crt

-r-------- 1 casuser casusers 692 Jul 17 22:05 server.csr

-r-------- 1 casuser casusers 887 Jul 17 22:05 server.key

-r--r----- 1 casuser casusers 635 Jul 17 22:05 server.pk8

carlos-baez Wed, 08/29/2007 - 06:49

The problem is that this is a Windows 2000 box, so no shell scripts. There should be some perl script somewhere, but the ones named configuressl.pl and enablessl.pl (approximate names off the top of my head) only enable or disable but don't create the cert.

carlos-baez Wed, 08/29/2007 - 07:46

I found the command, it's a perl script named ConfigSSL.pl. I ran the script and followed all the instructions but when it was creating the certificates a pop-up window came up saying "The ordinal 3288 could not be located in the dynamic link library LIBEAY32.dll". Clicking ok various times ended the process, but still no server.crt file is found. Here is the output of the command:

C:\PROGRA~1\CSCOpx\MDC\Apache>..\..\bin\perl ConfigSSL.pl -enable

SSL is already enabled

C:\PROGRA~1\CSCOpx\MDC\Apache>..\..\bin\perl ConfigSSL.pl -disable

SSL is disabled. Restart Daemon Manager to reflect the changes.

C:\PROGRA~1\CSCOpx\MDC\Apache>..\..\bin\perl ConfigSSL.pl -enable

You don't have a private key and/or certificate

*** Running key and certifcate generation utility ***

Please enter the following information. It is needed to generate your

temporary certificate

Country (2 letter code) : **

State or Province (full name) : **

Locality (eg, city) : **

Organisation (eg, company) : **

Organisation_unit (eg, company) : **

Host Name (eg, FQDN) : **

Enter e-mail address (eg, [email protected]) : *@*

*** Generating your RSA key pair. This may take a while, please wait. ***

*** Generating your temporary X.509 Certificate ***

*** Generating PKCS#8 version of private key ***

*** Generating server.csr file. ***

java.io.FileNotFoundException: C:/PROGRA~1/CSCOpx\MDC\Apache\conf\ssl\server.crt (The system cannot find the file specified)

at java.io.FileInputStream.open(Native Method)

at java.io.FileInputStream.<init>(FileInputStream.java:59)

at com.cisco.nm.cmf.ssl.CheckValidity.logCertValues(CheckValidity.java:91)

at com.cisco.nm.cmf.ssl.CheckValidity.main(CheckValidity.java:158)

[Wed Aug 29 11:22:27 VET 2007]Exception Caught : java.lang.NullPointerException

java.lang.NullPointerException

at com.cisco.nm.cmf.ssl.CheckValidity.logCertValues(CheckValidity.java:98)

at com.cisco.nm.cmf.ssl.CheckValidity.main(CheckValidity.java:158)

The following files have been created for SSL Communication

1. Server Private Key

C:\PROGRA~1\CSCOpx\MDC\Apache\conf\ssl\server.key

2. Server Certificate (Self Signed)

C:\PROGRA~1\CSCOpx\MDC\Apache\conf\ssl\server.crt

3. Certificate Signing Request file

C:\PROGRA~1\CSCOpx\MDC\Apache\conf\ssl\server.csr

4. Server Private Key(PKCS#8)

C:\PROGRA~1\CSCOpx\MDC\Apache\conf\ssl\server.pk8

IMPORTANT: Please backup the above files in a secured location

If you plan to get Certificates from third party CAs,

Please refer the Uploading Certificates section in User Guide or Online help.

It is important that you follow the steps mentioned in the documentation for uploading third party Certificates into CiscoWorks' KeyStore.

SSL is enabled. Restart Daemon Manager to reflect the changes.

C:\PROGRA~1\CSCOpx\MDC\Apache>

carlos-baez Wed, 08/29/2007 - 07:57

I verified and there are two LIBEAY32.dll files on the box, one under bin and one under system32 and just by their filesize they are different and I assume that openssl.exe looks for the file under system32 as the default path for dlls. I'm going to change the dll and try again.

Joe Clarke Wed, 08/29/2007 - 08:57

You have a DLL conflict which is known to cause problems with LMS. The way to resolve this is to adjust your Path environment variable so that the directory that contains the CiscoWorks-installed libeay32.dll and ssleay32.dll comes before the other directory.

Then shut down dmgtd.

Next, delete all of the NMSROOT\MDC\Apache\conf\ssl\server.* files, and run the following commands:

NMSROOT\bin\perl.exe NMSROOT\MDC\Apache\ConfigSSL.pl -disable

NMSROOT\bin\perl.exe NMSROOT\MDC\Apache\ConfigSSL.pl -enable

If you want to run in SSL mode, you're done. If you prefer not to run in SSL mode, then run the following command:

NMSROOT\bin\perl.exe NMSROOT\MDC\Apache\ConfigSSL.pl -disable

Finally, restart dmgtd.

carlos-baez Wed, 08/29/2007 - 09:46

No luck! The path is ok, the ciscoworks bin is first in order in respect to system32. I deleted the server.* files and ran the perl script but with the same results.

Correct Answer
Joe Clarke Wed, 08/29/2007 - 09:59

Okay, do this. Move the other libeay32.dll and ssleay32.dll files to a directory NOT in your Path. This may not be possible as the files are loaded in memory. If you cannot do it, just reboot the machine, then try to move the files. NOTE: these files cannot be in C:\WINDOWS, C:\WINDOWS\system32, or C:\WINNT. Once the DLLs are in a non-Pathed directory, reboot the server [again], then you should be able to run the ConfigSSL.pl command successfully.

This DLL conflict is documented in CSCsg29627, and is fixed in LMS 3.0. A fix for 2.6 should be forthcoming in November.
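
An inventory of the conflicting DLLs described in this answer, as an added example that is not part of the original thread or of CiscoWorks: it lists every copy of libeay32.dll and ssleay32.dll found in the Windows directories and in each Path entry, in order, and warns when copies of the same name differ. It assumes a PowerShell prompt on the affected server (PowerShell 4 or later for Get-FileHash); no CiscoWorks paths are hard-coded.

```powershell
# Added example: inventory every copy of the OpenSSL DLLs named in this thread.
# Assumption: run from a PowerShell prompt on the affected Windows server.
$dllNames = 'libeay32.dll', 'ssleay32.dll'

# Windows directories first (the answer says the other copies cannot be in
# these), then each Path entry in the order it appears in the variable.
$searchDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    $env:SystemRoot
) + ($env:Path -split ';' | Where-Object { $_ -ne '' })

$seen  = @{}
$order = 0
$found = @(foreach ($dir in $searchDirs) {
    # Normalise the entry: expand %VAR%, drop quotes and trailing backslash.
    $full = [Environment]::ExpandEnvironmentVariables($dir).Trim('"').TrimEnd('\')
    $key  = $full.ToLowerInvariant()
    if ($seen.ContainsKey($key)) { continue }
    $seen[$key] = $true
    if (-not (Test-Path -LiteralPath $full -PathType Container)) { continue }
    $order++
    foreach ($name in $dllNames) {
        $path = Join-Path $full $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Order       = $order
                Name        = $name
                Directory   = $full
                Size        = $item.Length
                FileVersion = $item.VersionInfo.FileVersion
                SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
})

$found | Format-Table Order, Name, Directory, Size, FileVersion -AutoSize

# Report a conflict when the same DLL name exists with different content.
foreach ($group in ($found | Group-Object Name)) {
    $builds = @($group.Group | Select-Object -ExpandProperty SHA256 -Unique)
    if ($builds.Count -gt 1) {
        Write-Warning ("{0}: {1} copies, {2} different builds" -f $group.Name, $group.Count, $builds.Count)
    }
}
```

A warning means more than one build of the same DLL is reachable, which is the condition the thread resolves by moving the non-CiscoWorks copies out of every listed directory.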

carlos-baez Wed, 08/29/2007 - 10:45

Now it worked, even the original dcr server error was resolved (the ssl was apparently the problem). I renamed the dlls before moving them out of the path's way and the script ran smoothly.

Thank you!
