A client of mine has a 2 server NDS Tree. Both servers running OES2 sp3 on SLES 10 Linux.
NDS health checks fine - replicas fully sync'ed, time is in sync, no stuck obituaries.
Server 1 has master replica. Server 2 has read-write replica.
Server 1 holds the CA, iPrint and most services. Server 2 is primarily for NDS redundancy.
Server certificates expired this week. Just using default certificates (SSL CertificateDNS and SSL CertificateIP) on both servers.
Unable to administer certain services, i.e. iPrint due to invalid/expired certificate.
Deleted SSL CertificateDNS and SSL CertificateIP in iManager for Server 1 (the server running the CA).
Then ran NDSConfig upgrade on this server. It failed on the SAS object with -601 error no such attribute. NDSConfig returned error 74.
I then returned to iManager, verified no certificates had been created, and then deleted the SAS object for this server.
Re-ran NDSConfig upgrade with the same results.
CA self-signed certificate as well as organizational certificate both report as valid on Validate in iManager.
Thought about moving the CA object to Server 2 in the tree, the other server in the tree.
When trying to export the self-signed certificate of the CA, this fails with NICI error -1418 or -1411.
Consequently I cannot move the CA to the other server.
a) Any suggestions on how to resolve this issue?
b) Even though the CA certificates appear valid, the NICI errors might suggest otherwise. What are the consequences of deleting the CA? And the process of creating a new one, then recreating and associating SAS objects and new server certificates? What other services would be affected & need to be updated besides LUM (namconfig -k)?
first on the server running the CA, in order to