SSL0221E error, invalid date
| My 1.3.26 https servers have all of a sudden stopped working at Jan 8th, 1
a.m., with error message (can't really copy paste, but this is it):
SSL0221E handshake error, invalid date
I have AIX 4.3
I am quite sure nothing has changed about the date there, the date must be
ok.
Any ideas?, Please, help!!
Hana
| |
| kjvoogd 2004-01-19, 8:22 am |
| Hi,
We have the same problem. It started at:
[Thu Jan 8 01:00:53 2004] [error] mod_ibm_ssl: SSL Handshake Failed,
Invalid date.
If we put a self generated certificate as default it works fine. We
are going to 're-install' the old certificate to see if this will
solve our problem.
For now we blame our time server which was on Norfork time for one
reason or the other.
The strange thing is that all our webservers that are on this time
server have invalid certificates all of a sudden.
KJ
"Hana" <hana@srce.hr> wrote in message news:<bticrc$3t94$1@news.boulder.ibm.com>...
> My 1.3.26 https servers have all of a sudden stopped working at Jan 8th, 1
> a.m., with error message (can't really copy paste, but this is it):
> SSL0221E handshake error, invalid date
>
> I have AIX 4.3
>
> I am quite sure nothing has changed about the date there, the date must be
> ok.
>
> Any ideas?, Please, help!!
>
>
>
> Hana
| |
|
| Hi Hana,
This is scary...at around the same time (midnight on 7th Jan GMT) one
of our web-servers failed with exactly the same error reported in the
web-server error log:
[error] SSL0221E: Handshake Failed, Invalid date.
[error] SSL0221E: Handshake Failed, Invalid date.
I've tried a full stop start but that doesn't help. The documentation
at
http://www-306.ibm.com/software/web...bm/9attroub.htm
suggests that the system date is set to an invalid date but this is
not true in my case. I've checked the system date and it's fine.
I've logged a PMR with IBM and will let you know if I get a result.
Good luck.....
| |
| Sunit Patke 2004-01-19, 8:22 am |
| Are you using SSL (HTTPS) by any chance? If yes, and if you are using a
certificate from VeriSign, then your intermediate certificate from VeriSign
has expired. This is not the cert for your site but the certificate for
VeriSign itself (was to expire 1/7/2004).
Get the new cert from VeriSign website (click on support).
Sunit
"Hana" <hana@srce.hr> wrote in message news:bticrc$3t94$1@news.boulder.ibm.com...
> My 1.3.26 https servers have all of a sudden stopped working at Jan 8th, 1
> a.m., with error message (can't really copy paste, but this is it):
> SSL0221E handshake error, invalid date
>
> I have AIX 4.3
>
> I am quite sure nothing has changed about the date there, the date must be
> ok.
>
> Any ideas?, Please, help!!
>
>
>
> Hana
>
>
>
>
>
| |
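The situation described in this reply (site certificate still valid, a CA certificate above it expired) can be checked by looking at the expiry date of every link in the chain, not just the server certificate. This is an added example, not part of the original thread; the certificate names and times in the sample are constructed, and only the 7 January 2004 expiry date is taken from the thread.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: `openssl x509 -noout -subject -issuer -enddate` output for
# three certificates. Names and times are invented; only the intermediate's
# expiry date (7 January 2004) comes from the thread.
SAMPLE = """\
subject=CN=www.example.test
issuer=CN=Example Intermediate CA
notAfter=Mar  1 23:59:59 2004 GMT
subject=CN=Example Intermediate CA
issuer=CN=Example Root CA
notAfter=Jan  7 23:59:59 2004 GMT
subject=CN=Example Root CA
issuer=CN=Example Root CA
notAfter=Aug  1 23:59:59 2028 GMT
"""

def parse_certs(text):
    """Group key=value lines into one dict per certificate; 'subject' starts a new one."""
    certs = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "subject":
            certs.append({})
        if key == "notAfter":  # timestamp format printed by openssl
            value = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            value = value.replace(tzinfo=timezone.utc)
        if certs:
            certs[-1][key] = value
    return certs

def audit_path(certs, leaf_subject, now, warn_days=30):
    """Walk leaf -> root by issuer name; report the expiry state of every link."""
    by_subject = {c["subject"]: c for c in certs}
    report, subject = [], leaf_subject
    while subject in by_subject and subject not in dict(report):
        cert = by_subject[subject]
        if now > cert["notAfter"]:
            state = "expired"
        elif cert["notAfter"] - now <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        report.append((subject, state))
        subject = cert["issuer"]
    if subject not in by_subject:  # issuer absent from the keystore
        report.append((subject, "missing"))
    return report
```

Run against the sample with the clock set to the morning of 8 January 2004, the server certificate reports `ok` and the intermediate reports `expired`; run three weeks earlier, the intermediate already shows as `expiring`.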
|
| Unfortunately for us we do not have a copy of the KDB file containing
the original CSR. Given that once you install a server cert it
removes the original CSR I'm a bit stuck.
Personally I don't understand why IBM bother shipping the Verisign
Persona Not Validated CA certs when they conflict with the 3 other
Verisign Primary CA certs.
Does anyone know a way to remove the Persona Not Validated CA from the
KDB file without needing to reinstall any certs? I've tried deleting
all root CA signer certs except "Verisign Class 3 Public Primary
Certification Authority" but when I restart the web server I then get:
Handshake Failed, Certificate validation error.
Looks like a new cert will need to be requested from scratch :-(
| |
| Kevin Mitchell 2004-01-19, 8:22 am |
| The problem is that the VeriSign Public class 2 and 3 CA expired on
January 7th. New ones were issued in 1999, but it seems IBM is still
distributing the old ones.
Trying to get new ones now... Please post a working solution if anyone
fixes this before I can please 
"Hana" <hana@srce.hr> wrote in message news:<bticrc$3t94$1@news.boulder.ibm.com>...
> My 1.3.26 https servers have all of a sudden stopped working at Jan 8th, 1
> a.m., with error message (can't really copy paste, but this is it):
> SSL0221E handshake error, invalid date
>
> I have AIX 4.3
>
> I am quite sure nothing has changed about the date there, the date must be
> ok.
>
> Any ideas?, Please, help!!
>
>
>
> Hana
| |
|
| OK Guys,
here is the fix, looks like VeriSign dropped the ball on this one and
released a new CA for you to import.
go here: http://www.verisign.com/support/site/caReplacement.html
stevoatwork@hotmail.com (Steve) wrote in message news:<d4e87e38.0401080154.19dea510@posting.google.com>...
> Hi Hana,
>
> This is scary...at around the same time (midnight on 7th Jan GMT) one
> of our web-servers failed with exactly the same error reported in the
> web-server error log:
>
> [error] SSL0221E: Handshake Failed, Invalid date.
> [error] SSL0221E: Handshake Failed, Invalid date.
>
> I've tried a full stop start but that doesn't help. The documentation
> at
>
> http://www-306.ibm.com/software/web...bm/9attroub.htm
>
> suggests that the system date is set to an invalid date but this is
> not true in my case. I've checked the system date and it's fine.
>
> I've logged a PMR with IBM and will let you know if I get a result.
>
> Good luck.....
| |
| Richard 2004-01-19, 8:22 am |
| stevoatwork@hotmail.com (Steve) wrote in message news:<d4e87e38.0401080154.19dea510@posting.google.com>...
> Hi Hana,
>
> This is scary...at around the same time (midnight on 7th Jan GMT) one
> of our web-servers failed with exactly the same error reported in the
> web-server error log:
>
> [error] SSL0221E: Handshake Failed, Invalid date.
> [error] SSL0221E: Handshake Failed, Invalid date.
>
> I've tried a full stop start but that doesn't help. The documentation
> at
>
> http://www-306.ibm.com/software/web...bm/9attroub.htm
>
> suggests that the system date is set to an invalid date but this is
> not true in my case. I've checked the system date and it's fine.
>
> I've logged a PMR with IBM and will let you know if I get a result.
>
> Good luck.....
We have the same problem, VeriSign's Global Server ID Intermediate
Root CA expired on 7th January 2004. You need to add the new CA.
http://www.verisign.com/support/ven...p-gsid-ssl.html
As far as I can make out you use IKEYMAN to add the certificate.
| |
| Kevin Mitchell 2004-01-19, 8:22 am |
| This was posted by IBM yesterday and seems to work. Waiting for
permission to restart the web server, but the certs seemed to update
fine.
http://www-1.ibm.com/support/docvie...8&cc=us&lang=en
cybrhippie@yahoo.com (Kevin Mitchell) wrote in message news:<477a0136.0401080824.52485a30@posting.google.com>...
> The problem is that the VeriSign Public class 2 and 3 CA expired on
> January 7th. New ones were issued in 1999, but it seems IBM is still
> distributing the old ones.
>
>
> Trying to get new ones now... Please post a working solution if anyone
> fixes this before I can please 
>
>
>
> "Hana" <hana@srce.hr> wrote in message news:<bticrc$3t94$1@news.boulder.ibm.com>...
| |
|
| Hi,
I am running IBM http server with websphere v5. I have an ikeyman
utility with the server software but not with the http server. I
followed the instructions listed, and ikeyman under the signer
section seems to take the new intermediate ca but there is no difference
with my web site. Does Verisign want us to re-install the certificate
request? I thought that I read somewhere that the intermediate CA had
to be installed before the response from Verisign is installed. I am
just a little frustrated and confused.
cybrhippie@yahoo.com (Kevin Mitchell) wrote in message news:<477a0136.0401090726.514fd6bc@posting.google.com>...
> This was posted by IBM yesterday and seems to work. Waiting for
> permission to restart the web server, but the certs seemed to update
> fine.
>
> http://www-1.ibm.com/support/docvie...8&cc=us&lang=en
>
>
> cybrhippie@yahoo.com (Kevin Mitchell) wrote in message news:<477a0136.0401080824.52485a30@posting.google.com>...
| |