I installed my CA on my Domino Server 6.01 without any problems, everything went fine, until suddenly and unexpectedly my self-provided SSL keyring seems to be corrupt…
When the http-Task starts with enabled SSL-Port the console message is:
HTTP Server: SSL handshake failure, IP address [MY IP-ADDRESS], Keyring [Serverkeyfile.kyr], [SSL Error: Keyring file not found], code [4164]
Whenever someone wants to use SSL from a browser the console-message is:
The KeyRing filename is correct and the .STH file is in the same location as the keyring.
I changed absolutely nothing that could have anything to do with my SSL configuration. I get this message on every start of the http-task. Even loading the CA task didn't solve the problem…
Does anyone have an idea what might have happened!?! How can I fix this? Do I have to install a new keyring?!
I am getting the same - the keyfile.kyr file permissions keep getting changed and thus the solution to copy-in the file(s) before starting the server fixes it.
I have a test server running on XP Pro and once the server starts, the permissions for SYSTEM (running the service) are removed from the .kyr file.
I keep restoring the permissions and tried to stop SYSTEM being able to change permissions and not take ownership but to no avail.
We had the exact same problem on our Windows 2000 server. This server was rebuilt, and placed in the DMZ. Before starting the Domino server for the first time, we copied over the system files like names.nsf, notes.ini, etc., along with the .kyr files.
The files were copied over using an FTP program. I believe that’s what caused the .kyr files to have the wrong permission on them. Get a fresh copy of the .kyr files, delete the old ones and replace them. Right-click, and put “Everyone” in the permission list with full rights for the two .kyr files.
Subject: Domino 6.0.2 CF2 insists on changing permissions on selfcert.kyr for SSL
I had problems with a Domino 6.0.2 CF2 on my laptop. I use it for development, serving up large databases (like this forum). The server code is much faster and more stable. Run it as a service, so it runs as SYSTEM.
What really annoys me though is that unless I give SYSTEM full access, it will not use selfcert.kyr. And when I give it full access, it insists on removing all access but for the owner.
Solution: make the Administrators group owner of selfcert.kyr, and add SYSTEM to the Administrators group.
Another option would be to create a special user to run the service, and assign ownership of selfcert.kyr to that user. This has the added (dis)advantage of not showing the Domino console. Whatever suits your preference.
Could y’all give feedback how this has helped you?
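A diagnostic for the permission problem discussed in this thread, added here as an example and not code from any of the posters: it reports the owner of a keyring (.kyr) and stash (.sth) file, whether the service account has a direct read ACE, and whether broad groups such as Everyone can read the private key material. The function name `Test-KeyringAcl`, the default service account, the English principal names and the temp demo files are assumptions.

```powershell
# Added example: report owner and ACL problems for a keyring (.kyr) and stash (.sth) file.
# $ServiceAccount is an assumption; set it to the account the Domino service runs as.
function Test-KeyringAcl {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Path,
        [string] $ServiceAccount = 'NT AUTHORITY\SYSTEM'
    )
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    # English principal names; localized Windows installs use other names (assumption).
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Owner = $null; ServiceCanRead = $false
                               BroadAccess = ''; Status = 'file missing' }
            continue
        }
        $acl   = Get-Acl -LiteralPath $p
        $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
        # Direct ACEs only: access granted through group membership is not resolved here.
        $svcRead = @($allow | Where-Object {
            $_.IdentityReference.Value -eq $ServiceAccount -and
            ($_.FileSystemRights -band $read) -eq $read
        }).Count -gt 0
        $wide = @($allow | Where-Object { $broad -contains $_.IdentityReference.Value } |
                  ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        $status = 'ok'
        if ($wide.Count -gt 0) { $status = 'readable by broad groups' }
        if (-not $svcRead)     { $status = 'service account has no direct read ACE' }
        [pscustomobject]@{
            Path = $p; Owner = $acl.Owner; ServiceCanRead = $svcRead
            BroadAccess = ($wide -join ', '); Status = $status
        }
    }
}

# Constructed demo: two temp files stand in for the real keyring and stash file.
$dir = Join-Path $env:TEMP ('kyr-acl-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$kyr = Join-Path $dir 'demo.kyr'
$sth = Join-Path $dir 'demo.sth'
Set-Content -LiteralPath $kyr, $sth -Value 'placeholder'
Test-KeyringAcl -Path $kyr, $sth, (Join-Path $dir 'absent.kyr') | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```

Running it before and after the server starts shows whether the ACL or owner changed between the two points, which is the behaviour several posters describe.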