Expired Certs for Apache

Similar Messages

• Verisign trial certs for Apache

  FYI...
  if you are using the Verisign 14-day trial certificates you will need to:
  1) download the trusted CA file for this particular trial cert (from verisign) http://www.verisign.com/server/trial/faq/index.html
  2) export the cert from your browser (.der encoded from Explorer).
  3) convert the .der to .pem using the WLS utility.
  4) define this converted file in the WLS SSP plug-in
  Just thought I'd post this since BEA support couldn't get to the heart of the matter and I saw no other postings referring to this. Of course who really cares about trial certs... ;-)

  On Thu, 20 Oct 2011 21:10:56 +0000, Craig Johnson wrote:
  > In article <lZYnq.119$[email protected]>, Bob Crandell
  > wrote:
  >> In digging around I found the cert had expired. I tried renewing it in
  >> iManager/Novell certificate Server but no joy. When I view the
  >> certificate, it still says "Expires on: 04/23/2010".
  >>
  > Did you restart apache or the server after renewing the certificates?
  >
  > Craig Johnson
  > Novell Support Connection SysOp
  I restarted Apache but not the server.
  etc/init.d/apache2 stop
  /etc/init.d/novell-httpstkd stop
  /etc/init.d/novell-tomcat5 stop
  and
  /etc/init.d/novell-tomcat5 start
  /etc/init.d/novell-httpstkd start
  /etc/init.d/apache2 start
  So I should restart the server?
  Thanks

• Notification for expiring Certs on NW's TicketKeyStore

  Hi All,
    I saw there are several old posts discuss about setting up the notification for the expiring certs ( e.g. those certs on the Netweaver's TicketKeyStore ) but there is no standard solution / feature yet.
    Anyone have idea about this ? Or is this feature available in newer PI version ( newer NW version ... ? )
    Thanks.
  Best Regards,
  Ken Kwan

  Can you guys help?
  801072, user12038686, OIDM,

• Cannot set up certs for trusted CAs

  HI
  If i try to run my aplication I am getting the following exception
  ---------- JavaRun ----------
  subString1.3
  1.3........................1.3.1_07
  Exception occurred during event dispatching:
  java.lang.ExceptionInInitializerError: java.lang.SecurityException: Cannot set up certs for trusted CAs
  at javax.crypto.b.<clinit>([DashoPro-V1.2-120198])
  at javax.crypto.Cipher.getInstance([DashoPro-V1.2-120198])
  at EncryptionFactoryImpl.<init>(EncryptionFactoryImpl.java:74)
  at CheckXML.endElement(CheckXML.java:54)
  at org.apache.crimson.parser.Parser2.maybeElement(Parser2.java:1489)
  at org.apache.crimson.parser.Parser2.content(Parser2.java:1700)
  at org.apache.crimson.parser.Parser2.maybeElement(Parser2.java:1468)
  at org.apache.crimson.parser.Parser2.content(Parser2.java:1700)
  at org.apache.crimson.parser.Parser2.maybeElement(Parser2.java:1468)
  at org.apache.crimson.parser.Parser2.content(Parser2.java:1700)
  at org.apache.crimson.parser.Parser2.maybeElement(Parser2.java:1468)
  at org.apache.crimson.parser.Parser2.parseInternal(Parser2.java:499)
  at org.apache.crimson.parser.Parser2.parse(Parser2.java:304)
  at org.apache.crimson.parser.XMLReaderImpl.parse(XMLReaderImpl.java:433)
  at Authenticate.verify(Authenticate.java:29)
  at Login.actionPerformed(Login.java:112)
  at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1445)
  at javax.swing.AbstractButton$ForwardActionEvents.actionPerformed(AbstractButton.java:1499)
  at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:373)
  at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:245)
  at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:211)
  at java.awt.Component.processMouseEvent(Component.java:3710)
  at java.awt.Component.processEvent(Component.java:3539)
  at java.awt.Container.processEvent(Container.java:1159)
  at java.awt.Component.dispatchEventImpl(Component.java:2588)
  at java.awt.Container.dispatchEventImpl(Container.java:1208)
  at java.awt.Component.dispatchEvent(Component.java:2492)
  at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:2451)
  at java.awt.LightweightDispatcher.processMouseEvent(Container.java:2216)
  at java.awt.LightweightDispatcher.dispatchEvent(Container.java:2125)
  at java.awt.Container.dispatchEventImpl(Container.java:1195)
  at java.awt.Window.dispatchEventImpl(Window.java:923)
  at java.awt.Component.dispatchEvent(Component.java:2492)
  at java.awt.EventQueue.dispatchEvent(EventQueue.java:334)
  at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:126)
  at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:93)
  at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:88)
  at java.awt.EventDispatchThread.run(EventDispatchThread.java:80)
  Can someone tell me the solution for this , it is very urgent
  thanks in advance

