SSL Error connecting to iFolder

  • 7004525
  • 17-Apr-2012
  • 26-Apr-2012

Environment

Novell iFolder 3.8
Novell iFolder 3.7
Novell iFolder 3.6

Situation

Error:  Peer reports failure of signature verification or key exchange.
Error: (Error code: ssl_error_decrypt_error_alert)
 
The OES server certificates had expired. After they were recreated, the iFolder server continued to report a certificate error.

Resolution

The CA itself appeared to be corrupt; there are two possible solutions:

A. Fix the eDirectory CA on the server (a call to Novell Technical Services can help with this)

or

B. Create a new CA on the Linux server itself, generate and self-sign certificates with it, and use those with Apache.  I have outlined the steps below.  NOTE:  This works, and it will make iFolder work again as well; however, if your eDirectory CA is damaged, it is recommended to have it fixed to prevent other problems in the future.   Here are the steps:

Create the CA private key and a self-signed CA certificate
openssl genrsa -aes256 -out ifolderca.key 4096
openssl req -new -x509 -days 3650 -key ifolderca.key -out ca.crt

Generate the private key for your server
openssl genrsa -aes256 -out ifoldercert.key 4096

Create a CSR (certificate signing request) to get signed by the CA
openssl req -new -key ifoldercert.key -out ifoldercert.csr

Sign your CSR with the CA key and certificate you made in the first step
openssl x509 -req -days 3650 -in ifoldercert.csr -CA ca.crt -CAkey ifolderca.key -set_serial 01 -out ifoldercert.crt

Remove the password from your key to prevent having to enter the password every time Apache is started
openssl rsa -in ifoldercert.key -out ifoldercert.key.nopass

Modify the vhost-ssl.conf Apache config file (/etc/apache2/vhost.d/vhost-ssl.conf)

SSLCertificateFile    <path to certificate file>/ifoldercert.crt      
SSLCertificateKeyFile <path to certificate file>/ifoldercert.key.nopass
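
The procedure above run as a script, added here as an example and not part of the original TID: the same openssl steps made non-interactive, followed by the checks (chain verifies, key matches certificate, host name present, nothing close to expiry) that would have exposed the original expired-certificate fault before Apache was restarted. It assumes openssl is on PATH; the host name, passphrase and directory are placeholders.

```shell
#!/bin/sh
# Added example, not code from the TID: CA + server certificate procedure
# run non-interactively, then sanity checks before Apache uses the files.
# Assumptions: openssl on PATH; HOST, CA_PASS and the directory are placeholders.
set -eu

CA_PASS="${CA_PASS:-change-me-ca-passphrase}"   # passphrase protecting ifolderca.key
HOST="${HOST:-ifolder.example.com}"             # name the iFolder server answers to

make_ifolder_certs() {
    dir="$1"
    mkdir -p "$dir"
    (
        cd "$dir"
        # 1. CA key (AES-256 protected, as in the TID) and self-signed CA cert
        openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ifolderca.key 4096 2>/dev/null
        openssl req -new -x509 -days 3650 -key ifolderca.key -passin "pass:$CA_PASS" \
            -subj "/CN=iFolder local CA" -out ca.crt
        # 2. Server key, written unencrypted up front (same result as the TID's
        #    later 'openssl rsa' step), and the CSR for it
        openssl genrsa -out ifoldercert.key.nopass 4096 2>/dev/null
        openssl req -new -key ifoldercert.key.nopass -subj "/CN=$HOST" -out ifoldercert.csr
        # 3. Sign with the CA. A subjectAltName is added because clients match the
        #    host name against it; -CAcreateserial replaces the TID's fixed serial 01
        #    so a re-issued certificate never repeats a serial number.
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > server.ext
        openssl x509 -req -days 3650 -in ifoldercert.csr -CA ca.crt -CAkey ifolderca.key \
            -passin "pass:$CA_PASS" -CAcreateserial -extfile server.ext -out ifoldercert.crt
    )
}

# Returns 0 only if the chain verifies against ca.crt, the private key matches
# the certificate, the host name is present, and nothing expires within 30 days.
check_ifolder_certs() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/ifoldercert.crt" >/dev/null || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/ifoldercert.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/ifoldercert.key.nopass")
    [ "$crt_mod" = "$key_mod" ] || return 1
    openssl x509 -noout -text -in "$dir/ifoldercert.crt" | grep -q "DNS:$HOST" || return 1
    # -checkend N exits non-zero when the certificate expires within N seconds
    openssl x509 -noout -checkend 2592000 -in "$dir/ca.crt" >/dev/null || return 1
    openssl x509 -noout -checkend 2592000 -in "$dir/ifoldercert.crt" >/dev/null
}

# Usage: sh make-ifolder-certs.sh /etc/ssl/ifolder   (directory is a placeholder)
if [ $# -gt 0 ]; then
    make_ifolder_certs "$1" && check_ifolder_certs "$1" && echo "certificates in $1 are OK"
fi
```

Point SSLCertificateFile and SSLCertificateKeyFile at ifoldercert.crt and ifoldercert.key.nopass in the chosen directory, and distribute ca.crt to the iFolder clients so they trust the new CA.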

NOTE: There are many web sites that discuss this process.  The steps given here were taken from this blog post:
http://www.perturb.org/display/754_Apache_self_signed_certificate_HOWTO.html