Hi, I'm running NW 6.5 with SP5

Don't often do much with the server, it just sits there and works and
it's nearly a year since I had to anything but change backup tapes, so
apologies if this is a bit Dumb...

Server went down on Monday from a power outage, coming back up all seems
more or less as it should be, but I can't connect to the usual web pages
it (should be) serving any more.  Something must be running web-wise, as
I can connect to http://my.server:8008 for admin, and that's all there
as expected, but http://my.server just tells me it can't connect.

I've stopped and started Apache2 (ap2webdn and ap2webup), but still no
sign of the web pages...

Only changes I made to the basic setup were changing DocumentRoot in
httpd.conf, and where it's pointing to is there...

Any ideas, or a step by step troubleshoot guide to point me at?
Previous work on this is very limited, as it used to just work when the
server came up.

Thanks, Pete.
--
Peter Clinch                    Medical Physics IT Officer
Tel 44 1382 660111 ext. 33637   Univ. of Dundee, Ninewells Hospital
Fax 44 1382 640177              Dundee DD1 9SY Scotland UK
net p.j.clinch@dundee.ac.uk     http://www.dundee.ac.uk/~pjclinch/

[ Post a follow-up to this message ]

On Mar 22, 10:25 am, Peter Clinch <p.j.cli...@dundee.ac.uk> wrote:
> Hi, I'm running NW 6.5 withSP5
>
> Don't often do much with the server, it just sits there and works and
> it's nearly a year since I had to anything but change backup tapes, so
> apologies if this is a bit Dumb...
>
> Server went down on Monday from a power outage, coming back up all seems
> more or less as it should be, but I can't connect to the usual web pages
> it (should be) serving any more.  Something must be running web-wise, as
> I can connect tohttp://my.server:8008for admin, and that's all there
> as expected, buthttp://my.serverjust tells me it can't connect.
>
> I've stopped and started Apache2 (ap2webdn and ap2webup), but still no
> sign of the web pages...
>
> Only changes I made to the basic setup were changing DocumentRoot in
> httpd.conf, and where it's pointing to is there...
>
> Any ideas, or a step by step troubleshoot guide to point me at?
> Previous work on this is very limited, as it used to just work when the
> server came up.
>
> Thanks, Pete.
> --
> Peter Clinch                    Medical Physics IT Officer
> Tel 44 1382 660111 ext. 33637   Univ. of Dundee, Ninewells Hospital
> Fax 44 1382 640177              Dundee DD1 9SY Scotland UK
> net p.j.cli...@dundee.ac.uk    http://www.dundee.ac.uk/~pjclinch/

Pete,

You might have a problem with your certificates. Take a look at Novell
TID 3209228. Make sure you run tckeygen after recreating any certs
with pkidiag, and before restarting the server.

Martin

[ Post a follow-up to this message ]

martins_uk wrote:

> You might have a problem with your certificates. Take a look at Novell
> TID 3209228. Make sure you run tckeygen after recreating any certs
> with pkidiag, and before restarting the server.

Thanks for the pointer...

It says to log in as Admin... do I need admin rights to *everything*, or
just my bit of the tree including this server? (I have the latter, not
the former, but I can borow the former if I ask nicely.)

Running PKIDIAG as suggested as my local admin user, and doing 4, 5, 6
and 0, I end up seeing :

Step 6 Creating IP and DNS certificates if necessary.
--> Number of server IP addresses = 1
--> The default IP address is [my IP address]
PROBLEM: The KMO SSL Certificate IP has expired.
--> The KMO SSL CertificateIP's IP address is [my IP address].0=.[tr
ee].
----> The IP addresses match.
Step 6 failed -608.

Doesn't look too clever! any suggestions please?

ta, Pete.
--
Peter Clinch                    Medical Physics IT Officer
Tel 44 1382 660111 ext. 33637   Univ. of Dundee, Ninewells Hospital
Fax 44 1382 640177              Dundee DD1 9SY Scotland UK
net p.j.clinch@dundee.ac.uk     http://www.dundee.ac.uk/~pjclinch/

[ Post a follow-up to this message ]

On Mar 22, 2:48 pm, Peter Clinch <p.j.cli...@dundee.ac.uk> wrote:
> ande...@nomail.to.me wrote: 
>
> See other reply for fun with PKIDIAG
>
> Startup.err is an empty file, so no clues in there.
>
> Though Apache2.NLM appears to load (with a green [ OK ] when I call
> ap2webup), it doesn't seem to be in the Loaded Modules list on the
> Monitor, and ap2webdn notes that APACHE2 is NOT loaded when I call that.
>
> thanks for the input,
> Pete.
> --
> Peter Clinch                    Medical Physics IT Officer
> Tel 44 1382 660111 ext. 33637   Univ. of Dundee, Ninewells Hospital
> Fax 44 1382 640177              Dundee DD1 9SY Scotland UK
> net p.j.cli...@dundee.ac.uk    http://www.dundee.ac.uk/~pjclinch/

Pete,

Well, at least pkidiag confirms that your certificates have expired,
so we need to get them fixed, then run tckeygen, to (hopefully) fix
all your webby stuff.

