FORUM PLAN UPDATE
Date revision: This forum will remain open to new posts and responses until December 1, 2018. (After that date, you will still be able to view and search the forum.) Also, we're taking a second look at the best place to host future conversation. For now, keep using this forum, and stay tuned for more news.


Aug 13, 2015, 10:18 AM
324 Posts

Notes Crash running KYRTool 1.01

  • Category: Security
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags:
  • Replies: 3

It's time to update an expiring SSL certificate, and I'm following the instructions here -> http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool

My first issue was in step 6a - Concatenating the key file and certificates into one file - I received a KYRTOOL error - SECIssUpdateKeyringPrivateKey returned error 0x0720 - Syntax error in OID. Having run into this before, I went on to 6b to import each separately.

Step 7, examine the resulting Keyring file, shows the keys OK, then appears to show the certs OK, but then crashes my Notes client!

C:\Program Files (x86)\IBM\Notes>kyrtool =notes.ini show certs -k "D:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.kyr"

Using keyring path 'D:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.kyr'


Certificate #0

Subject:        CN=www.xxxxxxxx.com/O=xxxxxxxx Corporation/L=xxxxxxxx/ST=xxxxxxxx/C=US/POST=xxxxxxxx/XX=xxxxxxxx/SerialNumber=xxxxxxxx/XX=xxxxxxxx/XX=US/XX=Private Organization
Issuer:         CN=DigiCert SHA2 Extended Validation Server CA/OU=www.digicert.com/O=DigiCert Inc/C=US
Not Before:     08/11/2015 20:00:00
Not After:      11/09/2017 07:00:00
Key length:     4096 bits


[1A3C:0002-1F7C]  Thread=[1A3C:0002-1F7C]
[1A3C:0002-1F7C] Stack base=0x0042DEC0, Stack size = 9468 bytes
[1A3C:0002-1F7C] PANIC: LookupHandle: handle out of range

C:\Program Files (x86)\IBM\Notes>

I'm using Notes 9.0.1FP3 client with KYRTool 1.01 from April 2015.

Any ideas?

Aug 13, 2015, 12:41 PM
191 Posts
No crash for me on 9.0.1 FP4 and same version of kyrtool

I don't have your data, so I can't test to see if it's a data problem, but given the OID error, there's a decent chance that's related. I'd focus on determining why the certificate is bad.

Aug 13, 2015, 2:50 PM
57 Posts
No issues doing this on 9.0.1 FP2

I just renewed our SSL cert last week using the same version of KYRTool without issues. I also used the concatenating process described in 6a Option 1.

Take a look at this page:

http://xpagesandmore.blogspot.com/2015/03/notes-901-fp3-if3-tls-12.html

Search the page for "OID" and you'll see an SPR that was addressed by Notes 9.0.1 Fix Pack 3 Interim Fix 3 that states:

"...kyrtool import all sometimes reports "SECIssUpdateKeyringPrivateKey returned error 0x0720", "AVA separator not found" or "Syntax error in OID" when a '/' is in a certificate name part".

So, if that applies to your situation, maybe update to FP3 IF3 or higher (FP4 is available as Chad Scott notes in his post) and see if it fixes the issue.
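
A pre-import check for the condition named in the SPR quoted above ('/' in a certificate name part), as an added example that is not part of the original thread. It reads the lines printed by `openssl x509 -noout -subject -issuer -nameopt RFC2253` and lists every name part whose value contains '/'; the function names and the sample DNs are constructed for illustration.

```python
import re

def split_unescaped(text, sep):
    """Split text on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])   # keep the escape pair together
            i += 2
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    parts.append("".join(cur))
    return parts

def slash_name_parts(dn_line):
    """Return [(attribute, value)] for name parts whose value contains '/'."""
    # Drop the "subject=" / "issuer=" label that openssl prints.
    dn = re.sub(r"^(subject|issuer)\s*=\s*", "", dn_line.strip())
    hits = []
    for rdn in split_unescaped(dn, ","):        # RDNs are comma separated
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDNs use '+'
            attr, _, value = ava.partition("=")
            if "/" in value:
                hits.append((attr.strip(), value))
    return hits

# Constructed sample lines in RFC2253 form (not taken from the thread).
SAMPLE_SUBJECT = "subject=CN=www.example.com,OU=Sales/Marketing,O=Example\\, Inc.,C=US"
SAMPLE_ISSUER = "issuer=CN=Example CA,O=Example Trust,C=US"

if __name__ == "__main__":
    for line in (SAMPLE_SUBJECT, SAMPLE_ISSUER):
        hits = slash_name_parts(line)
        label = line.split("=", 1)[0]
        if hits:
            for attr, value in hits:
                print(f"{label}: {attr} contains '/': {value}")
        else:
            print(f"{label}: no '/' in any name part")
```

A hit on the subject or on any issuer in the chain means the keyring import meets the condition the SPR describes.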

Aug 13, 2015, 4:43 PM
324 Posts
Installed IF3 for FP3 and it appears to have solved both issues!

Thanks, Mark, for the tip!

Installed IF3 for FP3 and it appears to have solved both the 0x0720 as well as the subsequent crash!

We'll see what happens tonight when I try to use the new certificate!

Thanks, Graham, for the tip re: SPR DKEN9RVQGD being resolved in Notes 9.0.1 FP3 IF3!!

