SSL Server Certificate tab error

DCIM_Support · ‎2020-07-03

I am running DCE 7.4.1 and I just loaded a fresh 7.3.1 OVA, then restored a backup config file and then updated the server to 7.4.1.

So now when I click on the SSL Server Certificate tab I get the following error:

An Error has occurred. See error log for more details. Comparison method violated its general contract!

scan_2017060904115200.pdf Here is the error log.

The big error I see is:

Python version mismatch, expected '2.6.5', found '2.6.6'.

Also the in the SSL Server Certificate tab I do not see the View, Add, and Remove buttons on the right.

DCIM_Support · ‎2020-07-03

Hi John Smith,

I apologize for my previous misconception: I just confused the SSL certificate of the DCE-server with the keystore of custom SSL certificates of other devices, that are stored in the DCE-server. Most likely your SSL Server Certificate tab error is related to the incorrect content of one or more SSL certificates in the above specified keystore.

Therefore, you first need to deploy a clean VM DCE-server. Then, in the available backup copy of the DCE-server (full or configuration) from the nbcServer.tar archive file, you must delete file in the path /etc/nbc/.keystore.

This is very easy to do with, for example, 7-zip software. After that, you can try to deploy a modified backup copy and check the DCE-server. After that you can again try to import in DCE-server your custom Certified Cert SSL-certificate.

Always glad to help.

See Answer In Context

DCIM_Support · ‎2020-07-03

Hi John Smith,

It's very strange, I've never seen such a mistake in DCE-server. Can you show a screenshot of the SSL Server Certificate tab?

Did this error appear only after upgrading to version DCE-7.4.1? I correctly understood?

With respect.

DCIM_Support · ‎2020-07-03

scan_2017060904451200 - Copy.pdf

When I click on the Tab I get "Could Not Accept Changes. The Currently displayed page contains invalid values."

Then it loads the blank page...

I am not sure if it happened before I upgraded it. I do know that I had to reload the ova and upgrade it several times because when I tried to change the self signed certificate in the server tab with a Certified Cert the whole DCE crashed... and I had to reload it again. My backup file is version 7.3.1 so that is why I have to use that OVA to deploy the VM and then upgrade it to 7.4.1.

DCIM_Support · ‎2020-07-03

Judging from the severity of the problem DCE-server, but personally, I would re-deploy VM DCE-7.3.1 and re-execute all the necessary steps sequentially. At the same time, at every step I would have paid attention to whether the above mentioned problem with the SSL Server Certificate tab appeared again or not.

It seems to me that you will spend much less time and effort. In addition, it is very possible that the proposed solution is the only possible for you.

Please let me know how you solve this problem.

With respect.

DCIM_Support · ‎2020-07-03

Hi John Smith,

Tell me, please, have you solved the problem or not?

With respect.

DCIM_Support · ‎2020-07-03

Not yet. I am going to try and deploy the 7.4.1 OVA since the backup file I have now is a 7.4.1 backup. I did a full and config backup.

Hopefully that will fix it...

Regards,

J

DCIM_Support · ‎2020-07-03

This has not been fixed...

I deployed the 7.4.1 OVA and the SSL tab worked fine. I then tried restoring a Full backup and the error returned. I tried restoring a Configuration tab and the error also returned...

I do not want to rediscover the devices as I have over 2500+ devices...

I did take a snapshot in there of the deployed and configured VM.

This is really frustrating!

DCIM_Support · ‎2020-07-03

Hi John Smith,

I apologize for my previous misconception: I just confused the SSL certificate of the DCE-server with the keystore of custom SSL certificates of other devices, that are stored in the DCE-server. Most likely your SSL Server Certificate tab error is related to the incorrect content of one or more SSL certificates in the above specified keystore.

Therefore, you first need to deploy a clean VM DCE-server. Then, in the available backup copy of the DCE-server (full or configuration) from the nbcServer.tar archive file, you must delete file in the path /etc/nbc/.keystore.

