Environment
Novell ZENworks Configuration Management 11.4 Certificate Remint
Situation
- Using Change CA process to change the ZENworks Certificate Authority
- Changing ZENworks to use a chained or subordinate Certificate Authority
The certificate system update on the Primary Server could fail with the following message:
ERROR:
Certificate Verification Failed
The following error may be seen in the novell-zenworks-configure.log on the Primary Server:
ERROR:
[INFO] [01/20/2017 07:57:13.162] [1144] [PrimaryServerCertActivator] [1] [SERVERNAME] [ConfigureUtility] [] [Validated CA certificate, certificatefile :D:\Program Files (x86)\Novell\ZENworks\remint-repo\ca.cert] [] [] [] [ConfigureUtility]
[INFO] [01/20/2017 07:57:13.225] [1144] [CertificateValidator] [1] [SERVERNAME] [ConfigureUtility] [] [Server Cert Chain Validation: Verifying D:\Program Files (x86)\Novell\ZENworks\remint-repo\server.p7b against CA Cert :D:\Program Files (x86)\Novell\ZENworks\remint-repo\ca.cert] [] [] [] [ConfigureUtility]
[ERROR] [01/20/2017 07:57:13.240] [1144] [CertificateValidator] [1] [SERVERNAME] [ConfigureUtility] [] [Server Cert Chain Validation failed :] [java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
...
[INFO] [01/20/2017 07:57:13.615] [1144] [ActivateCertificateConfigureAction] [1] [SERVERNAME] [ConfigureUtility] [] [Updated system update status, Status=CERTIFICATE_VERIFICATION_FAILED Message=SERVER_CERTIFICATE_NOT_VALID] [] [] [] [ConfigureUtility]
Resolution
This is fixed in version ZENworks 2017 Update 2 (17.2.0) - see KB 7022513 "ZENworks Configuration Management 2017 Update 2a and 2 - update information and list of fixes" which can be found at https://support.microfocus.com/kb/doc.php?id=7022513
- Save each certificate in the chain in its own file in base64 format
  NOTE: Opened in a text editor, this will look like the following:
  -----BEGIN CERTIFICATE-----
  <cert data>
  -----END CERTIFICATE-----
- Create a new file called server.cer
- Copy the text from each separate certificate file into the new server.cer file
  NOTE: Put the certificates in the following order:
  -----BEGIN CERTIFICATE-----
  <Server cert data>
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  <SubCA cert data>
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  <RootCA cert data>
  -----END CERTIFICATE-----
- Save this new server.cer file
- Provide this new file as the server.cer file mentioned in the Changing CA documentation
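
The server, SubCA, RootCA order from the steps above can be produced and checked before server.cer is handed to the Change CA process. The Python below is an added example, not Novell or Micro Focus code: it reads the issuer and subject of each certificate, orders the bundle from those names, and raises if the names do not chain. Assumptions: names are compared byte for byte (stricter than PKIX name matching), signatures are not verified, all function names are hypothetical, and fake_cert builds constructed stand-in certificates for testing only.

```python
import base64, re, textwrap
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as raw DER bytes from one certificate."""
    pos = tlv(der, tlv(der, 0)[1])[1]  # step into Certificate, then tbsCertificate
    fields = []
    while len(fields) < 5:  # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(der, pos)
        fields += [der[pos:end]] if tag != 0xA0 else []  # skip optional [0] version
        pos = end
    return fields[2], fields[4]

def to_pem(der):
    body = textwrap.fill(base64.b64encode(der).decode(), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_server_cer(pem_texts):
    """Return the PEM bundle ordered server, SubCA(s), RootCA; raise if it does not chain."""
    certs = [names(d) + (d,) for t in pem_texts
             for d in map(base64.b64decode, PEM_RE.findall(t))]
    issuers = {i for i, s, _ in certs if i != s}
    chain = [c for c in certs if c[1] not in issuers]  # the server cert issues nothing
    if len(chain) != 1:
        raise ValueError("expected exactly one server certificate")
    by_subject = {c[1]: c for c in certs}
    while chain[-1][0] != chain[-1][1]:  # walk up until the self-signed root
        parent = by_subject.get(chain[-1][0])
        if parent is None or parent in chain:
            raise ValueError("subject/issuer name chaining check failed")
        chain.append(parent)
    if len(chain) != len(certs):
        raise ValueError("certificate outside the chain")
    return "".join(to_pem(c[2]) for c in chain)

def fake_cert(issuer, subject):
    """Constructed stand-in: certificate-shaped DER, simplified names, no key or signature."""
    el = lambda tag, body: bytes([tag, len(body)]) + body
    name = lambda cn: el(0x30, el(0x0C, cn.encode()))
    tbs = (el(0xA0, el(2, b"\x02")) + el(2, b"\x01") + el(0x30, b"")
           + name(issuer) + el(0x30, b"") + name(subject))
    return to_pem(el(0x30, el(0x30, tbs)))
```

Pass build_server_cer the text of each saved certificate file in any order and write the returned string to server.cer.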