Symptoms

  1. Switching from OA to Billing does not work.
  2. The following error appears in the UI log (/var/log/pa/pui/pui.log):

    07:28:42.348 [default task-9] DEBUG c.p.p.c.e.b.billing_manager.BMHelper - loginToBM failure details:
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    

Cause

The certificate of the Billing Control Panel has expired:

    # openssl s_client -showcerts -connect 192.0.2.2:443
    CONNECTED(00000003)
    depth=0 C = US, L = Renton, OU = Billing, CN = VIDASP20, emailAddress = root@VIDASP20
    verify error:num=18:self signed certificate
    ...
        Start Time: 1518777915
        Timeout   : 300 (sec)
        Verify return code: 10 (certificate has expired)

where 192.0.2.2 is the IP address of the Billing UI.

Resolution

A new SSL certificate is required. Refer to the KB article for additional information about Billing SSL.

As a workaround, generate a self-signed certificate and replace the expired one:

    [root@billing ~]# openssl req -new -nodes -x509 -out odintestcrt.crt -newkey rsa:1024 -keyout odintestcrt.crt -days 3650
    Generating a 1024 bit RSA private key
    ..++++++
    ..++++++
    writing new private key to 'odintestcrt.crt'

    -----

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:

Then replace the expired certificate with the new one:

    [root@billing ~]# mv /usr/local/bm/etc/httpd/www.crt{,.backup}
    [root@billing ~]# cp odintestcrt.crt /usr/local/bm/etc/httpd/www.crt
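
A pre-install check for the replacement file, as an added example that is not part of the original article: it rejects a certificate that is expired or about to expire and flags RSA keys below an assumed 2048-bit minimum, which the 1024-bit key generated in the workaround above would trip. The function names, exit codes, `MIN_RSA_BITS` and the sample CN are assumptions made for this example.

```bash
# Added example: pre-install check for a PEM file (certificate, or key + certificate).
# Exit codes: 0 OK, 1 expired/expiring inside the window, 2 RSA key too small,
#             3 file is not a parsable certificate.
MIN_RSA_BITS=2048   # assumption: policy minimum, adjust locally

check_cert() {      # check_cert FILE [WINDOW_DAYS]
    local pem="$1"
    local window_days="${2:-30}"
    local text bits
    # Refuse anything openssl cannot parse as an X.509 certificate.
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || { echo "UNREADABLE"; return 3; }
    # -checkend N exits non-zero when notAfter is within the next N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend $((window_days * 86400)) >/dev/null; then
        echo "EXPIRING $(openssl x509 -in "$pem" -noout -enddate)"
        return 1
    fi
    # For RSA keys the text dump carries "Public-Key: (N bit)".
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        if [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
            echo "WEAK_KEY bits=$bits"
            return 2
        fi
    fi
    echo "OK bits=${bits:-n/a}"
}

# Constructed sample input: throwaway self-signed cert, key and cert in one file.
make_sample() {     # make_sample FILE RSA_BITS DAYS
    openssl req -new -nodes -x509 -newkey "rsa:$2" -days "$3" \
        -subj "/CN=billing.example.test" -keyout "$1" -out "$1" 2>/dev/null
}

# Demo on constructed certificates when the script is invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp/weak.pem" 1024 3650
    make_sample "$tmp/good.pem" 2048 3650
    check_cert "$tmp/weak.pem" || true     # WEAK_KEY bits=1024
    check_cert "$tmp/good.pem"             # OK bits=2048
    rm -rf "$tmp"
fi
```

Run `check_cert odintestcrt.crt` before the `cp` step and again on `/usr/local/bm/etc/httpd/www.crt` afterwards; a non-zero exit code means the file should not go into service as is.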