This is very easy to do with, for example, 7-zip software. After that, you can try to deploy a modified backup copy and check the DCE-server. After that you can again try to import in DCE-server your custom Certified Cert SSL-certificate.

Always glad to help.

DCIM_Support · ‎2020-07-03

I tried deleting those files and restoring the backup with no luck. I think I am going to have to just rebuild the folder structure and re-discover the devices when I get some time.

I am still getting the same error with the same results. For your records I did not re-deploy a new OVA, I restored back to the snapshot after a fresh redeployment. Before restoring the backup file I did go in and make sure the SSL tab was working correctly, and it was.

I have redeployed the OVA so many times I just created a snapshot with the license keys, backup location and remote storage drive settings.

Thanks for working on this with me. Any other suggestions I am open too. The only error I seem to see in the logs is the python version mismatch shown in my original post.

Regards,

J

DCIM_Support · ‎2020-07-03

Hi John Smith,

Sorry for my previous misconception, please try my solution above again: I made corrections.

The community and I will be very grateful for your feedback 😀.

DCIM_Support · ‎2020-07-03

Thank you! Thank You! That fixed it! As expected the SSL tab is now empty since the keystore was deleted.

So no good deed goes unpunished: My question now is, how will this affect devices which did have SSL certificates in there? Will I need to rediscover them? or are they just used when double clicking them and logging into them?

DCIM_Support · ‎2020-07-03

Right now it seems all the Netbotz were showing loss of communication. When looking in the DCE tab in advanced view they were not registered to the DCE server anymore.

I am going in and changing them to Post Only mode and the communications comes back.

Still checking for other devices.

DCIM_Support · ‎2020-07-03

I was able to go in and rediscover the netbotz, even though it was already "discovered" but throwing a loss of communication alarm.

After a few minutes DCE started talking to the device again. I believe it added the SSL cert.

DCIM_Support · ‎2020-07-03

Hi John Smith,

An SSL certificate is required only, if communication with the NetBotz appliance is performed using an encrypted protocol (HTTPS, 443 port). In all other cases, an SSL certificate is not needed.

P.S.: I, for example, do not use Post Only mode at all.

Post Only mode means, that communication with the DCE-server is initiated by the NetBotz appliance with a certain NetBotz periodicity. In this case, of course, you need to configure each NetBotz appliance separately. And, if there are many of them, this can be a problem.

Therefore, I prefer to use centralized DCE-server settings for all NetBotz aplliances. That is, the Post Only mode on NetBotz applianes is not configured (the list of DCE-servers is empty, as you mentioned), and the DCE-server configures the login and password for authorization on the NetBotz appliances and the frequency of their polling by the DCE-server. I.e., in this mode, the initiator of the polling is already the DCE-server, and not NetBotz appliances. It's much simpler and more reliable. That's what I've checked for five years already.

Always glad to help.

DCIM_Support · ‎2020-07-03

It's nice that my practical help helped you avoid a lot of unnecessary work 😀.

So no good deed goes unpunished: My question now is, how will this affect devices which did have SSL certificates in there? Will I need to rediscover them? or are they just used when double clicking them and logging into them?

I think it is not quite true, because according to User Assistance for StruxureWare Data Center Expert 7.4.x as indicated on page 24:

"Server SSL Certificates" display

Use this display to manage the SSL certificates on the StruxureWare Data Center Expert server used for secure communication with an SMTP server, Active Directory or OpenLDAP server, or a NetBotz Appliance.

You access this display from the Server SSL Certificates option in Server Administration Settings, a System menu option.

When you select NetBotz Appliance in the device discovery process, and select the security mode Require SSL, validate certificates option, use this display to add the certificate from the NetBotz Appliance you want to discover to the StruxureWare Data Center Expert server first. Otherwise, device discovery will not complete successfully.

Adding and removing server SSL certificates does not require the StruxureWare Data Center Expert server to reboot.

Always glad to help.

DCIM_Support · ‎2020-07-03

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.