Environment
Novell iPrint Appliance 1.1 Patch 3 (version .418)
Situation
When trying to log in through the mobile apps, an "invalid credentials" error is
shown, even if the credentials are correct.
Also, when accessing the renderer page in the MC console on the Appliance, no renderers were listed, even
though the internal and external (Windows) renderers are configured and working.
Resolution
Customer is using a wildcard VeriSign certificate
Configuration:
Appliance internal name: 1.domain.intern
Appliance external name: 2.domain.com
SSL Certificate: *.domain.com from VeriSign
Solution was:
1. Adjust /etc/hosts so that the domain name used for external access comes first:
<ip> 2.domain.com 1.domain.intern
The first entry needs to match the SSL certificate name; otherwise the error is present.
2. Add the public key of the server certificate, intermediate CA and root CA
from VeriSign as trusted to the Web certificate store.
See the additional note for how to generate the correct pfx/p12 file.
Cause
If the first entry in the /etc/hosts file does not match the SSL certificate name, the connection is rejected as untrusted, because the appliance only checks the first entry in the hosts file to validate the SSL certificate name.
The wrong configuration giving the error was:
/etc/hosts:
<ip> 1.domain.intern 2.domain.com
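An added example (not part of the original article and not the appliance's own logic): a shell check that reads the first host name listed for the appliance address in a hosts file and tests it against the certificate name using standard single-label wildcard matching. The function names and the address 192.0.2.10 (standing in for <ip>) are assumptions; the demo hosts lines are constructed from the configuration above.

```shell
#!/bin/sh
# Added example: hypothetical helper names, constructed sample data.

# Print the first host name listed for IP in a hosts-format file.
first_host_for_ip() {   # usage: first_host_for_ip <hosts-file> <ip>
    awk -v ip="$2" '
        { sub(/#.*/, "") }                       # drop comments
        $1 == ip && NF >= 2 { print $2; exit }   # first name after the address
    ' "$1"
}

# Return 0 if HOST matches certificate name PATTERN.
# A leading "*." covers exactly one left-most label.
cert_name_matches() {   # usage: cert_name_matches <host> <pattern>
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*)
            suffix=${pat#\*}            # e.g. ".domain.com"
            label=${host%"$suffix"}     # what the wildcard would stand for
            [ "$label" != "$host" ] && [ -n "$label" ] || return 1
            case "$label" in *.*) return 1 ;; esac   # more than one label
            return 0 ;;
        *)  [ "$host" = "$pat" ] ;;
    esac
}

# Report whether the first name for IP matches the certificate name.
check_hosts_order() {   # usage: check_hosts_order <hosts-file> <ip> <cert-name>
    first=$(first_host_for_ip "$1" "$2")
    [ -n "$first" ] || { echo "no entry for $2 in $1"; return 2; }
    if cert_name_matches "$first" "$3"; then
        echo "OK: first name '$first' matches '$3'"
    else
        echo "MISMATCH: first name '$first' does not match '$3'"
        return 1
    fi
}

# Constructed demo using the two orderings from this article.
demo=$(mktemp)
echo '192.0.2.10 1.domain.intern 2.domain.com' > "$demo"   # failing order
check_hosts_order "$demo" 192.0.2.10 '*.domain.com'
echo '192.0.2.10 2.domain.com 1.domain.intern' > "$demo"   # corrected order
check_hosts_order "$demo" 192.0.2.10 '*.domain.com'
rm -f "$demo"
```

On a real system, pass /etc/hosts and the appliance address; the certificate name can be read with `openssl x509 -noout -subject -in 3-ssl_certificate.crt`.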
Additional Information
How we created the PFX from a wildcard VeriSign certificate to import it into the appliance:
Command:
# openssl pkcs12 -export -out wildcard5.pfx -inkey 4-wildcard-key.pem -in 3-ssl_certificate.crt -certfile 2a-IntermediateCA-RootCA.crt
- 4-wildcard-key.pem = private server key
- 3-ssl_certificate.crt = public server certificate
- 2a-IntermediateCA-RootCA.crt = public key of both CAs (first the
intermediate, second the root certificate)