I see the following when I try to start an Apache instance on the IBM i HTTP server:

[Fri Oct 01 07:16:48.576264 2021] [mpm_worker:notice] [pid 846:tid 00000109] ZSRV_MSG0385: Apache/2.4.34 (IBM i) configured -- resuming normal operations.
[Fri Oct 01 07:16:48.818632 2021] [zend_enabler:notice] [pid 849:tid 00000019] Using [Zend Enabler module, Version 1.3.1] from [Zend Technologies Ltd.]
[Fri Oct 01 07:16:48.928128 2021] [ibm_ssl:error] [pid 849:tid 00000019] ZSRV_MSG09B5: The default key has an expired certificate or the password of key database file has expired, error = 107.
[Fri Oct 01 07:17:49.636512 2021] [mpm_worker:notice] [pid 846:tid 00000109] ZSRV_MSG0387: SIGTERM received. Shutting down.

Up until yesterday, the websites that had certificates behind this reverse proxy instance were running fine.  But the certificates on the websites were up for renewal so I renewed them, imported them into DCM and restarted the instance.  Since that point forward, the instance will not continue to run.  It will start fine, and run until one of the websites with a certificate is accessed.  Then the instance dies with the error above.

I ran into this once before and I happened to have Thomas Haze, the IBM'er who worked on the new DCM, sitting next to me at a Common conference.  We did a few things, which I cannot remember, but I thought I had fixed it by changing the certificate store password and restarting the HTTP server.  Apparently, that was NOT the fix, even though I had flagged it as such on this forum.

Researching this last night and this morning, I am not seeing a clear identification of what the problem actually is.  The message about the "default key" with an expired certificate or password, doesn't point specifically to where that "default key" is found. Obviously the certificate store password isn't the issue because it is easily changed and I have changed it a couple of times AND restarted the HTTP server.  I read a couple of articles about a "default certificate" setting and I do see a message about a default when I manage certificates in the *SYSTEM store:

View Certificate

Certificate type: Server or client
Certificate store: *SYSTEM
Default certificate label: *No default certificate found in certificate *

I am not sure if the "No default certificate" is something to be concerned about.  There a few articles I reviewed:

mcpressonline.com/it-infrastructure-other/general/locking-up-the-as400-http-server

https://www.ibm.com/docs/en/i/7.4?topic=dcm-troubleshooting-certificate-store-key-database-problems

https://www.ibm.com/support/pages/updating-expired-key-database-password

Neither seemed to address the issue.  I also found a few other articles but they seem not to be related to IBMi although they do reference the IBM HTTP server.  My gut tells me the issue is similar to the keystore issues that can sometimes occur with other servers that issue CSR's  but I am a bit lost on sorting out the issue on IBM i.  I wish I could remember how I fixed it before.

Any ideas here?  It was crickets last time but hopefully someone has bumped into this since I posted the similar issue 2 years ago.  On V7R4 FWIW.


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.