iMonitor login page does not show

  • 7015600
  • 27-Aug-2014
  • 02-Sep-2014


NetIQ eDirectory


Server was built 2+ years ago.  At that time, iMonitor worked as expected.  Recently, admins notice no page is displayed when going to the secure iMonitor page (https://fqdn_of_server:8030).  There is only an error that the "connection was interrupted".

Further, in checking the url via curl, and error was returned:
user1@server01:/home/user1> curl -k
curl: (35) Unknown SSL protocol error in connection to


  1. Regenerate default certificates (in iManager)
  2. restart iMonitor via
       ndstrace -c "unload imon"
       ndstrace -c "load imon"


The default server certificates -- SSL CertificateDNS - server01.SERVERS.ENT and SSL CertificateIP - server01.SERVERS.ENT -- had expired.  Therefore a secure connection over port 8030 was not possible.

Additional Information

As the server had been up over 600 days, we even tried restarting the entire host (not just ndsd).  When that did not work, a closer look at /var/opt/novell/eDirectory/log/PKIHealth.log showed that the certificates had expired 2 years prior.  Further, the ability for PKI Health Check to fix any expired certificates was disabled:

Step 6  Create Default Certificates
   Server Self-Provisioning is NOT enabled, so we cannot create certificates.
Step 6 succeeded.

Some other helpful hints are to:
  1. Review the PKIHealth.log file after every server, ndsd or PKI restart.
  2. Enable server self-provisioning on the CA object
    The capability to replace the default certificates is in the PKI code, however a CA administrator must enable Server Self-Provisioning (i.e. the capability is not enabled by default). To enable Server Self-Provisioning, use iManager and administer the CA object.
    Note: If enabled, the PKI Health code will replace the certificates if the certificates have expired or if they are about to expire (approx 60 days).