Re: DCM Key Database file error ZSRV_MSG09B5 after instance restart

I see the following when I try to start an Apache instance on the IBM i
HTTP server:

[Fri Oct 01 07:16:48.576264 2021] [mpm_worker:notice] [pid 846:tid
00000109] ZSRV_MSG0385: Apache/2.4.34 (IBM i) configured -- resuming
normal operations.
[Fri Oct 01 07:16:48.818632 2021] [zend_enabler:notice] [pid 849:tid
00000019] Using [Zend Enabler module, Version 1.3.1] from [Zend
Technologies Ltd.]
[Fri Oct 01 07:16:48.928128 2021] [ibm_ssl:error] [pid 849:tid 00000019]
ZSRV_MSG09B5: The default key has an expired certificate or the password
of key database file has expired, error = 107.
[Fri Oct 01 07:17:49.636512 2021] [mpm_worker:notice] [pid 846:tid
00000109] ZSRV_MSG0387: SIGTERM received. Shutting down.

Up until yesterday, the websites that had certificates behind this
reverse proxy instance were running fine. But the certificates on the
websites were up for renewal so I renewed them, imported them into DCM
and restarted the instance. Since that point forward, the instance will
not continue to run. It will start fine, and run until one of the
websites with a certificate is accessed. Then the instance dies with
the error above.

I ran into this once before and I happened to have Thomas Haze, the
IBM'er who worked on the new DCM, sitting next to me at a Common
conference. We did a few things, which I cannot remember, but I thought
I had fixed it by changing the certificate store password and restarting
the HTTP server. Apparently, that was NOT the fix, even though I had
flagged it as such on this forum.

Researching this last night and this morning, I am not seeing a clear
identification of what the problem actually is. The message about the
"default key" with an expired certificate or password, doesn't point
specifically to where that "default key" is found. Obviously the
certificate store password isn't the issue because it is easily changed
and I have changed it a couple of times AND restarted the HTTP server.
I read a couple of articles about a "default certificate" setting and I
do see a message about a default when I manage certificates in the
*SYSTEM store:

View Certificate

Certificate type: Server or client
Certificate store: *SYSTEM
Default certificate label: *No default certificate found in certificate *

I am not sure if the "No default certificate" is something to be
concerned about. There a few articles I reviewed:


mcpressonline.com/it-infrastructure-other/general/locking-up-the-as400-http-server


https://www.ibm.com/docs/en/i/7.4?topic=dcm-troubleshooting-certificate-store-key-database-problems

https://www.ibm.com/support/pages/updating-expired-key-database-password

Neither seemed to address the issue. I also found a few other articles
but they seem not to be related to IBMi although they do reference the
IBM HTTP server. My gut tells me the issue is similar to the keystore
issues that can sometimes occur with other servers that issue CSR's but
I am a bit lost on sorting out the issue on IBM i. I wish I could
remember how I fixed it before.

Any ideas here? It was crickets last time but hopefully someone has
bumped into this since I posted the similar issue 2 years ago. On V7R4
FWIW.

--
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
Twitter - Sys_i_Geek IBM_i_Geek
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.