10.8 Upgrade Issue

After upgrading OES 2015 SP1 or an older OES version to OES 2018 SP1 or later, the server option fails to list the OES server during tier creation in the CIS management console and displays the error “Certificate is not valid for any names, but tried to match with <host>”. This occurs because the eDirectory certificates in OES 2015 SP1 and older versions do not add the DNS name in the Subject Alternative Name (SAN).

Verify the Certificate

To view the certificate details, run the following command:

openssl x509 -in /etc/ssl/servercerts/servercert.pem -noout -text

The output:

X509v3 Subject Alternative Name:
IP Address:192.168.2.33, DNS:blr-2-33.example.com

If the Subject Alternative Name (SAN) value does not display the IP Address and DNS entries, you must repair the eDirectory certificate.
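
The same check can be scripted. The following is an added example, not part of the product documentation; the function names san_line, san_has and check_san are hypothetical, and the host name and IP address in the usage comment are the sample values shown above.

```shell
#!/bin/sh
# Check that a certificate's SAN carries both the expected DNS name and IP address.
# Input is the text printed by `openssl x509 -noout -text`, read on stdin.

# san_line: print the value line that follows the SAN extension header.
san_line() {
    awk '/X509v3 Subject Alternative Name/ {
             if ((getline) > 0) { sub(/^[ \t]+/, ""); print }
             exit
         }'
}

# san_has TYPE VALUE: read a SAN value line on stdin and succeed only if
# the exact entry "TYPE:VALUE" is present (host names compare case-insensitively).
san_has() {
    tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxqi "$1:$2"
}

# check_san HOST IP
# Returns 0 if both entries are present, 1 if the DNS entry is missing,
# 2 if the IP entry is missing, 3 if there is no SAN extension at all.
check_san() {
    host=$1
    ip=$2
    san=$(san_line)
    if [ -z "$san" ]; then
        echo "No SAN extension found: repair the certificate"
        return 3
    fi
    if ! printf '%s\n' "$san" | san_has "DNS" "$host"; then
        echo "SAN lacks DNS:$host: repair the certificate"
        return 1
    fi
    if ! printf '%s\n' "$san" | san_has "IP Address" "$ip"; then
        echo "SAN lacks IP Address:$ip: repair the certificate"
        return 2
    fi
    echo "SAN OK: $san"
}

# Usage on the server (certificate path from this section):
#   openssl x509 -in /etc/ssl/servercerts/servercert.pem -noout -text \
#       | check_san blr-2-33.example.com 192.168.2.33
```

A return code of 1 corresponds to the post-upgrade condition described in this section, where the certificate carries no DNS name in the SAN.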

To repair the eDirectory certificates on the upgraded CIS server:

  1. Log in to iManager as Admin.

  2. Go to Roles and Tasks > NetIQ Certificate Server > Repair Default Certificates.

  3. Select the server(s) that own the certificates and click Next.

  4. Choose the default certificate options and then click Next.

    1. Select Yes All Default Certificates will be overwritten.

    2. Select Create SSL CertificateIP and click the other option to specify the IP address you want to use.

    3. Under Default DNS Address, click the other option to specify the DNS address you want to use.

  5. Review the tasks to be performed and select Finish.

  6. Restart the eDirectory service.

  7. Restart the following services:

    CIS Agent: systemctl restart oes-cis-agent.service

    Scanner: systemctl restart oes-cis-scanner.service

    Recall Agent: systemctl restart oes-cis-recall-agent.service

For more information on repairing server certificates, see Micro Focus knowledge base article 7013080.