• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6273

Server Certificate expired - can't log in!!!

I just got responsible for a Lotus server. The guy before me sadly passed away.
Now I can't log in, because his certificate has expired; he was the admin of the server and there is no one else.

I got a couple of .id files, all expired, can I in any way tamper with these to allow me to log in as administrator?
I know the password of the old admin's account.

THIS IS REALLY URGENT!!!
Asked by: jansjobe
 
Sjef Bosman (Groupware Consultant) Commented:
Tampering with id-files is not possible. Notes and Domino do have a very tight security.

There are 2 types of id-files: the certifier id, and all the rest: server-id, admin-id, user-id (they are basically the same). To (re-)certify an id-file, you NEED to have the certifier id-file (cert.id) and you NEED to know the password. If you don't have them both, you're in big trouble. You find that the password to the cert.id file is the same as the password to the admin.id file, but that's not always the case.

What id's are expired? Server-id?, Admin-id? Your id? Are there any valid id's left?

I assume you're on a Windows server (any version). It would then be possible to recertify id's from the server's environment but running as local user, on the server itself. What environment do you have: hardware, O/S, Notes and Domino versions, etc.?

jansjobe (Author) Commented:

This Lotus server is only used as a database for a web server, and it is still running OK. But now I have to update a lot of data and cannot get in...

I have the cert.id but I don't know the password...
There is also
server.id (expired)
dolcert.id (old, never touched since 2000)
SAFE.ID (don't know)
and last a user id for the previous admin, which I know the password for.

No valid id's seem to be left...

As I understand it, the cert.id is the one to go for here, but how? And if I can find out the password; what do I do with this file?
Can I make a new user (myself) and give me full permission to everything? How?

I am very new to Lotus, and need all the help I can get!!!

Best Regards,
Jan

Sjef Bosman (Groupware Consultant) Commented:
I understand all your questions, but I must say that there is little hope when you don't know the passwords. Decrypting an id-file isn't possible without a password. Important are:
- cert.id (required when (re)certifying users) and password
- server.id

If you have those 3 items (2 id's and password), AND you have access to the server, AND the server is a Windows system, you might be able to fix it.

It is (or used to be) possible to log in in the server's data directory as a user. The Domino-server should be stopped, and then you can start nlnotes from the server's data directory, using the server's id. When that works, you can try to get your server.id file recertified. But you NEED the password for the certifier id.

Still, you didn't answer the questions from my previous post.

You might be better off if you set up a new server with the same name but on a separate system, and you try to copy the website database to that new server's data directory. However, if the databases were sufficiently protected, you won't get access. Also, you need to create user-id's for the users you had.
 
jansjobe (Author) Commented:
It is a windows machine with XP Pro SP2.
Notes 6.5.1
Domino also 6.5.1 (???)
Does hardware really matter? Celeron 1.2GHz, 512 RAM

How can I get access locally?

A new server is no option at this time...

And there were no users except the admin.

As I understand there is a console; can I use this ?

jansjobe (Author) Commented:
YES!!!
I found out the password for the cert.id !!!!
The former admin did not have a lot of imagination...

And the server.id does not seem to have a password?!?? I can open it in "Configuration->ID Properties" without entering anything.

What do I do now? I need a really thorough explanation!

Best regards,
Jan

Sjef Bosman (Groupware Consultant) Commented:
Well done!! Ehm, it's 19:00 over here, dinner time.

Maybe I'll be back later today...

SysExpert Commented:
Look up how to certify an ID in the Notes Administrative Client - Help.

see
Recertifying a certifier ID or a user ID  

I hope this helps !

jansjobe (Author) Commented:
Sorry, but I can't even log in, there is no user at this time with valid certificate...

Sjef Bosman (Groupware Consultant) Commented:
You might be able to log in as a "user" using the server.id file in the Domino-server's environment. Stop Domino, then start Notes from the data directory, select a different id-file (server.id) and tell us what happens.

Most likely outcome: it refuses...

