Why won't Messaging Server 6.1 start listening on its https port?
Good day folks,
I've purchased a Thawte certificate for my Messaging Server 6.1, installed it through the administration server console, then, using Messaging Server console, imported the certificate into a security database for Messaging Server. certutil shows the certificate using certutil -L -d <dir path> -P msg-config-.
I then ran chown mailsrv:mail on the certificate and key databases.
I then used configutil to set these parameters:
service.http.sslusessl : yes
service.http.enablesslport : yes
service.http.sslport : 443 (was set to this value by default)
nsserversecurity : on
encryption.rsa.nsssltoken : internal
encryption.rsa.nssslactivation : on
encryption.rsa.nssslpersonality : securecomms (a nickname of my choice)
encryption.nsssl3ciphers : rsa_rc4_40_md5 (bad choice, true, but I'll change that later)
Yet when I run "stop-msg http" then follow it up by "start-msg http", Messaging Server doesn't start listening on port 443 and naturally I can't get to my MS on https:.
Any ideas what's wrong?
Cheers,
Etienne
By edepas at 2007-11-26 10:37:31

# 1
Here's an update to my first post. In Messaging Server Console, "Default Log" is showing an entry: "General Critical: HTTP SSL server is not responding". The error is being posted every 10 minutes.
# 2
Here's some more information regarding SSL-related parameters:
local.ssldbpath : /var/mps/serverroot/alias
local.ssldbprefix : msg-config-
encryption.nscertfile : ""
encryption.nskeyfile : ""
Location of certificate and key database :
# 3
You did edit the "sslpassword.cnf" file, to include the password you chose for the certificate database, right?
You did copy the cert*.db and key* file to the correct name/path?
You did match case on the certificate name? Server-cert is not the same as server-cert
You did look at the http log on startup for errors?
# 4
Hello Jay, nice to hear from you again...
Yes, I did edit the sslpassword.conf file to reflect the password I supplied to the wizard during creation of the database (first screen)
Regarding cert8.db and key3.db, in my case, when I imported the certificates from the Administration Server, the wizard created msg-config-cert8.db and msg-config-key3.db and placed these files under the same location as the database files belonging to Administration Server, namely /var/mps/serverroot/alias. I did not copy the files anywhere; I just modified the parameters local.ssldbpath and local.ssldbprefix. This is ok, I hope?
About certificate name: I called mine securecomms and set the parameter encryption.rsa.nssslpersonality accordingly.
The http log doesn't show any errors (it does give a "general warning" that SMIME is disabled) but the default log shows the error I described, namely "General Critical: HTTP SSL server is not responding" but gives no hints as to the cause.
I'm at a bit of a loss here... hope you can throw some light on this.
# 5
I have never seen a successful Messaging ssl setup, where the files were not in the Messaging ../config/alias directory.
Also, the name of the file may be incorrect; "msg-config-cert8.db" may have to be renamed to bare "cert8.db". Same for the key file.
I'm very surprised you don't see anything in the http startup, I would expect to see it.
The default log is simply reporting that it can't connect to the port 443. There was a bug in 6.1, where it reported that, even if https was turned off.
It's certainly time to move off 6.1 to 6.2. Many bugs have been long fixed.
# 6
Thanks Jay, I'll try out your suggestions next Monday and post back.
# 7
Well, no joy.
This is the status of my SSL-related parameters now:
nsserversecurity=on
service.http.enablesslport=yes
service.http.sslusessl=yes
service.http.sslport=443
service.http.sslsourceurl=
encryption.rsa.nssslactivation=on
encryption.rsa.nsssltoken=internal
encryption.rsa.nssslpersonalityssl=securecomms
encryption.nsssl3ciphers=rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha
encryption.nscertfile=
encryption.nskeyfile=
local.ssldbpath=/opt/SUNWmsgsr/config/alias
local.ssldbprefix=
I have cert8.db, key3.db and secmod.db in directory /opt/SUNWmsgsr/config/alias.
Finally, this is an extract from the http log using tail:
[09/Oct/2006:16:30:16 +0200] aemilianus httpd[23043]: General Warning: Sun Java(tm) System Messaging Server mshttpd 6.2-3.04 (built Jul 15 2005) shutting down
[09/Oct/2006:16:30:47 +0200] aemilianus httpd[23179]: General Warning: mscertd_initialize: configuration has SMIME disabled
[09/Oct/2006:16:30:47 +0200] aemilianus httpd[23179]: General Warning: Sun Java(tm) System Messaging Server mshttpd 6.2-3.04 (built Jul 15 2005) starting up
[09/Oct/2006:16:35:00 +0200] aemilianus httpd[23179]: Account Notice: close [127.0.0.1:38708] [unauthenticated] 2006/10/9 16:35:00 0:00:00 17 217 0
Any idea why I still can't get HTTP over SSL working?
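Jay's checklist in post #3 (password file, database file names, nickname case) and the parameter state shown above can be turned into an offline pre-flight check. This is an added example, not code from the thread or from Sun: it assumes you have saved the configutil parameters as key=value lines in one file and a `certutil -L` listing in another, and it accepts both spellings of the personality key that appear in this thread; `make_sample` writes a constructed fixture with deliberate faults so the checker can be exercised without a server.

```shell
#!/bin/sh
# Offline pre-flight check for the mshttpd SSL setup discussed in this thread. Inputs: a
# key=value dump of the configutil parameters (post #7 format), a saved "certutil -L"
# listing, and the config directory holding alias/ and sslpassword.conf. Returns problem count.
cfg_get() { # cfg_get FILE KEY -> value of KEY (empty if unset); accepts "key=v" or "key : v"
    sed -n "s/^$2[[:space:]]*[:=][[:space:]]*//p" "$1" | head -n 1
}

check_msg_ssl() {
    cfg=$1; certlist=$2; confdir=$3; problems=0
    for kv in service.http.sslusessl=yes service.http.enablesslport=yes \
              encryption.rsa.nssslactivation=on nsserversecurity=on; do
        key=${kv%=*}; want=${kv#*=}
        [ "$(cfg_get "$cfg" "$key")" = "$want" ] ||
            { echo "$key is not '$want'"; problems=$((problems + 1)); }
    done
    # Personality: the thread shows both spellings of this key, so accept either.
    nick=$(cfg_get "$cfg" encryption.rsa.nssslpersonalityssl)
    [ -n "$nick" ] || nick=$(cfg_get "$cfg" encryption.rsa.nssslpersonality)
    if [ -z "$nick" ]; then
        echo "no SSL personality (certificate nickname) configured"; problems=$((problems + 1))
    elif ! grep -q "^$nick[[:space:]]" "$certlist"; then   # nickname assumed regex-safe
        if grep -qi "^$nick[[:space:]]" "$certlist"; then
            echo "nickname '$nick' differs only in case from the certificate in the database"
        else
            echo "nickname '$nick' not found in certutil -L listing"
        fi
        problems=$((problems + 1))
    fi
    # NSS databases: prefix + cert8.db/key3.db/secmod.db must all sit in ssldbpath
    # (assumed to default to the server's own config/alias when ssldbpath is empty).
    dbpath=$(cfg_get "$cfg" local.ssldbpath); prefix=$(cfg_get "$cfg" local.ssldbprefix)
    [ -n "$dbpath" ] || dbpath=$confdir/alias
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dbpath/$prefix$f" ] || { echo "missing $dbpath/$prefix$f"; problems=$((problems + 1)); }
    done
    [ -f "$confdir/sslpassword.conf" ] ||
        { echo "missing $confdir/sslpassword.conf"; problems=$((problems + 1)); }
    return $problems
}

make_sample() { # constructed fixture under $1: wrong nickname case, no secmod.db, no password file
    mkdir -p "$1/alias"; printf '%s\n' nsserversecurity=on service.http.enablesslport=yes \
        service.http.sslusessl=yes encryption.rsa.nssslactivation=on \
        encryption.rsa.nssslpersonalityssl=securecomms local.ssldbpath= \
        local.ssldbprefix=msg-config- > "$1/msg.conf"
    printf 'Certificate Nickname   Trust Attributes\n\nSecureComms   u,u,u\n' > "$1/certs.txt"
    : > "$1/alias/msg-config-cert8.db"; : > "$1/alias/msg-config-key3.db"
}
```

The -8177 that appears later in this thread is NSS SEC_ERROR_BAD_PASSWORD, which no offline check can catch: a wrong sslpassword.conf only surfaces when mshttpd actually opens the key database.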
# 8
I forgot to add that the tail extract from the http log coincides with the commands stop-msg http and start-msg http.
# 9
You've got me. I know 6.2 certainly works for SSL on all the proper ports. I don't see any error messages. You might want to contact Tech Support.
# 10
Well I might just do so ... but I've just had a breakthrough.
I followed your great post in: http://swforum.sun.com/jive/thread.jspa?threadID=58178&messageID=223792
Basically, I've set up a soft link in /opt/SUNWmsgsr/config to the msg-config-*.db files in /var/mps/serverroot/alias and now each time I stop-msg http + start-msg http, I get the eye-opening message:
[09/Oct/2006:18:04:49 +0200] aemilianus httpd[24032]: General Error: SSL initialization error: ASockSSL_Init: couldn't find private key for cert securecomms (-8177)
So apart from the mis-configuration which I had before following that post, I also seem to have forgotten the password, which I should remedy soon. More info as soon as a colleague sends me that password...
# 11
....I should have added that I also set up a soft link to secmod.db under /var/mps/serverroot/alias.
# 12
You may find that the softlink doesn't in fact work, even though the documentation suggests it should.
# 13
JOY! Changed the password and netstat -an|grep 443 now shows that it's listening. And finally, I can open a secure http connection!
Thanks for your help Jay - the post you made in a separate thread put me back on track. Sun's documentation is poor in this respect; anything like the steps you wrote in that thread would have spared me a lot of mining.
# 14
Glad you found it!
jay