Environment
Novell iFolder 3.7
Novell iFolder 3.6
Situation
Error: Peer reports failure of signature verification or key exchange.
Error: (Error code: ssl_error_decrypt_error_alert)
The OES server certificates expired. After they were recreated, the iFolder server continued to give a certificate error.
Resolution
The CA itself appeared to be corrupt. There are two possible solutions:
A. Fix the eDirectory CA on the server (a call into Novell Technical Services can help with this)
or
B. Create a new CA on Linux itself, generate and self-sign certificates, then use these with Apache. I have outlined these steps below. NOTE: This works, and will make iFolder work again as well. However, if your eDirectory CA is messed up, it is recommended to have that fixed to prevent other problems in the future. Here are the steps:
Generate the private key for the new CA
openssl genrsa -aes256 -out ifolderca.key 4096
Create the self-signed CA certificate
openssl req -new -x509 -days 3650 -key ifolderca.key -out ca.crt
Generate the private key for your server
openssl genrsa -aes256 -out ifoldercert.key 4096
Create a CSR (certificate signing request) to get signed by the CA
openssl req -new -key ifoldercert.key -out ifoldercert.csr
Sign your CSR with the CA key you made in the first step
openssl x509 -req -days 3650 -in ifoldercert.csr -CA ca.crt -CAkey ifolderca.key -set_serial 01 -out ifoldercert.crt
Remove the password from your key to prevent having to enter the password every time Apache is started
openssl rsa -in ifoldercert.key -out ifoldercert.key.nopass
Modify the vhost-ssl.conf Apache config file (/etc/apache2/vhost.d/vhost-ssl.conf)
SSLCertificateFile <path to certificate file>/ifoldercert.crt
SSLCertificateKeyFile <path to certificate file>/ifoldercert.key.nopass
NOTE: There are many different web sites that discuss this process. The steps here were taken from this blog post:
http://www.perturb.org/display/754_Apache_self_signed_certificate_HOWTO.html
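A check worth running on the files produced by the steps above before restarting Apache, since the original symptom was a signature verification failure. This is an added example, not part of the original document or the referenced blog post; the function names, the demo subject names, the 2048-bit passphrase-less demo keys and the 30-day expiry threshold are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original TID.

# check_cert_pair CA_CERT SERVER_CERT SERVER_KEY
# Prints one status line; returns 0 only if every check passes.
check_cert_pair() {
    ca=$1 crt=$2 key=$3
    # 1. Signature and validity: the certificate must verify against the CA.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not verify against $ca"; return 1; }
    # 2. The private key must belong to the certificate (compare public keys).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $crt"; return 2; }
    # 3. Flag certificates that expire within 30 days (2592000 seconds).
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: $crt expires within 30 days"; return 3; }
    echo "OK: $crt verifies against $ca and matches $key"
}

# make_demo_pki DIR: constructed throwaway CA and server certificate.
# Same commands as the steps above, made non-interactive: no passphrase,
# 2048-bit keys and made-up subject names (assumptions of this example).
make_demo_pki() {
    d=$1
    openssl genrsa -out "$d/ifolderca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$d/ifolderca.key" \
        -subj "/CN=Demo iFolder CA" -out "$d/ca.crt"
    openssl genrsa -out "$d/ifoldercert.key.nopass" 2048 2>/dev/null
    openssl req -new -key "$d/ifoldercert.key.nopass" \
        -subj "/CN=ifolder.example.com" -out "$d/ifoldercert.csr"
    openssl x509 -req -days 3650 -in "$d/ifoldercert.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ifolderca.key" -set_serial 01 \
        -out "$d/ifoldercert.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null  # unrelated key
}

demo=$(mktemp -d)
make_demo_pki "$demo"
check_cert_pair "$demo/ca.crt" "$demo/ifoldercert.crt" \
    "$demo/ifoldercert.key.nopass"
# A key that was not used for the CSR is rejected.
check_cert_pair "$demo/ca.crt" "$demo/ifoldercert.crt" "$demo/other.key" ||
    true
rm -rf "$demo"
```

On the real server, call check_cert_pair with ca.crt, ifoldercert.crt and ifoldercert.key.nopass. Because ifoldercert.key.nopass is stored without a passphrase, keep it readable by root only.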