Lotus Notes User's Recertified Certificate keeps expiring

AVIVOL
We have a staff member whose Notes ID certificate is repeatedly saying it is expiring each day.  I can recertify the certificate every morning, and for the day it works fine.  On the client I can check the expiry date after recertification for the ID and it is correct (two years remaining).  On the servers (we have three), the staff member's certificate expiry is also appearing correctly.

Today the certificate has finally expired.  Interestingly, when logging into Notes and checking the expiry date prior to opening a DB it showed that it had two years before expiry.  However as soon as I tried to open a server-based database the error "certificate expired" appeared, and subsequently checking the expiry on the client shows that it has simply expired.

I initially thought that the server is overriding the local certificate's expiry date.  In other words, I thought recertifying the certificate would update the local ID file but not the server address book, however it is not the case.  Also, the servers appear to be replicating the certification expiry details correctly and this has been checked on all three of our servers.  Finally, as the replication occurs frequently during the day it's odd that a replication problem would be the case as the error appears overnight, and not after a scheduled server replication.

I'm at a loss as to why this is occurring.  I did recreate the staff member's account to only have the old expiry issue reoccur the following day.  Hence why I believe the issue revolves around a value stuck on the server's address book in one of the replicas.

Note - I have tried recertification on both the staff member's home server as well as the Primary server for the address book.

Any advice would be great.
 

Cheers.
Sjef Bosman, Groupware Consultant

Commented:
No clue...

Things to check:
- do you have a (backup) copy of the modified ID-file?
- is there some procedure that refreshes the Notes databases and ID every morning? (e.g. flash USB key??)
- are the clocks of user's PC and of the server correctly set?
1. The reason the ID first appears to be not expired and after server contact is expired is because the expiration date is updated upon server contact.  If you open the status bar, this will show up as Hierarchical certificates updates or something like that.
2. This means that the ID is invalidated on the server, not on the client.

Try: recertify the user. Examine the person document to see who has last updated it, and the mod datetime.  Copy the public key. The next day, without the user contacting the server, examine the person doc again, noting who has last changed it, and at what date/time. Please report findings.  Also check server logs as to what agents are running at that time.

Also: is LEI (Lotus Enterprise Integration) used?  Is TDI (Tivoli Directory Integrator) used?  Other connections/automation that is updating the Domino Directory?
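The two-day comparison suggested above (note the modifier and mod time, copy the public key, re-examine the person document the next morning before the user connects) is easy to get wrong by eye, so here is a small added helper that does the comparison on two snapshots of the record. This is example code written for this page, not anything from Lotus/Domino or from the posters; the field names (CertExpiry, PublicKey, LastModifiedBy, LastModified) and both records are constructed placeholders standing in for whatever you copy out of the person document, and the automation identity in the second snapshot is hypothetical.

```python
from datetime import datetime

# Constructed sample snapshots of one person document, taken on two consecutive
# days. Field names are hypothetical labels for this example, not real Domino
# item names; all values are made up.
PERSON_DOC_DAY1 = {
    "FullName": "CN=Jane Doe/O=Example",
    "CertExpiry": "2013-05-01T00:00:00",   # two years out after recertification
    "PublicKey": "constructed-key-material-1",
    "LastModifiedBy": "CN=Admin/O=Example",
    "LastModified": "2011-05-01T09:15:00",
}

PERSON_DOC_DAY2 = {
    "FullName": "CN=Jane Doe/O=Example",
    "CertExpiry": "2011-05-02T00:00:00",   # rolled back overnight
    "PublicKey": "constructed-key-material-1",
    "LastModifiedBy": "CN=Directory Sync/O=Example",  # hypothetical automation id
    "LastModified": "2011-05-02T02:10:00",
}

WATCH_FIELDS = ("CertExpiry", "PublicKey", "LastModifiedBy", "LastModified")


def diff_record(before, after, fields=WATCH_FIELDS):
    """Return {field: (old, new)} for every watched field whose value changed."""
    return {f: (before.get(f), after.get(f))
            for f in fields if before.get(f) != after.get(f)}


def expiry_regressed(before, after, field="CertExpiry"):
    """True when the stored expiry moved earlier between the two snapshots."""
    old = datetime.fromisoformat(before[field])
    new = datetime.fromisoformat(after[field])
    return new < old


def analyze(before, after):
    """Summarise what changed overnight: whether the expiry went backwards,
    whether the key itself was replaced, and who touched the record when,
    so the modifier can be matched against agent and replication entries
    in the server log."""
    findings = []
    changes = diff_record(before, after)
    if not changes:
        findings.append("no change to watched fields; look at the client ID file "
                        "or the PC/server clocks instead")
        return findings
    if expiry_regressed(before, after):
        findings.append("CertExpiry regressed from %s to %s" % changes["CertExpiry"])
    if "PublicKey" in changes:
        findings.append("PublicKey changed: the key was replaced, not just metadata")
    else:
        findings.append("PublicKey unchanged: same key, only metadata rewritten")
    findings.append("last modified by %s at %s; check the server log for agents "
                    "or replication around that time"
                    % (after.get("LastModifiedBy"), after.get("LastModified")))
    return findings


if __name__ == "__main__":
    for line in analyze(PERSON_DOC_DAY1, PERSON_DOC_DAY2):
        print(line)
```

Run it on the two snapshots you copied out by hand; a regressed expiry with an unchanged public key and a modifier that is not the administrator who recertified points at a directory-updating process rather than at the ID file, which is the distinction the question is trying to make.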

AVIVOL (Author)

Commented:
It seems that for the first time in two weeks this problem has stopped.  I'm guessing I did something slightly different the last time round that did the trick as this morning all was fine.

@larsbertrop I think you're right.  The ID file itself wasn't expired but correctly recertified, however the server record in the address book was updated during recertification (perhaps).  Not sure why as the last recertification worked and the others did not though, and am concerned this will happen again as I've just needed to recertify another person.

However, in this new case the ID file was never recertified via the Notes process on the client; this staff member chose to wait until their certificate expired and unable to log in before raising the issue.  I've recertified the file directly and it seems correct in the address books across all servers.
Sjef Bosman, Groupware Consultant

Commented:
Staff members often need a good spanking...