Ensure that your servers are all time and DS sync'd. Also make sure
that your server can see the CA server for the tree.

You should only need admin rights to the container in which the server
resides, but if you can get hold of the tree admin account then try
logging into pkidiag with that.

You might also want to download the latest pkidiag.nlm from Novell's
download pages (dated 15/02/2007).

Martin

[ Post a follow-up to this message ]

martins_uk wrote:

> Well, at least pkidiag confirms that your certificates have expired,
> so we need to get them fixed, then run tckeygen, to (hopefully) fix
> all your webby stuff.
>
> Ensure that your servers are all time and DS sync'd. Also make sure
> that your server can see the CA server for the tree.
>
> You should only need admin rights to the container in which the server
> resides, but if you can get hold of the tree admin account then try
> logging into pkidiag with that.
>
> You might also want to download the latest pkidiag.nlm from Novell's
> download pages (dated 15/02/2007).

Thanks for that, I'll download the latest version and fiddle over the
weekend when I can take things up and down without getting folk miffed,
and report back after that...

cheers, Pete.
--
Peter Clinch                    Medical Physics IT Officer
Tel 44 1382 660111 ext. 33637   Univ. of Dundee, Ninewells Hospital
Fax 44 1382 640177              Dundee DD1 9SY Scotland UK
net p.j.clinch@dundee.ac.uk     http://www.dundee.ac.uk/~pjclinch/

[ Post a follow-up to this message ]

martins_uk wrote:

> Well, at least pkidiag confirms that your certificates have expired,
> so we need to get them fixed, then run tckeygen, to (hopefully) fix
> all your webby stuff.

Having entered tckeygen at the console prompt, I rebooted but when it
came back up, pretty much as before: PKIDIAG (the latest one) still says
the same thing's borken as before.  Still get Step 6 failed -603
attemtping the PKIDIAG.

> Ensure that your servers are all time and DS sync'd. Also make sure
> that your server can see the CA server for the tree.

Working from DSRepair, it seems to be time synced, and a full unattended
repair of the DS reports nothing amiss.  I'm afraid I need acronym help
with "CA server" :-(

> You should only need admin rights to the container in which the server
> resides, but if you can get hold of the tree admin account then try
> logging into pkidiag with that.

Didn't manage to borrow the Boss password before the weekend, so I just
did it with my local container admin pwd, though as above, no joy.

Bah!

Pete.
--
Peter Clinch                    Medical Physics IT Officer
Tel 44 1382 660111 ext. 33637   Univ. of Dundee, Ninewells Hospital
Fax 44 1382 640177              Dundee DD1 9SY Scotland UK
net p.j.clinch@dundee.ac.uk     http://www.dundee.ac.uk/~pjclinch/

[ Post a follow-up to this message ]

On Mar 24, 2:29 pm, Peter Clinch <p.j.cli...@dundee.ac.uk> wrote:
> martins_uk wrote: 
>
> Having entered tckeygen at the console prompt, I rebooted but when it
> came back up, pretty much as before: PKIDIAG (the latest one) still says
> the same thing's borken as before.  Still get Step 6 failed -603
> attemtping the PKIDIAG.
>

If thats an error "-603" (your earlier post reported error "-608"),
then it could be a rights issue. You need to get hold of an admin
account with sufficient rights to the server object (tree admin should
do nicely). You then need to get pkidiag to successfully recreate the
certs, then run tckeygen, then restart the server.
 
>
> Working from DSRepair, it seems to be time synced, and a full unattended
> repair of the DS reports nothing amiss.  I'm afraid I need acronym help
> with "CA server" :-(
>

The CA server is the certificate authority server for your tree. It
issues certs for the other servers in the tree.
 
>
> Didn't manage to borrow the Boss password before the weekend, so I just
> did it with my local container admin pwd, though as above, no joy.
>
As above, it sounds as though your local admin account has some rights
restrictions. Get hold of the tree admin account, or get the people
who manage the tree to run pkidiag on your server for you.

> Bah!
>
> Pete.
> --
> Peter Clinch                    Medical Physics IT Officer
> Tel 44 1382 660111 ext. 33637   Univ. of Dundee, Ninewells Hospital
> Fax 44 1382 640177              Dundee DD1 9SY Scotland UK
> net p.j.cli...@dundee.ac.uk    http://www.dundee.ac.uk/~pjclinch/

[ Post a follow-up to this message ]

martins_uk wrote:

> If thats an error "-603" (your earlier post reported error "-608"),
> then it could be a rights issue. You need to get hold of an admin
> account with sufficient rights to the server object (tree admin should
> do nicely). You then need to get pkidiag to successfully recreate the
> certs, then run tckeygen, then restart the server.

