bstich
asked on
Error on Domino console "Error locating Domino Directory entry for certifier"
This error is showing up constantly in our Notes console:
"Error locating a Domino Directory entry for certifier /OU=VCR/O=StarShipping: Entry not found in index"
The server is working normally otherwise, but we'd like to get rid of this error. Any suggestions? Note that we recently upgraded the server to version 8.5.x and we also did have a case a while back where a local address book was replicated with a server ab (but we fixed that).
Similar issue to this, but the links in this case are no longer working:
https://www.experts-exchange.com/questions/21391389/Error-locating-a-Domino-Directory-entry-for-certifier-O-XXXXX-Entry-not-found-in-index.html
Hi there bstich,
Firstly, let me suggest that you make a "new replica" from the N&A book of the HUB (Administration) server or any other server to this (defective) server, then check.
Secondly, I would suggest that you take the time to have a look at some similar cases on the IBM site.
http://www-10.lotus.com/ldd/nd6forum.nsf/Search?SearchView&Query=certifier%20and%20%22entry%20n%3Ft%20found%20in%20index%22&SearchOrder=0&Start=1&Count=100
http://www-01.ibm.com/support/search.wss?rs=475&tc=SSKTWP%2BSSKTMJ&q=certifier+and+%22Entry+not+found+in+index%22&Go.x=9&Go.y=11&dtm&dc=DB550+D100+D600+D700+DB520+D800+D900+DA900+DA800+DB540+DB400+DB530+DA600+DB510+DB500
Best Wishes
ASKER
I have recertified the certifier with the master (Organization) certifier. I have checked that the Certifier is in the AB (and it is) and made sure that the certifier public key is correct (it is). I have run updall and fixup on names.nsf. Still, the error shows up.
Recertification did not solve your problem because the error is shown when the server encounters a certificate signed by the old certifier. And so you have two choices:
1. Recertify all certificates that were signed by the old certifier and re-sign every bit of data signed by those certificates.
2. Restore the old certificate, and copy its public key into the document in the Domino directory.
ASKER
Thank you
1. It was my assumption (perhaps wrong) that all certificates were signed with the proper/up-to-date certifier. How do I find which certificates were signed with an old certifier?
You'd have to find all old IDs. There is a technote about certificate rollover using CA; I can get you a URL on Thursday, or you'll have to search yourself if urgent.
ASKER
We don't have that many users. Would re-certifying all of our current users with the correct ID solve the problem?
Yes
Oops, sorry, forgot to include link... here it is:
Certificate authority key rollover
see also
User and server key rollover
Note however, that old signatures, as present all over your Notes/Domino documents, might still trigger the error message on the server. That is why misplacing a certificate is something you should REALLY avoid.
ASKER
I have to abandon this b/c of other priorities and we have a workaround (as stated above).
Other seemingly relevant pages:
- https://www.experts-exchange.com/questions/21154610/Error-locating-a-Domino-Directory-entry-for-certifier-OU-abc-O-xyz-Entry-not-found-in-index.html
- http://forum.dominoarea.org/viewtopic.php?t=9882&sid=a7710cc162da7ca0dd932ecf7dbef062
Translation of the last part of the last page:
"In fact, the entry to the certifier did not or no longer exist. So I recreated it but apparently, that was not enough as it is also necessary to copy into this document the public key of the certifier (you can copy / paste information from the ID-file).
Once this condition was fulfilled, the messages have disappeared."
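
Added example (not part of the original thread): a small triage script that pulls every certifier name out of the console error quoted above and tells you which of the two checks discussed in the thread applies, depending on whether the name appears in a list of certifier entries you export from the Domino Directory. The sample log lines, the timestamp prefix, the `/OU=OLD` certifier and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Message text as quoted in the thread; anything before it on the line
# (timestamp, thread id) is ignored, so no console prefix format is assumed.
CERT_ERROR = re.compile(
    r"Error locating a Domino Directory entry for certifier\s+"
    r"(?P<name>/.+?):\s*Entry not found in index"
)

def normalize(name):
    """Canonical form of a hierarchical name: no leading slash, upper case."""
    parts = name.strip().strip("/").split("/")
    return "/".join(p.strip().upper() for p in parts)

def triage(console_lines, directory_certifiers):
    """Map each certifier named in the error to (hit count, next check)."""
    known = {normalize(n) for n in directory_certifiers}
    hits = Counter()
    for line in console_lines:
        match = CERT_ERROR.search(line)
        if match:
            hits[normalize(match.group("name"))] += 1
    report = {}
    for name, count in hits.items():
        if name in known:
            step = "entry exists: compare its public key with the certifier ID"
        else:
            step = "no entry: recreate it and paste in the certifier's public key"
        report[name] = (count, step)
    return report

# Constructed sample data (hypothetical timestamps; /OU=OLD is invented).
SAMPLE_LOG = [
    "03/15/2010 10:22:31 AM  Error locating a Domino Directory entry for "
    "certifier /OU=VCR/O=StarShipping: Entry not found in index",
    "03/15/2010 10:22:40 AM  Database compaction finished",
    "03/15/2010 10:23:02 AM  Error locating a Domino Directory entry for "
    "certifier /OU=VCR/O=StarShipping: Entry not found in index",
    "03/15/2010 10:25:17 AM  Error locating a Domino Directory entry for "
    "certifier /OU=OLD/O=StarShipping: Entry not found in index",
]
SAMPLE_CERTIFIERS = ["/O=StarShipping", "/OU=VCR/O=StarShipping"]

if __name__ == "__main__":
    for name, (count, step) in sorted(triage(SAMPLE_LOG, SAMPLE_CERTIFIERS).items()):
        print(f"{count:4d}  {name}  ->  {step}")
```
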