Notes Crash running KYRTool 1.01

hcl-bot · August 13, 2015, 9:18am

It’s time to update an expiring SSL certificate, and I’m following instruction here → http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool

My first issue was in step 6a - Concatenating the key file and certificates into one file - I received a KYRTOOL error - SECIssUpdateKeyringPrivateKey returned error 0x0720 - Syntax error in OID. Having run into this before, I went on to 6b to import each separately.

Step 7, examine the resulting Keyring file, shows the keys OK, then appears to show the certs OK, but then crashes my notes client!

C:\Program Files (x86)\IBM\Notes>kyrtool =notes.ini show certs -k “D:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.kyr”

Using keyring path ‘D:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.kyr’

Certificate #0

Subject: CN=www.xxxxxxxx.com/O=xxxxxxxx Corporation/L=xxxxxxxx/ST=xxxxxxxx/C=US/POST=xxxxxxxx/XX=xxxxxxxx/SerialNumber=xxxxxxxx/XX=xxxxxxxx/XX=US/XX=Private Organization
Issuer: CN=DigiCert SHA2 Extended Validation Server CA/OU=www.digicert.com/O=DigiCert Inc/C=US
Not Before: 08/11/2015 20:00:00
Not After: 11/09/2017 07:00:00
Key length: 4096 bits

[1A3C:0002-1F7C] Thread=[1A3C:0002-1F7C]
[1A3C:0002-1F7C] Stack base=0x0042DEC0, Stack size = 9468 bytes
[1A3C:0002-1F7C] PANIC: LookupHandle: handle out of range

C:\Program Files (x86)\IBM\Notes>

I’m using Notes 9.0.1FP3 client with KYRTool 1.01 from April 2015.

Any ideas?

hcl-bot · August 13, 2015, 11:41am

Subject: No crash for me on 9.0.1 FP4 and same version of kyrtool

I don’t have your data, so I can’t test to see if it’s a data problem, but given the OID error, there’s a decent chance that’s related. I’d focus on determining why the certificate is bad.

hcl-bot · August 13, 2015, 1:50pm

Subject: No issues doing this on 9.0.1 FP2

I just renewed our SSL cert last week using the same version of KYRTool without issues. I also used the concatenating process described in 6a Option 1.

Take a look at this page:

XPages and more: Notes 9.0.1 FP3 IF3 - TLS 1.2 http://xpagesandmore.blogspot.com/2015/03/notes-901-fp3-if3-tls-12.html

Search the page for “OID” and you’ll see an SPR that was addressed by Notes 9.0.1 Fix Pack 3 Interim Fix 3 that states:

“…kyrtool import all sometimes reports “SECIssUpdateKeyringPrivateKey returned error 0x0720”, “AVA separator not found” or “Syntax error in OID” when a ‘/’ is in a certificate name part”.

So, if that applies to your situation, maybe update to FP3 IF3 or higher (FP4 is available as Chad Scott notes in his post) and see if it fixes the issue.

hcl-bot · August 13, 2015, 3:43pm

Subject: Installed IF3 for FP3 and it appears to have solved both issues!

Thanks, Mark , for the tip!

Installed IF3 for FP3 and it appears to have solved both the 0x0720 as well as the subsequent crash!

We’ll see what happens tonight when I try to use the new certificate!

Thanks, Graham, for the tip re: SPR DKEN9RVQGD being resolved in Notes 9.0.1 FP3 IF3!!