Domino 8.5.1 will not renew user certificate

dtview
Dear experts,

Recently at a client's place, we had a group of users whose certificates will expire in about 4 months. So, following our usual and proven-to-work practice, we went into Domino Admin, went to the person document, and re-certified the person. The certlog.nsf showed the user with the new expiry date, and we left that behind.

The following week, the client complained that those users still received the certificate expiry notification. And we noticed that in the Configuration tab, those few users were still in the soon-to-expire list.

We tried running adminp. Tried restarting Domino server. Didn't work. Only manual recertify (by email, then after recertifying, merge the cert at user end) works.

Can anyone shed some light on what could be wrong and where we can check?

Thank you

dtview
What did you do when you "tried running adminp"?  What tell command did you use?

Did you check the admin4 database for Administration requests which needed attention?  Has someone tried to start using a CA (Certificate Authority) but not cleaned up all the bits?

Certlog db corrupt?

ACL changes needed for adminp? (See admin help topic: "Setting up ACLs for the Administration Process")

Has someone used "Suspending administration request processing"?

Author

Commented:
Hi larsberntrop,

Thanks for your comment. We used tell adminp process all

There was nothing in the database requiring administration attention (other than the mail database deletions for those accounts we removed). We even restarted the Domino server. We just didn't go on to reboot the entire server. We didn't use CA at all.

ACL change - well, we didn't have access to some of the mailboxes but I don't suppose that's a requirement. We are the full admin.

How do I know whether the certlog is corrupt or whether someone has used "Suspending administration request processing"?

Thank you,
dtview
Have you tried searching admin help for Suspending administration request processing?

It's in the server document.

Review the Administration tab, and from Server Tasks:Administration Process

Also review the console log file.  Watch for messages like certifier missing or the like.  Has someone moved the certifier ID needed by adminp, or reset the password for it?

Author

Commented:
Hi larsberntrop:

I am sorry that I did not see notifications of further comment and I thought this was abandoned.

Adminp process still runs every night in the wee hours. Strange.

This was a migrated server though, the previous was Domino 6.x and we hopped into Domino 8.5 on new hardware. Our own internal mail server is also Domino 8.5 (upgraded from 7.x), my colleague tried on our own server and found the exact same behavior. But since we couldn't find anything on the web, we just gave up and chose to renew via email. This is less than ideal since a lot of end users just panic at any kind of administrative messages / emails they see, but for a small (less than 40) environment, it's still manageable.

We have a few other Domino client sites, some are 8.0.x, some "may" be 8.5.x. Not all are managed by us. We will check around and see if anyone has this kind of issue. I think for now I will just sit on it as the urgency is not really there. When there's any more clue or even conclusion, I will find a way to post back.

Thank you very much for helping

dtview
Adminp should always be running, doing hourly tasks, daily tasks etc. when needed.

Another idea: does the server have enough rights to the NAB? In my domain, when I recertify a user, their Notes IDs are updated automatically as soon as the clients connect to the server. They get this from the person record; is that properly updated after you do a recertify? (Check if the public key has been updated.)
Have you implemented Extended ACLs on the NAB? Is the server properly configured in that too?

I think it's done on the client by dynamic configuration, so if that has been turned off it doesn't work either. (search for ndynconfig to get more info about this)

Author

Commented:
larsberntrop could be right. I checked the ACL, the current server was not listed in the ACL. While the old server (the current server was added 8 months ago) had Manager rights and has a "Key" over its icon.

Sorry for not revisiting for so long.  I have not been overseeing this environment for a long time and whoever took over just did manual recertify (it's a small environment and the users are quite tame).

My apologies for the very late response.

dtview
The key indicates the Administration server.  Must be set!
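
The check this thread converges on, as an added example that is not part of the original posts: a LotusScript agent that reports which server the Domino Directory (names.nsf) designates as its Administration server and whether a given server has an explicit ACL entry. The server name `Mail01/Acme` is a placeholder assumption, not a name from the thread.

```lotusscript
Option Public
Option Declare

' Added example: audit the names.nsf ACL for the condition found in this
' thread (current server not listed, old server still Administration server).
' SERVER_TO_CHECK is a placeholder; replace it with the current server's name.
Const SERVER_TO_CHECK = "Mail01/Acme"

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim adminSrv As NotesName
    Dim levels As Variant
    Dim target As New NotesName(SERVER_TO_CHECK)

    levels = Split("No Access,Depositor,Reader,Author,Editor,Designer,Manager", ",")

    Set db = session.GetDatabase(SERVER_TO_CHECK, "names.nsf")
    If Not db.IsOpen Then
        Print "Cannot open names.nsf on " & target.Abbreviated
        Exit Sub
    End If
    Set acl = db.ACL

    ' The Administration server is the entry shown with the key icon
    If acl.AdministrationServer = "" Then
        Print "WARNING: no Administration server is set on names.nsf"
    Else
        Set adminSrv = New NotesName(acl.AdministrationServer)
        Print "Administration server: " & adminSrv.Abbreviated
        If Lcase(adminSrv.Canonical) <> Lcase(target.Canonical) Then
            Print "WARNING: " & target.Abbreviated & " is not the Administration server"
        End If
    End If

    ' Explicit entry only; access granted through a group is not resolved here
    Set entry = acl.GetEntry(target.Abbreviated)
    If entry Is Nothing Then
        Print "WARNING: no explicit ACL entry for " & target.Abbreviated
    Else
        Print "ACL level for " & target.Abbreviated & ": " & levels(entry.Level)
    End If
End Sub
```

Run it from an administrator's client with access to the directory; it only reads the ACL and changes nothing.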