  I got the exact same problem on my server yesterday (Aug 1st) after I restarted it. Apparently on July 28th 2005 the certificate that jce 1.2.1 crypto package uses expired. I was able to confirm this by setting the server clock back to before July 28th and everything worked fine. I updated to jce 1.2.2 (http://java.sun.com/security/index.jsp) and it resolved my problem.

• Why do i have more than one "Sites" cert after updateing and expired cert.Can i delete the expired cert?????

  Hi After getting the below message i updated my cert but now have 3 of the same certs? Can i delete the expired cert?????
  There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of SERVER.domainname.local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the
  FQDN of SERVER.domainname.local should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
  I used "Get-ExchangeCertificate | Select CertificateDomains,Thumbprint,Status,Services | fl"
  to see which cert was expired
  I used "Get-ExchangeCertificate –Thumbprint 91D4C277BE4DF5FA15FC76D936375B7766ABCC23 | New-ExchangeCertificate" to replace the expired cert
  I re-ran "Get-ExchangeCertificate | Select CertificateDomains,Thumbprint,Status,Services | fl"
  to see if it had worked
  but now i have two certs one expired the other not. Can i delete the expired cert?????

  Hi 
  Yes you can delete the expired certificate which are showing  as it is not functional anymore and they remain as stale entries 
  You can use  below command
  Remove-ExchangeCertificate -Thumbprint "specify the value "
  Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.That will encourage me - and others - to take time out to help you Check out my latest blog posts on http://exchangequery.com

• Build 9879. Can't ignore expired certs in IE 11

  The site for the VPN at my employer has an expired cert. Previously I was able to "Continue to this website (not recommended)" and continue on to the site to get VPN access.
  However, in the latest build of Windows 10 and IE 11, this option is gone. If you hit a site w/ an expired cert your only option is to close the page. This is unacceptable.
  Please let me know if there is a workaround, or provide a way to continue to the site in the very near future.
  B
  http://about.me/bc3tech

  Hi,
  I have confirmed this matter, the latest Windows 10 Technical Preview 9879 really has this phenomenon. But untill now, I doesn't find any solution or workaround method to access a website that restricted by cerficate problem.
  In my opinion, it's should a security improvement of IE 11, it would be better to renew the cert to access the website.
  Roger Lu
  TechNet Community Support
  Renewing the cert isn't an option for end users. Warn them, don't inhibit their experience. The warning that was in place before was perfect sufficient, as is the same thing
  all other browsers do.
  http://bc3te.ch/brandonh

