How to renew server certificates with iPrint Appliance 1.x, 2.x, 3.x, 4.x

  • 7016720
  • 30-Jul-2015
  • 17-Aug-2021

Environment

Micro Focus iPrint Appliance 4.x
Micro Focus iPrint Appliance 3.x
Novell iPrint Appliance 2.x
Novell iPrint Appliance 1.x

Situation

Unable to manage iPrint Appliance 4.x, 3.x, 2.x, or 1.x services using iManager because certificates have expired. Certificates expire 2 years after the installation of the Appliance server.

Resolution

iPrint Appliance 3.x and 4.x
Third party cert:
If a third party certificate (external certificate) is being used, run the following string of commands within a terminal session (PuTTY or another tool):
rcndsd restart;sh /opt/novell/iprintmobile/bin/certman.sh -t edir -r
Default self-signed cert:
If the default self-signed certificate is being used, or if the above string of commands didn't resolve the problem when a 3rd party certificate is in use, then follow these steps. Note, however, that if the server is configured with a 3rd party cert, following the steps below will configure the server to use a self-signed cert for eDir, Apache, and Jetty. The 3rd party certificate will need to be applied again after running the regenerateCert.sh script.
  1. Ensure the iPrint Appliance server has the ability to access the Internet.
  2. Paste this command into a terminal session (such as putty) while logged in as root:
wget -P /tmp https://support.microfocus.com/kb/knova/images/regenerateCert.sh;chmod +x /tmp/regenerateCert.sh;/tmp/regenerateCert.sh;rcndsd restart
iPrint Appliance 2.x
While logged into a terminal session as root, run the following command:
sh certman.sh -t edir -r

If the above commands don't resolve the problem, then run the following string of commands:

rcndsd restart;sh certman.sh -t edir -r

Cause

There are 3 places certificates are stored and used:
  • eDir
  • Apache
  • Jetty
eDir cert
eDir certs are used for internal LDAP communication, for example, when you manage an iPrint object in iManager or when an SSL printer needs to authenticate a user.
Apache cert
Apache certs are stored in /etc/ssl or wherever iprint_g.conf points. These certs are used for Apache external communication with browsers, for example, when you want to log into iManager or when you access the /psmstatus page.
Jetty (keystore) cert
Jetty certs are stored in the keystore and used for external communication between the browser and the web console, for example the iPrint Management Console (:9443 tool) or the iPrint portal (https://print01.tho.local.mbii.com/print).
  • When the default self-signed cert is used, all of the above use the same certificate.
  • When a third party cert is applied, the Apache and Jetty certificates are replaced, but the eDir cert remains the self-signed cert.
RPC 500 Error
If the Apache and Jetty certs are different, expired, or corrupt, an RPC 500 Error will be returned within the iPrint Appliance Management Console when attempting to list printers, and the Printer Portal list of printers will be blank.
RPC 401 Error
An RPC 401 Error will be returned in that same situation, and a blank list of printers will also be returned within the Printer Portal page, if the eDir cert is expired or bad. This RPC 401 Error is returned because the eDir certs are used for the internal LDAP communication. The web console communicates with ipsmd through LDAP (the LDAP server specified within the /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf file). If this LDAP server is not reachable due to an eDir cert problem, the RPC 401 error will be returned in the Management Console, and managing iPrint via iManager will result in the 401 error.
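
The three certificate stores described above can be checked from a shell before and after running certman.sh, to see which of the two errors to expect. This is an added example, not part of the original article and not Micro Focus code; ports 636 (eDir LDAPS) and 443 (Apache) and the IPRINT_HOST variable are assumptions, while 9443 is the console port named above.

```shell
#!/bin/sh
# Added diagnostic sketch, not Micro Focus code.
# Assumed ports: 636 = eDir LDAPS, 443 = Apache; 9443 = Jetty console (from this page).

# probe HOST PORT [WARN_DAYS] -> prints "<sha256-fingerprint> <ok|expiring>"
probe() {
    pem=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null)
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
    [ -n "$fp" ] || return 1            # no certificate could be read from this port
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( ${3:-30} * 86400 )) >/dev/null
    then echo "$fp ok"
    else echo "$fp expiring"            # already expired, or expires within WARN_DAYS
    fi
}

# classify EDIR_STATE APACHE_FP APACHE_STATE JETTY_FP JETTY_STATE
# Maps probe results onto the symptoms listed in the Cause section.
classify() {
    rc=0
    if [ "$1" != ok ]; then
        echo "eDir cert expired, expiring or unreadable: expect RPC 401"
        rc=1
    fi
    if [ "$3" != ok ] || [ "$5" != ok ] || [ "$2" != "$4" ]; then
        echo "Apache/Jetty certs differ, expired or unreadable: expect RPC 500"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "all three stores look consistent"
    return "$rc"
}

# Live check runs only when IPRINT_HOST (hypothetical variable) is set, e.g.
#   IPRINT_HOST=appliance.example.com sh certcheck.sh
if [ -n "${IPRINT_HOST:-}" ]; then
    e=$(probe "$IPRINT_HOST" 636)
    a=$(probe "$IPRINT_HOST" 443)
    j=$(probe "$IPRINT_HOST" 9443)
    # A failed probe leaves the variable empty, which classify treats as not ok.
    classify "${e#* }" "${a% *}" "${a#* }" "${j% *}" "${j#* }"
fi
```

The eDir fingerprint is deliberately not compared with the other two, because with a third party cert applied the eDir cert stays self-signed.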

Additional Information

If the above commands return an error or do not resolve the issue, try:
rcndsd restart;chmod 775 /opt/novell/iprintmobile/bin/certman.sh;/opt/novell/iprintmobile/bin/certman.sh -t edir -r;rcapache2 restart;rcnovell-iprint-mobile restart;rcnovell-ipsmd restart