Environment
Novell ZENworks 10 Configuration Management with Support Pack 3 - 10.3 Installation - Server
ZENworks Configuration Management zone is configured with internal CA
ZENworks Configuration Management zone is configured with internal CA
Situation
A install new Primary Server has self-signed certificate
Communication to new install Primary server fails.
Following error found in zcm install log
Communication to new install Primary server fails.
ERROR:
<Message><MessageID><![CDATA[0000]]></MessageID><MessageString><![CDATA[Hostname
= ie-zcm-w2k8.xentopia.home;Port = 443;Use SSL =
true]]></MessageString><Severity><![CDATA[1]]></Severity><Time><![CDATA[1272445967964]]></Time><Source><![CDATA[Unknown
Device]]></Source><ComponentName><![CDATA[Server
Install]]></ComponentName><AdditionalInfo /></Message>
<Message><MessageID><![CDATA[0000]]></MessageID><MessageString><![CDATA[Unable
to sign the csr. This means that this server will continue to use a
self-signed
certificate.]]></MessageString><Severity><![CDATA[8]]></Severity><Time><![CDATA[1272445968382]]></Time><Source><![CDATA[Unknown
Device]]></Source><ComponentName><![CDATA[Server
Install]]></ComponentName><AdditionalInfo><![CDATA[java.lang.NullPointerException
at
com.novell.zenworks.certauthority.zenca.ZENCACertSigner.signCSR(ZENCACertSigner.java:214)
at
com.novell.zenworks.configure.actions.SSLConfigureAction.configure(SSLConfigureAction.java:392)
at
com.novell.zenworks.configure.ZENworksConfigure.execConfigAction(ZENworksConfigure.java:1327)
at
com.novell.zenworks.install.customcode.configure.BaseZenConfigAction.install(BaseZenConfigAction.java:58)
at com.zerog.ia.installer.actions.CustomAction.installSelf(DashoA10*..)
at com.zerog.ia.installer.InstallablePiece.install(DashoA10*..)
at com.zerog.ia.installer.InstallablePiece.install(DashoA10*..)
at com.zerog.ia.installer.InstallablePiece.install(DashoA10*..)
at com.zerog.ia.installer.InstallablePiece.install(DashoA10*..)
at com.zerog.ia.installer.GhostDirectory.install(DashoA10*..)
at com.zerog.ia.installer.InstallablePiece.install(DashoA10*..)
at com.zerog.ia.installer.Installer.install(DashoA10*..)
at com.zerog.ia.installer.actions.InstallProgressAction.n(DashoA10*..)
at com.zerog.ia.installer.actions.ProgressPanelAction$1.run(DashoA10*..)
]]></AdditionalInfo></Message>
= ie-zcm-w2k8.xentopia.home;Port = 443;Use SSL =
true]]></MessageString><Severity><![CDATA[1]]></Severity><Time><![CDATA[1272445967964]]></Time><Source><![CDATA[Unknown
Device]]></Source><ComponentName><![CDATA[Server
Install]]></ComponentName><AdditionalInfo /></Message>
<Message><MessageID><![CDATA[0000]]></MessageID><MessageString><![CDATA[Unable
to sign the csr. This means that this server will continue to use a
self-signed
certificate.]]></MessageString><Severity><![CDATA[8]]></Severity><Time><![CDATA[1272445968382]]></Time><Source><![CDATA[Unknown
Device]]></Source><ComponentName><![CDATA[Server
Install]]></ComponentName><AdditionalInfo><![CDATA[java.lang.NullPointerException
at
com.novell.zenworks.certauthority.zenca.ZENCACertSigner.signCSR(ZENCACertSigner.java:214)
at
com.novell.zenworks.configure.actions.SSLConfigureAction.configure(SSLConfigureAction.java:392)
at
com.novell.zenworks.configure.ZENworksConfigure.execConfigAction(ZENworksConfigure.java:1327)
at
com.novell.zenworks.install.customcode.configure.BaseZenConfigAction.install(BaseZenConfigAction.java:58)
at com.zerog.ia.installer.actions.CustomAction.installSelf(DashoA10*..)
at com.zerog.ia.installer.InstallablePiece.install(DashoA10*..)
at com.zerog.ia.installer.InstallablePiece.install(DashoA10*..)
at com.zerog.ia.installer.InstallablePiece.install(DashoA10*..)
at com.zerog.ia.installer.InstallablePiece.install(DashoA10*..)
at com.zerog.ia.installer.GhostDirectory.install(DashoA10*..)
at com.zerog.ia.installer.InstallablePiece.install(DashoA10*..)
at com.zerog.ia.installer.Installer.install(DashoA10*..)
at com.zerog.ia.installer.actions.InstallProgressAction.n(DashoA10*..)
at com.zerog.ia.installer.actions.ProgressPanelAction$1.run(DashoA10*..)
]]></AdditionalInfo></Message>
Resolution
A fix for this issue is included in ZENworks 11, see KB 7006995 "ZENworks 11 - information and updates" which can be found at https://www.novell.com/support
WORKAROUND:
Ensure that the Primary Server hosting the internal CA is listed the closest server rule for the configuration role to avoid the issue.
To fix the Primary server certificate after fresh ZCM 10.3 install , update the primary server to ZCM 10.3.1 or newer and remint the server certificate using the novell-zenworks-configure -c SSL -z command.
WORKAROUND:
Ensure that the Primary Server hosting the internal CA is listed the closest server rule for the configuration role to avoid the issue.
To fix the Primary server certificate after fresh ZCM 10.3 install , update the primary server to ZCM 10.3.1 or newer and remint the server certificate using the novell-zenworks-configure -c SSL -z command.
Additional Information
The root cause is that the configuration role from the closet server rule gets utilized by the installer trying to find the CA server.