Certmgr Error - Your public key does not match the one stored in the Address Book

I do get this error. Does anybody have an idea?
I did check the public key. It's correct.

Thanks
Paul

-----

load certmgr -c -ACCEPT_TOU

Your public key does not match the one stored in the Address Book

21.03.2023 15:58:23 CertMgr: Fatal: Cannot run CertMgr server, because server.id private key does not match public key in server document! : Your public key does not match the one stored in the Address Book
21.03.2023 15:58:23 CertMgr: Terminating CertMgr to avoid CertMgr operations to fail. Correct the server document and restart CertMgr.
21.03.2023 15:58:23 CertMgr: Shutdown

How did you check the public key on server.id?

You need to copy the server.id from your server to a place where you can access it with your admin client. Don't use a saved server.id from anywhere else: It might not be the one used at the moment...

Then use the admin client to copy the public key from that ID and compare it to the one in the server document. Do they really match?

Thanks for your quick reply. And yes - they match. 100%.
To be sure I did copy the public key already.

Paul, I do see the same error when the public doesn't match as below.

I did correct the public key in the server document, followed by issuing the below server command. I can see I am able to issue the TOU certmgr command.

Load updall -t ($Servers) names.nsf -R

Thank you.

Regards

Shrikant J

Recently a similar issue was seen with another customer where the public key of the server ID was indeed matching the server document; however, the certstore was still showing the error.

After investigation it was found that one of the person documents in the directory had the server name in the user name field.

Example: the server name in the user name field of one of the person documents.

If this is not the case with you, then you can check the hidden views "$Users, $Certifiers and $Servers" in the NAB to see if you find a hit for the CN=servername/O=Orgname name that is failing.

If it appears in the $Users or $Certifiers view, please check how the server entry exists in this view.

To understand where it is trying to lookup you can quickly enable the name lookup debug on the Domino server.

Steps:

1) Enable the below name lookup debug

Set config Debug_Namelookup=1

2) Issue the certmgr command

load certmgr -c -ACCEPT_TOU

3) Stop the name lookup debug after the error is produced.

Set config Debug_Namelookup=0

Verify the logs to know where the lookups are being done for the server name.

Thank you

Regards

Shrikant J

Hello @Paul Maechler

In addition to the update shared by Shrikant, kindly check the below steps also and see if they help.

Open the server address book (Domino Directory) and

hold down the Ctrl+Shift keys and click on View - Go To.

Kindly select the $Users view and check for the mentioned Server document entry, and whether there are any duplicate entries.

We would need to remove the duplicate entry if found.

Requesting you to kindly take a backup of the Domino Directory before deleting any information.

Regards,

Pramod
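
As an added example (not code from the thread or from HCL), the following script automates the check Shrikant and Pramod describe above: look up the failing server's hierarchical name across the hidden $Servers, $Users and $Certifiers views and flag any non-Server document carrying it, any duplicate entries, or a missing Server document. It assumes you have exported the three hidden views to a CSV with view, form and name columns (the column names and the export step are this example's assumption; the sample rows below are constructed, not real directory data). It also normalizes canonical Notes names (CN=X/OU=Y/O=Z) to abbreviated form so that both spellings compare equal.

```python
"""Check where a Domino server name turns up in the hidden directory views.

Added example for the thread above; not HCL code. Input is an assumed CSV
export of the $Servers, $Users and $Certifiers views with columns
view,form,name. The sample below is constructed for illustration only.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. The second $Users row is the failure mode the
# thread describes: a Person document whose user name is the server name.
SAMPLE_EXPORT = """view,form,name
$Servers,Server,CN=Mail01/O=Acme
$Users,Person,CN=Jane Doe/O=Acme
$Users,Person,Mail01/Acme
$Users,Server,CN=Mail01/O=Acme
$Certifiers,Certifier,O=Acme
"""

NAME_LABELS = {"CN", "OU", "O", "C"}


def abbreviate(name):
    """Turn a canonical Notes name (CN=X/OU=Y/O=Z) into abbreviated form (X/Y/Z).

    Names that are already abbreviated pass through unchanged, so the two
    spellings of the same server compare equal after this step.
    """
    parts = []
    for comp in name.strip().split("/"):
        label, sep, value = comp.partition("=")
        if sep and label.strip().upper() in NAME_LABELS:
            comp = value
        parts.append(comp.strip())
    return "/".join(parts)


def index_views(export_text):
    """Map each normalized name to the list of (view, form) pairs it appears in."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        key = abbreviate(row["name"]).lower()
        hits[key].append((row["view"].strip(), row["form"].strip()))
    return hits


def check_server_name(export_text, server_name):
    """Return a list of findings for server_name; an empty list means it looks clean.

    Flags: a non-Server document (e.g. Person) carrying the server name,
    more than one entry for the name within a single view, and no entry at
    all in $Servers.
    """
    key = abbreviate(server_name).lower()
    hits = index_views(export_text).get(key, [])
    findings = []
    per_view = defaultdict(list)
    for view, form in hits:
        per_view[view].append(form)
        if form != "Server":
            findings.append(f"{view}: {form} document carries the server name")
    for view, forms in per_view.items():
        if len(forms) > 1:
            findings.append(f"{view}: {len(forms)} entries for the server name")
    if "$Servers" not in per_view:
        findings.append("$Servers: no entry for the server name")
    return findings


if __name__ == "__main__":
    for finding in check_server_name(SAMPLE_EXPORT, "CN=Mail01/O=Acme"):
        print(finding)
```

Run it against your own export and the failing server's canonical name; every finding names the view to open with Ctrl+Shift View - Go To. Take a backup of names.nsf before deleting any document it points you to.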

Hi there, same problem here (HCL Release 12.0.2FP1, Linux).

All seems fine. I did a restore of the ID and the names from the backup test, negative.

Did it with a copy of the admin server names nsf, negative.

5/01/2023 08:05:30 PM Error updating local ID file: The public keys specified in the Name Change Request do not match those specified in the new certificate (Strange, I did nothing?)

05/01/2023 08:05:33 PM CertMgr: Fatal: Cannot run CertMgr server, because server.id private key does not match public key in server document!
: Your public key does not match the one stored in the Address Book
05/01/2023 08:05:33 PM CertMgr: Terminating CertMgr to avoid CertMgr operations to fail. Correct the server document and restart CertMgr.
05/01/2023 08:05:33 PM CertMgr: Shutdown

Any suggestions are welcome.

Regards,

John

Sorry here the rest,

> load certmgr -importkyr key.kyr | all
05/01/2023 08:21:06 PM CertMgr: Fatal: Cannot run CertMgr server, because server.id private key does not match public key in server document!
: Your public key does not match the one stored in the Address Book
05/01/2023 08:21:06 PM CertMgr: Terminating CertMgr to avoid CertMgr operations to fail. Correct the server document and restart CertMgr.
05/01/2023 08:21:06 PM CertMgr: Shutdown

> load certmgr -c -ACCEPT_TOU
05/01/2023 08:22:33 PM Remote console command issued by John Willemse/BADKEY/NL: load certmgr -c -ACCEPT_TOU
05/01/2023 08:22:33 PM CertMgr: Fatal: Cannot run CertMgr server, because server.id private key does not match public key in server document!
: Your public key does not match the one stored in the Address Book
05/01/2023 08:22:33 PM CertMgr: Terminating CertMgr to avoid CertMgr operations to fail. Correct the server document and restart CertMgr.
05/01/2023 08:22:33 PM CertMgr: Shutdown

Regards John

There are below things to check for this issue.

1) Check that the public key in the server ID file indeed matches the one stored in the server document public key in the Domino Directory.

2) Check whether any person document in the directory has the server name in the user name field. Example as below: one of the person documents contains the server name under the "User Name" field.

3) You can check the hidden views "$Users, $Certifiers and $Servers" in the Domino Directory to know if you find a hit for CN=servername/O=Orgname name that is failing.

If it appears in $Users or $Certifiers view please check how the server entry exist in this view.

Thank you

Regards

Shrikant J

Dear Shrikant,

Thanks for the fast response. Wow, we're getting there. I followed all the steps; see below.

Almost 100% up and running again after the update to HCL 12

Still I have some issues in the log:

1) 05/02/2023 07:00:20 AM CertStore: http: Cannot find TLS Credential for [selfcert.kyr] (RSA: 1, ECDSA: 1) : Entry not found in index
05/02/2023 07:00:20 AM HTTP Server: SSL Error: Keyring file not found, key ring file [selfcert.kyr], [Default Server]

- I know in the past I had a self-signed cert created in the OTAP environment; it must be a leftover. How can I get rid of it?

2) I do not like to see 'less secure mode' in log files. How do I adjust this?

05/02/2023 07:12:31.19 AM [114244:000002-00007F8E90D92500] CSRF Init: iNotes_WA_Security_ReturnUrlCheck> c_CSRFReturnUrlCheck: 1
iNotes Init: Credential Store Configuration not enabled, less secure mode.

3) The actions I'm taken here are the upgrade to Domino 12 and after that get a certificate for the web cluster via Let's Encrypt.

Thanks already for the support !

Restart after restored public key in the server document,
05/02/2023 06:55:09 AM The recovery information was not accepted because it is the same or older than your current recovery information
05/02/2023 06:55:09 AM Creation date of recovery info in ID file is 04/12/2003 09:31:40 AM

load certmgr -c -ACCEPT_TOU
05/02/2023 07:00:05 AM Remote console command issued by John Willemse/BADKEY/NL: load certmgr -c -ACCEPT_TOU
05/02/2023 07:00:10 AM CertMgr: Restarting HTTP Task to update configuration
05/02/2023 07:00:11 AM Pushing names.nsf to NLDBSNRK99/BADKEY/NL names.nsf
05/02/2023 07:00:14 AM Directory Assistance is updating server info in internal tables (Server records in primary directory have changed)
05/02/2023 07:00:17 AM XSP Command Manager terminated
05/02/2023 07:00:18 AM INFO: The maximum number of file handles (80000) allowed for Domino is sufficient.
05/02/2023 07:00:20 AM HTTP Server: Shutdown
05/02/2023 07:00:20 AM CertStore: http: Cannot find TLS Credential for [selfcert.kyr] (RSA: 1, ECDSA: 1) : Entry not found in index
05/02/2023 07:00:20 AM HTTP Server: SSL Error: Keyring file not found, key ring file [selfcert.kyr], [Default Server]
05/02/2023 07:00:20 AM HTTP Server: Using Web Configuration View
05/02/2023 07:00:22 AM CertMgr: Servertask already running
05/02/2023 07:00:22 AM CertMgr: Shutdown
05/02/2023 07:00:25 AM JVM: Java Virtual Machine initialized.
05/02/2023 07:00:25 AM HTTP Server: Java Virtual Machine loaded
05/02/2023 07:00:25.51 AM [114102:000002-00007F2CF9155500] CSRF Init: iNotes_WA_Security_ReturnUrlCheck> c_CSRFReturnUrlCheck: 1
05/02/2023 07:00:25 AM HTTP Server: ACME HTTP-01 Extension loaded - CertMgr Server: [NLDBSNRK99/BADKEY/NL]
iNotes Init: Credential Store Configuration not enabled, less secure mode.

05/02/2023 07:09:45 AM Remote console command issued by John Willemse/BADKEY/NL: tell http q
05/02/2023 07:09:46 AM XSP Command Manager terminated
05/02/2023 07:09:48 AM HTTP Server: Shutdown
05/02/2023 07:09:48 AM TLSCache-http: TLS Credential Cache terminated

on NLDBSNRK08/BADKEY/NL
05/02/2023 07:12:26 AM Remote console command issued by John Willemse/BADKEY/NL: l http
05/02/2023 07:12:27 AM CertStore: http: Cannot find TLS Credential for [selfcert.kyr] (RSA: 1, ECDSA: 1) : Entry not found in index
05/02/2023 07:12:27 AM HTTP Server: SSL Error: Keyring file not found, key ring file [selfcert.kyr], [Default Server]
05/02/2023 07:12:27 AM HTTP Server: Using Web Configuration View
05/02/2023 07:12:31 AM JVM: Java Virtual Machine initialized.
05/02/2023 07:12:31 AM HTTP Server: Java Virtual Machine loaded
05/02/2023 07:12:31 AM HTTP Server: ACME HTTP-01 Extension loaded - CertMgr Server: [NLDBSNRK99/BADKEY/NL]
05/02/2023 07:12:31.19 AM [114244:000002-00007F8E90D92500] CSRF Init: iNotes_WA_Security_ReturnUrlCheck> c_CSRFReturnUrlCheck: 1
iNotes Init: Credential Store Configuration not enabled, less secure mode.
05/02/2023 07:12:50 AM XSP Command Manager initialized
05/02/2023 07:12:50 AM HTTP Server: Started

Regards,

John

Hi there !

My problem was solved by Daniel Nashed himself. I had a wrong value for the Mailserver in names.nsf in "Server Location Information" section.
For whatever reason.... (see bottom right).

Fixing that did the trick.

Cheers
Paul

Nice !! and thanks Daniel.

Mine is also already solved. I had an old public key in the Domino server ID. Pff.

Still some minor (I hope) messages in the logfile.

About a self signed cert and iNotes Init: Credential Store Configuration not enabled, less secure mode and The Keyring file not found, key ring file [selfcert.kyr].

Regards, John

Paul's final post is commonly the issue. This happens if you do a server move using the method of starting the server with a temp ID file and later swapping it with the original server.