• Web Policy Agent 2.1 for Apache 1.3.27 with Identity Server 6.1

  Web Policy Agent 2.1 for Apache 1.3.27 with Identity Server 6.1
  Does anybody has a working combination of the above ? I get a ID login page and after that I always get a access denied page. I get this exception on the agent logs:
  2004-10-14 16:28:00.917 Warning 6347:c1818 PolicyAgent: in get_cookie: no cooki
  e in ap_table
  2004-10-14 16:28:01.895 Warning 6359:c1818 PolicyAgent: Invalid URL for propert
  y (com.sun.am.policy.agents.accessDeniedURL) specified
  2004-10-14 16:28:56.742 Warning 6349:c1818 PolicyAgent: am_web_is_access_allowe
  d(http://xx.xx.xx.net:8080/, GET) denying access: status = access de
  nied (20)
  2004-10-14 16:28:56.743 128 6349:c1818 RemoteLog: User testuser1 was denie
  d access to http://xx.xx.xx.net:8080/.
  2004-10-14 16:28:56.831 -1 6349:c1818 PolicyAgent: URL Access Agent: acces
  s denied to testuser1
  We can ignore Invalid URL property part because its just looking for a custom url in place there. I have cookies enabled in my browser. I even turned on the prompt option. No luck yet.
  Any suggestions would be of great help.
  Thanks,
  Sunil.

  From your description, since the agent installs file with a different JRE, I would suspect it has something to do with the availability of JCE provider in the first JRE. By default, WebSphere's JRE is equipped with IBM JCE provider which is what the agent uses to encrypt the necessary
  information. If this provider is not configured correctly it could result in the error that you are seeing. Please check the WebSphere installation and make sure that the JRE used by it has the necessary IBM JCE provider configured. The java.security file for this should contain something like:
  security.provider.1=sun.security.provider.Sun
  security.provider.2=com.ibm.crypto.provider.IBMJCE
  security.provider.3=com.ibm.jsse.IBMJSSEProvider
  security.provider.4=com.ibm.security.cert.IBMCertPath
  security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
  Also, make sure that when you are installing the agent you specify the Java Home as prompted by the agent to point to the location where this JRE is installed. Typically this is under WebSphere/AppServer/java directory. HTH, Jerry

• Cannot set up certs for trusted CAs  on JDeveloper1013

  Hi Guys,
  When I use Apache HTTPClient to Connect to URL with NTLM Auth,
  I have got this problem:
  "Cannot set up certs for trusted CAs"
  and "java.lang.SecurityException"
  However, my source works fine with JDeveloper1013 on Windows 2000.
  JDK 1.4,2
  When I run it on Windows XP Pro, I got above Exception.
  The same souce code:
  Good enviroment:
  Window 2000, JDK1.4.2_XXX
  JDeveloper 1013
  Bad enviroment:
  WindowsXP Pro, JDK1.4.2_XXX
  JDeveloper1013
  Any idea.
  Thanks in advanced
  Thanks

  I haven't messed with 1.3 versions, but in 1.4.2 and later, the jce jar files have to be in <jre>/lib/security rather than in the classpath.
  HTH,
  John

• How to install certs for web access

  Hi all: While I have done this several times using ConsoleOne in previous versions of GW, I cannot seem to find a good write-up on installing certificates for Web Access in GW 2014. I came across this TID (https://www.novell.com/support/kb/doc.php?id=7010584) but I am not sure this applies to Web Access. Can anyone point me to a How-To or TID which describes installing certs specifically for Web Access (2014)? We are running GW 2014.0.1 on an OES11 SP2 server.
  Thanks, Chris.

  Hi Chris,
  The TID you referenced in your first post also applies to WebAccess.
  When running GroupWise/WebAccess on OES/SLES/Linux, it's not really about doing something for GroupWise WebAccess, but about doing something for Apache. So you can approach this as a generic Apache thing.
  Originally Posted by cmosentine
  PS: Our certs are from GoDaddy. We have two files, ourdomain.crt and sf_bundle.crt. If I follow the TID I referenced, I am not sure where these should be placed in the configuration file.
  If you have those files you can add them to the apache2 configuration as the TID mentions.
  You are missing one file in your listing.... the key file. Without the key file, it won't work.
  If you have those three files on the webaccess server, simply add lines to the vhost file;
  SSLCertificateFile </path/to/ourdomain.crt)>
  SSLCertificateKeyFile </path/to/ourdomain.key)>
  SSLCertificateChainFile <path/to/sf_bundle.crt>
  Then reload Apache.
  Also make sure root is the only user that can read those files (mainly important to shield the key file used).
  If there are no errors upon reloading Apache, the new certificates should then be in use.
  In general, this blog post might give some more insight on the openssl process :https://www.digitalocean.com/communi...-keys-and-csrs
  There are many others that might explain it better.
  Cheers,
  Willem

