    [VMware] root@olsannav.kba.de /opt/sannav/Portal_2.4.0_bld249/bin # sh ./replace-sannav-certificates.sh
    Enter the path for the chained CA certificate including the file name (If you have an intermediate certificate chain the same with root and provide the path including file name.) : /tmp/ca-chain.crt
    Enter the path for the private key including the file name : /tmp/olsannav.kba.de.key
    Enter the password for private key (/tmp/olsannav.kba.de.key). If the private key is not password protected, press Enter :
    Enter the path for the SSL certificate to be installed on olsannav.kba.de including the file name. Ensure that the Common Name of the certificate matches the FQDN of the host olsannav.kba.de. /tmp/olsannav.kba.de.crt
    No extensions in certificate
    Successfully validated the certificate and the private key.
    Stopping the SANnav Management Portal server to apply the certificates.
    Stopped the SANnav Management Portal server to apply the certificates.
    Starting SANnav Management Portal services.
    Services have been started.
    Waiting and checking for SANnav server to be ready. This may take a few minutes. [|]
    Some services are still not up. Run the script (/opt/sannav/Portal_2.4.0_bld249/bin/check-sannav-status.sh) to check SANnav startup status.
    If all services are not up after an additional 15 minutes, run the troubleshooting script (/opt/sannav/Portal_2.4.0_bld249/bin/troubleshooting-sannav.sh) to resolve any reported issues and restart SANnav.

Docker container for the proxy service shows the following error:

    /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
    /docker-entrypoint.sh: Configuration complete; ready for start up
    2025/05/30 11:43:59 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
    nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
    2025/05/30 11:43:59 [emerg] 1#1: SSL_CTX_use_PrivateKey("/etc/nginx/sannav-cert.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
    nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/nginx/sannav-cert.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Verified the Common name (CN) of CA certificate and SANnav server signed certificate are the same:

    openssl x509 -in /tmp/olsannav.kba.de.crt -noout -subject
    subject=O=KBA, OU=146-SSL-Server, OU=SAN, CN=olsannav.kba.de
    [VMware ] root@olsannav.kba.de /opt/sannav # hostname
    olsannav.kba.de

Also verified the certificates:

    # openssl rsa -noout -modulus -in olsannav.kba.de.key | openssl md5
    MD5(stdin)= 3de4b148f281980ec2e9ad827b7ca257
    # openssl x509 -noout -modulus -in olsannav.kba.de.crt | openssl md5
    MD5(stdin)= 3de4b148f281980ec2e9ad827b7ca257
    # openssl verify -CAfile /tmp/ca-chain.crt /tmp/olsannav.kba.de.crt
    /tmp/olsannav.kba.de.crt: OK

The errors suggest that the key may have an incorrect value or have been password protected at some point. In this case, the certificate was in the wrong format.

Convert the certificate from DER to PEM format and follow the instructions below to start the proxy service.

Launch the Linux console to the SANnav server.

Go to the location <SANnav_Home>/conf/nginx, take a backup of the files sannav-cert.pem and sannav-cert.key, and move it outside of the SANnav home location.

Validate the original certificate and keys. These two commands print md5 checksums of the certificate and key; the checksums can be compared to verify the certificate and key match:

    openssl x509 -noout -modulus -in server.pem | openssl md5
    openssl rsa -noout -modulus -in server.key | openssl md5

Verify the certificate chain:

    openssl verify -CAfile chain.pem server.pem

Validate key:

    openssl rsa -check -noout -in server.key

Check certificate and return information about it (signing authority, expiration date, and so on):

    openssl x509 -in server.pem -noout -text
    openssl x509 -in chain.pem -noout -text

Copy the correct certificate and chain to the location <SANnav_Home>/conf/nginx.

In <~location original certificates received from the CA> do:

    cat <server_cert.pem> <chained_cert.pem> >> sannav-cert.pem
    cat <server_key.key> >> sannav-cert.key

Copy <~location original key>/sannav-cert.key to <SANnav_Home>/conf/nginx/sannav-cert.key

Copy <~location original pem>/sannav-cert.pem to <SANnav_Home>/conf/nginx/sannav-cert.pem

Restart the nginx service by following the steps below.

Run the command below to get the proxy service ID:

    [root@sannav4321 bin]# docker service ls | grep proxy
    ypaxcuueqlbb dcm_2_2_0_proxy replicated 0/1 10.1xx.4x.8x:5000/proxy-local:sann2.2.0

Scale down the proxy service by using the command below:

    [root@sannav4321 bin]# docker service scale dcm_2_2_0_proxy=0
    ypaxcuueqlbb scaled to 0
    overall progress: 0 out of 0 tasks
    verify: Service converged

Wait for 10-15 seconds and then scale up the proxy service by using the command below:

    [root@sannav4321 bin]# docker service scale dcm_2_2_0_proxy=1
    ypaxcuueqlbb scaled to 1
    overall progress: 1 out of 1 tasks
    1/1: running [==================================================>]
    verify: Service converged

Confirm whether the proxy service is up and running ("1/1") by using the command below:

    [root@sannav4321 bin]# docker service ls | grep proxy
    ypaxcuueqlbb dcm_2_2_0_proxy replicated 1/1 10.155.43.87:5000/proxy-local:sann2.2.0
    [root@sannav4321 bin]#

Verify the SANnav services status, and whether the nginx proxy service is up and running, by using the script check-sannav-status.sh.

Run the script replace-sannav-certificates again after the proxy has started and apply the key, certificate, and chain again to apply the correct certificate to the KAFKA container. Follow the procedure from the replace-sannav-certificates script.
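
The procedure above calls for a DER-to-PEM conversion but shows no command for it. The following is an added example, not part of the original article or of SANnav's scripts: it detects the certificate's encoding from the file itself, writes a PEM copy, and compares the certificate's public key with the private key's. The function names and the argument paths are placeholders chosen for this example, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example (not from SANnav): normalise a certificate to PEM and
# confirm it pairs with the private key before copying it into place.

# Print "PEM" or "DER" for a certificate file; fail if it is neither.
# PEM is recognised by its text header, so the result does not depend on
# how the installed openssl handles an unspecified input format.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        return 1
    fi
}

# Write a PEM copy of certificate $1 to $2, converting from DER if needed.
to_pem() {
    case "$(cert_format "$1")" in
        PEM) openssl x509 -in "$1" -out "$2" ;;
        DER) openssl x509 -inform DER -in "$1" -outform PEM -out "$2" ;;
        *)   echo "not a PEM or DER certificate: $1" >&2; return 1 ;;
    esac
}

# Succeed only if PEM certificate $1 carries the public key of private key $2.
# Comparing public keys works for any key type, not only RSA moduli.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh this-script <cert-from-CA> <private-key> <output.pem>
if [ "$#" -eq 3 ]; then
    echo "input encoding: $(cert_format "$1")"
    to_pem "$1" "$3" || exit 1
    if key_matches_cert "$3" "$2"; then
        echo "certificate and key match; PEM written to $3"
    else
        echo "certificate and key do NOT match" >&2
        exit 1
    fi
fi
```

Run it against the files received from the CA before concatenating them into sannav-cert.pem, so that only PEM data ends up in the file nginx loads.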