But if it works, you're in on your local system. DON'T try to access the Domino server, 1) it is stopped and must stay like that while you're busy, and 2) YOU are the Domino server at the moment.

jansjobe (Author) Commented:
"Notes from the data directory", exactly how do I do this? Start the Notes Client and select this directory? Or double click some file in the data directory?
And how do I stop the Domino server? "Exit" or something in the open server (dos-like) window?

As I said, I am VERY new to Lotus!

jansjobe (Author) Commented:
I must add that this server is always online and I must keep the downtime to a MINIMUM!

Sjef Bosman (Groupware Consultant) Commented:
Indeed, you go into the program directory on the server and you doubleclick on notes.exe. I think it's not necessary that you have to be in the data directory.

To stop the Domino server you type "Quit" on the console (DOS-like indeed).

Sjef Bosman (Groupware Consultant) Commented:
jansjobe,
> I must keep the downtime to a MINIMUM!
Then do this when there are practically no users (early in the morning or in the evening). How many visitors per day do you have?

jansjobe (Author) Commented:
Good question; is this something I can see in Domino somewhere?

SysExpert Commented:
With the administrator client you should be able to see that info. Once you can log in.

You are in a Chicken and egg situation, you can not recertify until you log on, but you can not log on until you have a valid ID and certificate.

Unless you are able to log on as the Server using the Server ID, ( doubtful in R 6.5 ), then you may have to start from scratch and recreate the Server.

Is there a Notes client installed somewhere? Do you even have the Notes client software or CD?

The client is normally NOT installed on the server machine.

I hope this helps !

jansjobe (Author) Commented:
I am now very tired. This is not good. Not good at all.
I tried to shut down, open local, certify both server.id and admin.id, and it seemed to work.

Now when I try to run Domino Administrator (on the server) I get:
Server error: Requesting system's ID is the same as the servers ID. You can not use the same ID on two systems.
When I try to log in from a client with the old admins id, it's the same: expired...

HELP!!!!!!!!!!!!

Also found:

http://www.ibm.com/support/docview.wss?rs=899&context=SW710&context=SW760&context=SW870&context=SWA40&context=SWA50&context=SWAZ0&context=SWB20&context=SWB40&context=SWCZ0&context=SWD10&context=SWD20&context=SWDZ0&context=SWH30&context=SWL40&dc=DB510&dc=DB520&dc=D800&dc=D900&dc=DA900&dc=DA800&dc=DB530&dc=DA600&dc=D600&dc=D700&dc=DA500&dc=D200&dc=DA410&dc=DA450&dc=DA430&dc=DA440&dc=DB540&dc=DB400&dc=DA420&dc=DA460&dc=DB300&dc=DA470&dc=DA480&dc=DB100&dc=DA4A10&dc=DA4A20&dc=DA700&dc=DA4A30&dc=DB550&dc=D100&q1=recertify+server+id&uid=swg21084795&loc=en_US&cs=UTF-8&lang=all

but I don't understand it all.

Could you give me a
1.
2.
3.
list to do everything.

Please????




jansjobe (Author) Commented:
Stupid me. I forgot to copy the recertified id to my client: NOW I CAN LOG IN REMOTELY!!!!!

Now I need help to create myself as a user with full rights,
fix the thing at the server,
and check that everything is alright.


More questions:

It is only one file (.nsf) that is important. If I make a new install on a new machine, can I just copy this file to that server?

Is it possible to export the data from this file to some other format? SQL maybe. My employer is considering another solution for the database.

Sjef Bosman (Groupware Consultant) Commented:
Hey! Well done!

About your last post:
1. isn't the admin user a user with full rights?
2. if you install a new environment (server and client) with exactly the same name as the old one, you might succeed. I'd say 80%
3. export is possible, but it ain't as easy as you think: no SQL (standard, requires additional product), and it depends heavily on the structure of the database. One form and a few views are probably easy, but many forms and a complex document structure might take a long time.

Your server may serve you a long time when you fixed it all. The certificates should never have expired with the proper management, and documentation. See to it that you do a better job! :)

jansjobe (Author) Commented:
Thanks guys!
Always get my things solved here!

Jan

Sjef Bosman (Groupware Consultant) Commented:
You're welcome!

Next time, be a sport, and give an A... Or tell us why you're not completely satisfied.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

  • 10
  • 8
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now