• Dealing with Expired Certs in Mixed-Mode

  I have done a fair amount of research on this topic and while I have deployed mixed-mode clusters, I haven't had a situation quite like the one I need to contend with in the next couple of weeks. I am trying to be as prepared as possible and am looking for feedback on some procedures I am drafting.
  The situation:
  (4) node cluster (clustering over the WAN)
  TFTP is enabled on all nodes (that is going to change as a result of our assessment findings)
  Cluster is running in mixed-mode
  Most certificates on the Publisher node are expired
  tomcat cert
  ipsec cert
  host-name ipsec-trust cert
  call manager cert (callmanager.pem)
  CAPF cert
  CAPF trust cert
  One of the subscriber nodes is in the same boat as the Publisher node (they were deployed at the same time and were the first nodes in this cluster)
  The other two nodes (in a DR datacenter) have valid certificates  (until 2016) except for the publisher node server cert (which has expired)
  The publisher node and the subscriber node that has the expired certs were also installed without DNS being enabled (no domain and no DNS resolvers specified - therefore, I expect that DNS client was not enabled during install)
  It is worth noting the following:
  Customer enabled mixed-mode because one of the security folks got hot and heavy on encryption. However, they limited the scope to phones only. So, IP Phone to IP Phone == authenticated/encrypted. They have a Unity Connection system with secure ports and that is it. Gateways: no encryption. CCX, etc. == no encryption
  During discovery we also found that LSC distribution is fubar. Only a percentage of the phones are using LSC. Likely due to a flaw in the provisioning process. That will be addressed later.
  The version they are running is 6.1(3)  (base, no service releases)
  The goal: Get the present solution into a VMware environment running CUCM 9.1(2). Planning on doing the Jump Upgrade procedure (interim hop to 6.1.4).
  We found out about the certificate issues during our discovery phase. We have built in time to remediate the certificate issue.
  The plan (well, thus far). I am still pulling together my notes and trying to come up with a way to test an implementation plan off line so that I can avoid bricking the phones (they are spread all over north america).
  Here is the 10,000 foot view of the plan (obviously, the actually plan will be more detailed):
  Use BAT to disable phone security and uninstall LSC
  Security Profile mod
  Certificate Ops
  Reset phones
  DRS Back up
  Download/backup current certs
  Configure DNS
  set DNS domain name
  set DNS resolver (primary and secondary)
  Pub node:
  regenerate tomcat cert
  restart tomcat service
  regenerate ipsec.pem
  regenerate callmanager.pem
  regenerate capf.pem
  Sub node (repeat above)
  ?should we update the Subs not affected by the cert issue?
  Run the CTL client and update CTL
  Reboot servers
  Pub then Subs
  Phones will reset as a result of this process
  The customer has said that they are actually fine with the idea of going back to square one and start over with provisioning a secured (mixed-mode) cluster after the 9.1 upgrade. That would be great except that if I uninstall LSCs, change phones to non-secure, and use CTL client to change back to standard-mode, I still have the CTLs left on the phones. No way to bulk delete them in UCM. I am considering using something like UnfiedFX to help me get back to square 1. Right now, I consider this a plan B. Unless feedback to this thread and other research suggests a different tact.
  Thanks in advance for any assist.
  -Bill

