After importing the CA to a second server with a different %ZENWORKS_HOME% location, or when the CA role server is unavailable, all new server installs have invalid certificates

  • 7004592
  • 02-Oct-2009
  • 27-Apr-2012

Environment

Novell ZENworks 10 Configuration Management

Situation

  1. After using zman cae to export the CA role from a ZCM Windows server and zman cai to import it onto a second ZCM Windows server, CSR signing on the new CA role server fails if the second server's %ZENWORKS_HOME% path is not the same as the first server's.
  2. If closest server rules are configured so that the CA role server cannot be contacted, CSR signing by the existing CA role server fails.
  3. If the CA role server is pingable but unavailable (its services are not running properly), CSR signing by the existing CA role server fails.
 
Every server installed while this condition exists falls back to a self-signed certificate that does not chain to the trusted CA.
 
This has no impact on the trust for servers that are already installed.
 
Causes of the above:
  1. zman cai does not set the caConfig.xml path correctly for the destination server's %ZENWORKS_HOME%.
  2. The CA role server is currently excluded from the closest server configuration capabilities.
  3. The CA service may not be functioning correctly at the time of the install (the web service is in a failed state, the database is down, etc.), so the CA does not sign the CSR.
 

Resolution

Workarounds:

  1. On the new CA role server, follow the Restore Certificate Authority instructions in the documentation:
     https://www.novell.com/documentation/zcm10/zcm10_system_admin/data/b83mp7e.html
     Then restart the ZENworks services on that server.
     If no servers were installed after the CA was moved, no further action is needed.
  2. Ensure that the default closest server rule is not excluded, or that the CA role server is included in the closest server rules.
  3. Ensure that the services on the CA role server are running properly.

Once the underlying cause has been fixed, any servers that were installed while the problem existed should be reinstalled so that they receive a certificate signed by the CA.
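
To tell which servers need reinstalling, check whether each server's certificate chains to the CA rather than standing alone as a self-signed certificate. The script below is an added example, not part of this TID or of ZENworks: it uses the openssl command line (assumed to be on PATH) to build a throwaway CA standing in for the CA role server, one server certificate whose CSR the CA signed (the healthy case), and one self-signed server certificate (the fallback described in the install warning), then runs the same openssl verify check against both. All names and paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the TID): simulate a CA-signed vs. a self-signed
# server certificate and check which one chains to the CA.
# Assumption: the openssl CLI is installed and on PATH.
set -e

WORK=$(mktemp -d)

# 1. A throwaway CA key pair, standing in for the ZCM CA role server.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 30 -subj "/CN=Example ZCM CA" >/dev/null 2>&1
}

# 2. A server whose CSR was signed by the CA (the healthy install path).
make_signed_server() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/good.key" \
    -out "$WORK/good.csr" -subj "/CN=good.example" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/good.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/good.crt" \
    -days 30 >/dev/null 2>&1
}

# 3. A server whose CSR signing failed and which kept its self-signed
#    certificate, as the install warning in this TID describes.
make_selfsigned_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/bad.key" \
    -out "$WORK/bad.crt" -days 30 -subj "/CN=bad.example" >/dev/null 2>&1
}

# chains_to_ca CERT CAFILE -> prints "trusted" if CERT verifies against
# CAFILE, otherwise "untrusted" (a self-signed cert fails here because the
# CA file does not contain it).
chains_to_ca() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca
make_signed_server
make_selfsigned_server

echo "good.crt: $(chains_to_ca "$WORK/good.crt" "$WORK/ca.crt")"
echo "bad.crt:  $(chains_to_ca "$WORK/bad.crt" "$WORK/ca.crt")"
```

Against a deployed server the same test is run over the wire: with the CA's certificate saved in PEM form (assumed here as ca.crt), `openssl s_client -connect <server>:443 -CAfile ca.crt </dev/null` reports "Verify return code: 0 (ok)" for a server whose CSR was signed, and a non-zero code with "self signed certificate" for one installed while CSR signing was failing. Those are the servers the workaround above says to reinstall.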

Additional Information

Errors seen during server installs after the problem occurred:
 
WARNING
Unable to sign the csr. This means that this server will continue to use a self-signed certificate.
Unexpected error: An unexpected error occurred during the CSR signing request
 
Errors from managed agents communicating with servers that were installed after the CSR failure:
 
[ZenworksWindowsService] [8] [] [ZenCertificatePolicy] [ZMD.CertificateChainError] [Error in the TLS certificate chain. Message: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider..] [] []
[ConnectMan-ping] [] [The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.] [] []
[ZenworksWindowsService] [8] [] [ConnectMan-ping] [] [   at System.Net.HttpWebRequest.GetResponse()
[ConnectMan] [] [Marking location 10.10.10.10 Bad at the request of module ZoneConfiguration]
 
Note: In this scenario, clients have no problems communicating with any servers that were installed before the CA change. No action needs to be taken on those servers.