08-29-2007 05:59 AM
I started having problems with the dcrserver and on this forum one of the recommendations was to change the ssl certificate. After I did that and restarted all the daemons, apache won't start and the error states that it cannot find the server.crt file. Is there any way to re-create the certificate through the cli? Since apache cannot start I can't do it through the web console. Any ideas?
08-29-2007 06:33 AM
Here's the only server.crt I find:
/opt/CSCOpx/MDC/Apache/conf/ssl/server.crt
Good luck with resurrecting Apache. I had a problem with DCR not starting when upgrading from LMS 2.2, but was at least able to get into the LMS 2.6 web GUI to get a new cert generated.
08-29-2007 06:38 AM
I have two server.* under that directory but not the server.crt, strange.
Thank you for the post.
08-29-2007 06:45 AM
Looks like configure-SSL.sh in that directory is the script that can be used to generate server.crt, along with a host of other server.* files.
-r-------- 1 casuser casusers 920 Feb 28 2007 server.cert
-r--r----- 1 casuser casusers 928 Jul 17 22:05 server.crt
-r-------- 1 casuser casusers 692 Jul 17 22:05 server.csr
-r-------- 1 casuser casusers 887 Jul 17 22:05 server.key
-r--r----- 1 casuser casusers 635 Jul 17 22:05 server.pk8
08-29-2007 06:49 AM
The problem is that this is a Windows 2000 box, so no shell scripts. There should be some Perl script somewhere, but the ones named configuressl.pl and enablessl.pl (approximate names off the top of my head) only enable or disable but don't create the cert.
08-29-2007 07:46 AM
I found the command; it's a Perl script named ConfigSSL.pl. I ran the script and followed all the instructions, but when it was creating the certificates a pop-up window came up saying "The ordinal 3288 could not be located in the dynamic link library LIBEAY32.dll". Clicking OK various times ended the process, but still no server.crt file is found. Here is the output of the command:
C:\PROGRA~1\CSCOpx\MDC\Apache>..\..\bin\perl ConfigSSL.pl -enable
SSL is already enabled
C:\PROGRA~1\CSCOpx\MDC\Apache>..\..\bin\perl ConfigSSL.pl -disable
SSL is disabled. Restart Daemon Manager to reflect the changes.
C:\PROGRA~1\CSCOpx\MDC\Apache>..\..\bin\perl ConfigSSL.pl -enable
You don't have a private key and/or certificate
*** Running key and certifcate generation utility ***
Please enter the following information. It is needed to generate your
temporary certificate
Country (2 letter code) : **
State or Province (full name) : **
Locality (eg, city) : **
Organisation (eg, company) : **
Organisation_unit (eg, company) : **
Host Name (eg, FQDN) : **
Enter e-mail address (eg, your_name@domain.com) : *@*
*** Generating your RSA key pair. This may take a while, please wait. ***
*** Generating your temporary X.509 Certificate ***
*** Generating PKCS#8 version of private key ***
*** Generating server.csr file. ***
java.io.FileNotFoundException: C:/PROGRA~1/CSCOpx\MDC\Apache\conf\ssl\server.crt (The system cannot find the file specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.
at com.cisco.nm.cmf.ssl.CheckValidity.logCertValues(CheckValidity.java:91)
at com.cisco.nm.cmf.ssl.CheckValidity.main(CheckValidity.java:158)
[Wed Aug 29 11:22:27 VET 2007]Exception Caught : java.lang.NullPointerException
java.lang.NullPointerException
at com.cisco.nm.cmf.ssl.CheckValidity.logCertValues(CheckValidity.java:98)
at com.cisco.nm.cmf.ssl.CheckValidity.main(CheckValidity.java:158)
The following files have been created for SSL Communication
1. Server Private Key
C:\PROGRA~1\CSCOpx\MDC\Apache\conf\ssl\server.key
2. Server Certificate (Self Signed)
C:\PROGRA~1\CSCOpx\MDC\Apache\conf\ssl\server.crt
3. Certificate Signing Request file
C:\PROGRA~1\CSCOpx\MDC\Apache\conf\ssl\server.csr
4. Server Private Key(PKCS#8)
C:\PROGRA~1\CSCOpx\MDC\Apache\conf\ssl\server.pk8
IMPORTANT: Please backup the above files in a secured location
If you plan to get Certificates from third party CAs,
Please refer the Uploading Certificates section in User Guide or Online help.
It is important that you follow the steps mentioned in the documentation for uploading third party Certificates into CiscoWorks' KeyStore.
SSL is enabled. Restart Daemon Manager to reflect the changes.
C:\PROGRA~1\CSCOpx\MDC\Apache>
08-29-2007 07:57 AM
I verified and there are two LIBEAY32.dll files on the box, one under bin and one under system32 and just by their filesize they are different and I assume that openssl.exe looks for the file under system32 as the default path for dlls. I'm going to change the dll and try again.
08-29-2007 08:57 AM
You have a DLL conflict which is known to cause problems with LMS. The way to resolve this is to adjust your Path environment variable so that the directory that contains the CiscoWorks-installed libeay32.dll and ssleay32.dll comes before the other directory.
Then shut down dmgtd.
Next, delete all of the NMSROOT\MDC\Apache\conf\ssl\server.* files, and run the following commands:
NMSROOT\bin\perl.exe NMSROOT\MDC\Apache\ConfigSSL.pl -disable
NMSROOT\bin\perl.exe NMSROOT\MDC\Apache\ConfigSSL.pl -enable
If you want to run in SSL mode, you're done. If you prefer not to run in SSL mode, then run the following command:
NMSROOT\bin\perl.exe NMSROOT\MDC\Apache\ConfigSSL.pl -disable
Finally, restart dmgtd.
08-29-2007 09:46 AM
No luck! The path is ok, the ciscoworks bin is first in order in respect to system32. I deleted the server.* files and ran the perl script but with the same results.
08-29-2007 09:50 AM
Are you still getting the DLL error when running ConfigSSL.pl?
08-29-2007 09:51 AM
Yes, the same popup.
08-29-2007 09:59 AM
Okay, do this. Move the other libeay32.dll and ssleay32.dll files to a directory NOT in your Path. This may not be possible as the files are loaded in memory. If you cannot do it, just reboot the machine, then try to move the files. NOTE: these files cannot be in C:\WINDOWS, C:\WINDOWS\system32, or C:\WINNT. Once the DLLs are in a non-Pathed directory, reboot the server [again], then you should be able to run the ConfigSSL.pl command successfully.
This DLL conflict is documented in CSCsg29627, and is fixed in LMS 3.0. A fix for 2.6 should be forthcoming in November.
08-29-2007 10:45 AM
Now it worked, even the original dcr server error was resolved (the ssl was apparently the problem). I renamed the dlls before moving them out of the path's way and the script ran smoothly.
Thank you!
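An added check for the DLL conflict discussed in this thread (not code from any poster or from Cisco): it lists every copy of libeay32.dll and ssleay32.dll along an ordered list of directories, with size and SHA-256, and flags copies that differ. The default order built by `search_dirs` (application directory, system directories, then PATH) is a simplified assumption, and all function names are hypothetical.

```python
import hashlib
import os

DLL_NAMES = ("libeay32.dll", "ssleay32.dll")  # names from the thread

def search_dirs(app_dir, environ=None):
    """Application dir, system dirs, then PATH (assumed, simplified order)."""
    env = os.environ if environ is None else environ
    root = env.get("SystemRoot", r"C:\WINDOWS")
    dirs = [app_dir, os.path.join(root, "system32"), root]
    dirs += [p for p in env.get("PATH", "").split(os.pathsep) if p]
    seen, ordered = set(), []
    for d in dirs:  # drop repeats, keeping the first position
        key = os.path.normcase(os.path.abspath(d))
        if key not in seen:
            seen.add(key)
            ordered.append(d)
    return ordered

def find_copies(name, dirs):
    """Return [(path, size, sha256)] for each copy of name, in search order."""
    copies = []
    for d in dirs:
        try:
            entries = os.listdir(d)
        except OSError:
            continue  # missing or unreadable directory
        for entry in entries:
            path = os.path.join(d, entry)
            if entry.lower() == name.lower() and os.path.isfile(path):
                with open(path, "rb") as fh:
                    data = fh.read()
                copies.append((path, len(data), hashlib.sha256(data).hexdigest()))
    return copies

def report(dirs, names=DLL_NAMES):
    """Per DLL: all copies, the first in search order, and whether they differ."""
    result = {}
    for name in names:
        copies = find_copies(name, dirs)
        result[name] = {"copies": copies,
                        "first": copies[0][0] if copies else None,
                        "conflict": len({c[2] for c in copies}) > 1}
    return result

if __name__ == "__main__":
    # Assumption: the current directory stands in for the application directory.
    for name, info in report(search_dirs(os.getcwd())).items():
        print(name, "CONFLICT" if info["conflict"] else "ok", info["copies"])
```

A `conflict` of True with `first` pointing outside the application's own directory matches the situation reported here, where two LIBEAY32.dll files of different sizes were present.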