  Hi William,
  You have a quite a few requirements here. Just to clear things up, there are two type of certificates, first is called "certificate trust", and the other is called "Certificate".  For the trust certificates such as Callmanager_trust you can just click on the certificate, make sure that it is expired, and then delete it. this has no impact on the phones. The other type of certificate is called "Certs", you will need to regenerate those certificates, This will regenerate the certificate and also recreates the new "CAPF-trust" or "CallManager-trust" certificates with new date/time ranges.
  Doing the above will not impact the phones are the services, however after regenerating the certificates, you will need to restart all the services related to this certificate, for example if you regenerate the tftp certificate, you will need to restart the tftp service on all the servers in the cluster. Same for the Callmanager and the Tomcat.
  Please note that whenever you regenerate the Call manager certificate, you will need to run the CTL client with the same Token you used when the server was changed to mixed mode.
  In General the below is the procedure to regenerate the certificate
  - log into the "Cisco Unified OS Administration" page of the publisher
  - choose Security>Certificate Management
  - click the link for the expiring certificate
  - click "Regenerate"
  - restart the service that uses the certificate
  That will regenerate the certificate on the publisher. Within the next
  10-15 minutes, the updated certificate will  be propagated
  to the subscribers.
  For more details you could refer to :
  http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/6_1_1/cucos/iptpch6.html#wp1040760
  http://www.cisco.com/en/US/prod/collateral/voicesw/direct_upgrade_procedure_for_cisco_unified_communications_manager_releases_6.1_2.pdf
  Hope this Helps!
  Regards,
  Karthik Sivaram

• Weblogic identity assertion provider for apache

  I am using apache reverse proxy to handle the user authentication. My work env. is
  a) apache reverse proxy
  b) mod_auth_tkt (single sign on module for apache)
  c) weblogic portal server
  once the user is authenticated against mod_auth_tkt/active directory, apache generates cookie/ticket based on MD5 checksum.
  I need to pass the credentials from apache to weblogic.
  My question is
  a) Can I use any weblogic identity assertion provider which comes weblogic server product or do i have to develop custom weblogic identity assertion provider. Please advise
  Thanks
  Prabu

  *1-Can you please double check that your latest version of your web application is deployed ?*
  I have checked the application and can confirm that the correct application is deployed. With the auth-method as just BASIC (no CLIENT-CERT) I see the following behaviour:
  - With a Negotiate Identity Asserter Provider I see both WWW-Authenticate: Negotiate and WWW-Authenticate: Basic
  - Without a Negotiate Identity Asserter Provider I see just WWW-Authenticate: Basic
  *2-I believe there is no intermediary web server (like IIS) between your client and WLS ? A third part may add additional authentication request in the http header. If there is an intermediary exist, can you please avoid it for your tests.*
  I can confirm that there is no intermediary server between me and Weblogic.
  *3-Can you please check "weblogic.security.enableNegotiate" system parameter value. If it is true can you please set it to false and test your app again ?*
  I have weblogic.security.enableNegotiate set to true. I tried setting it to false and it seems I still see the same behaviour I described above in my answer to question 1.
  *3-Although I'm quite sure that Negotiate Identity Assertion Provider would not work for your app, can you please remove it and repeat your tests again. If you detect that it's because of the Negotiate Identity Assertion Provider, that you can consider open a bug request in Oracle Support system.*
  When I remove the Negotiate Identity Assertion Provider, I no longer see a WWW-Authenticate: Negotiate challenge in the response.
  Edited by: user1992925 on 16/05/2010 17:06

• Certificate renewed, clients offered expired cert

  Renewed our cert with GoDaddy, went into Server Admin and added the new one per instructions. Removed old cert and checked that all services are now using the new one.  So far, so good.
  Here's the fun part - the server is showing a two-year-old expired cert to OD users.  This manifests itself as a dialog when launching iCal: "iCal can't verify the identity of the server example.com"
  I seem to recall stumbling across a post somewhere regarding OD / LDAP where there were a few terminal commands required to complete the cert update.
  Any clues?
  Thanks!