Thanks again for the input, I'll borrow the God account and see how it
goes, and report back.  System has a major core upgrade Weds. morning so
everything will have to come down then anyway, which would seem to be a
good opportunity without interrupting folk...

Ta, Pete.
--
Peter Clinch                    Medical Physics IT Officer
Tel 44 1382 660111 ext. 33637   Univ. of Dundee, Ninewells Hospital
Fax 44 1382 640177              Dundee DD1 9SY Scotland UK
net p.j.clinch@dundee.ac.uk     http://www.dundee.ac.uk/~pjclinch/

[ Post a follow-up to this message ]

martins_uk wrote:

> If thats an error "-603" (your earlier post reported error "-608"),
> then it could be a rights issue. You need to get hold of an admin
> account with sufficient rights to the server object (tree admin should
> do nicely). You then need to get pkidiag to successfully recreate the
> certs, then run tckeygen, then restart the server.

Borrowed the top level Admin account to run PKIDIAG, but still no joy :-(

In diagnostic mode it reports 2 fixable problems, showing as:

Step 6  Creating IP and DNS certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is 10.252.39.10
PROBLEM: The KMO SSL certificate has expired.
--> The KMO SSL CertificateIP's IP address is 10.252.39.10.0=.DTH.
----> The IP addresses match.
--> Run in Fixing mode to correct this problem(s).
--> Number of Server DNS names for the IP address 10.252.39.10 = 1
--> The server's default DNS name is:
mpd2.tuht.scot.nhs.uk
PROBLEM: The KMO SSL certificateDNS's DNS has expired.
--> The KMO SSL CertificateDNS's DNS name is mpd2.tuht.scot.nhs.uk.0=DTH.
----> The DNS names match.
--> Run in Fixing mode to correct this problem(s).
Step 6 succeeded



Running again, coming into Fix mode this time (in pkidiag, keying, 4, 5,
6, 0 as per Novell TID 3209228)

Step 6  Creating IP and DNS certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is 10.252.39.10
PROBLEM: The KMO SSL certificate has expired.
--> The KMO SSL CertificateIP's IP address is 10.252.39.10.0=.DTH.
----> The IP addresses match.
Step 6 failed -603.


Any further ideas?

Thanks, Pete.
--
Peter Clinch                    Medical Physics IT Officer
Tel 44 1382 660111 ext. 33637   Univ. of Dundee, Ninewells Hospital
Fax 44 1382 640177              Dundee DD1 9SY Scotland UK
net p.j.clinch@dundee.ac.uk     http://www.dundee.ac.uk/~pjclinch/

[ Post a follow-up to this message ]

On Mar 27, 10:37 am, Peter Clinch <p.j.cli...@dundee.ac.uk> wrote:
> martins_uk wrote: 
>
> Borrowed the top level Admin account to run PKIDIAG, but still no joy :-(
>
> In diagnostic mode it reports 2 fixable problems, showing as:
>
> Step 6  Creating IP and DNS certificates if necessary.
> --> Number of Server IP addresses = 1
> --> The default IP address is 10.252.39.10
> PROBLEM: The KMO SSL certificate has expired.
> --> The KMO SSL CertificateIP's IP address is 10.252.39.10.0=.DTH.
> ----> The IP addresses match.
> --> Run in Fixing mode to correct this problem(s).
> --> Number of Server DNS names for the IP address 10.252.39.10 = 1
> --> The server's default DNS name is:
>       mpd2.tuht.scot.nhs.uk
> PROBLEM: The KMO SSL certificateDNS's DNS has expired.
> --> The KMO SSL CertificateDNS's DNS name is mpd2.tuht.scot.nhs.uk.0=DTH.
> ----> The DNS names match.
> --> Run in Fixing mode to correct this problem(s).
> Step 6 succeeded
>
> Running again, coming into Fix mode this time (in pkidiag, keying, 4, 5,
> 6, 0 as per Novell TID 3209228)
>
> Step 6  Creating IP and DNS certificates if necessary.
> --> Number of Server IP addresses = 1
> --> The default IP address is 10.252.39.10
> PROBLEM: The KMO SSL certificate has expired.
> --> The KMO SSL CertificateIP's IP address is 10.252.39.10.0=.DTH.
> ----> The IP addresses match.
> Step 6 failed -603.
>
> Any further ideas?
>
> Thanks, Pete.
> --
> Peter Clinch                    Medical Physics IT Officer
> Tel 44 1382 660111 ext. 33637   Univ. of Dundee, Ninewells Hospital
> Fax 44 1382 640177              Dundee DD1 9SY Scotland UK
> net p.j.cli...@dundee.ac.uk    http://www.dundee.ac.uk/~pjclinch/

Pete,

Does sys:\etc\certserv\repair.log give any more info? Did any of the
earlier steps fail or show errors?

Martin

[ Post a follow-up to this message ]