Environment
Novell ZENworks 10 Configuration Management with Support Pack 3 - 10.3
Situation
Linux Authentication Satellite promotion fails during CSR
ERROR (from zmd-messages.log):
[ZenHttpServer::KeyStoreUtil] [Exception :
java.lang.Exception: Unable to sign the Satellite Server's Certificate. Authenticated user or device does not have sufficient privileges to request a signed certificate
java.lang.Exception: Unable to sign the Satellite Server's Certificate. Authenticated user or device does not have sufficient privileges to request a signed certificate
[Debug] [09/30/2010 15:26:25.960] [] [1251] [ZenworksAgent] [262] [ZenHttpServer] [Exception configuring SSL for satellite server :
java.lang.Exception: An unexpected exception was encountered while configuring the Authentication Server service
java.lang.Exception: An unexpected exception was encountered while configuring the Authentication Server service
Caused by: java.lang.Exception: An unexpected error occured during configuration. The certificate signing request unexpectedly returned a null result
Resolution
Any or all of the following may help.
zac asr -t all -u Administrator -p password
or
zman rsc
zac ref
/etc/init.d/novell-zenworks-xplatzmd restart
Additional Information
Running zac command to reconfigure that satellite bypasses the token and the administrator credentials you provide are used to provide authorization to the CA service.
This error:
Unable to sign the Satellite Server's Certificate. Authenticated user or device does not have sufficient privileges to request a signed certificate
Means that the satellite was requesting that the primary sign a certificate. The primary rejected the satellite as the GUID passed in the CSR request was considered invalid.
Likely reason:
When promoting a satellite server a token with an expiration time is created and stored in the database. It is also sent to the satellite device to use with the request to the CA to sign the satellite's certificate.
If the device waits too long to refresh and start the promotion then the token will be expired and the error is seen.