  UPDATE:
  It appears to be some kind of Apache / Apache2 problem....  still digging.
  Oddly, /etc/certificates now contains another group of 4 .pem files, which are directly referenced by servermgr_web_apache2_config.plist
  These files were not here yesterday, and based on their date stamp, these are the expired cert files.  I cannot assign the new cert in Server Admin, and I cannot edit the .plist manually.  More precisely, I can edit the plist, but something keeps re-writing the old value back into the file.  Server Admin will let me select the new cert, but when I attempt to save the change, I get this error:
  More to come, I'm sure.
  ;o)

• Using keytool to generate self signed cert. for Microsft Certificate Mrg.

  Hi All,
  I want to be able to generate a self signed certificate that I can Import into
  Microsoft's Certificate Manager, to enable an HTTPS Listener for
  Microsoft's WinRM and WinRS.
  The certificate would only be for internal use, not used externally.
  Here's the problem. I can create a certificate using this (path obscured):
  "C:\Program Files\.....\jre\bin\keytool" -genkey -al
  ias dMobX -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=your-f5c57803
  53" -keypass changeit -validity 90 -storetype pkcs12 -keystore "C:\Program Files
  \......\jre\lib\keystore\.keystore" -storepass changeit
  "C:\Program Files\......\jre\bin\keytool" -export -alias dMob
  X -file "C:\Program Files\......\jre\lib\keystore\dMobX.cer" -stor
  etype pkcs12 -keystore "C:\Program Files\.......\jre\lib\keystore\.
  keystore" -storepass changeit -v
  Microsoft's Certificate Manager will accept it, the .cer, using "Import", into
  Trusted Root Certification Authorities, but when I run the command to create the HTTPS Listener, I get this error message:
  The WS-Management service cannot find the certificate that was requested.
  If I use another tool, like selfssl, I can generate a self signed certificate using:
  selfssl /N:CN=your-f5c5780353 /K:1024 /V:90 /P:443 /T
  This will populate a certificate in Trusted Root Certification Authorities,
  and when I run the command to create the HTTPS Listener, it succeeds with
  no problem.
  So my question is, am I doing something wrong with keytool, or are there
  extra steps that I need to take, or is it even capable of generating a "self signed
  certificate" that will work in the above case?
  There are some concepts involved, certificate wise, that I'm not sure about.
  Do I need to create a CSR and use a tool like openssl, as a CA, and
  use the resulting certificate?
  I just want to be able to programmatically create the needed certificate using keytool, or
  using an API.
  Thanks,

  Download the latest JDK on http://download.java.net/jdk7/binaries/.
  Run "keytool -genkeypair -ext KU=? -ext EKU=? ...". Substitute the "?" with the usages you see in the other cert (for example, "digitalSignature" or "codeSigning". If there are multiple ones, separate with comma).

• Problem With Policy Agent 2.2 for APACHE on WINDOWS !!!!

  I have been getting a nasty error for weeks configuring PolicyAgent 2.2 for Apache (tried 2.2.x and 2.0.x) on a Windows Server. After the configuring apache could not even start. I get the following error :
  Syntax error on line 1 of "C:/Sun/Access_Manager/Agents/2.2/apache/config/apache_80/dsame.conf":
  Cannot load C:/Sun/Access_Manager/Agents/2.2/apache/bin/libamapc2.dll into server. The specified module does not exist
  Does anyone have any ideas? (I have been pulling my hair off trying to resolve this and I am about to lift up the server and drop it !!! ) The dll file above is available in that path.
  Message was edited by:
  lreju

  This dll file may need/depend other dlls. So sometimes you may still get this error after you download the dll into your windows system folder. But you can use a tool such as http://www.dependencywalker.com to find out which other dlls are needed for your installation....Hope this helps someone !!!

• I'd like to disable my expired trial for adobe acrobat pro XI because I can no longer view pdfs without getting a subscription

  I'd like to disable my expired trial for adobe acrobat pro XI because I can no longer view pdfs without getting a subscription

  Un-install Adobe Acrobat and repair the installation of Adobe Reader.