NetScaler GUI is not Accessible through HTTPS

Article ID: CTX138088

Description

The Graphical User Interface (GUI) of a NetScaler appliance is not accessible through HTTPS. An internal error appears when trying to install the ns-server cert-key pair.

The following excerpt is from the ns.log file. It shows that the NetScaler appliance does not recognize the ns-server certificate, which is the default certificate used to access the GUI of the appliance through HTTPS:

Apr 15 17:13:39 <local0.info> ns [368]: Command from ns.conf failed: add ssl certKey ns-server-certificate -cert ns-server.cert -fipsKey ns-server.key
Apr 15 17:14:15 <local0.info> ns nscli: nsnet_tcpipconnect: connect() failed; returned -1 errno=2 
Apr 15 17:14:32 <local0.info> ns nscli: nsnet_tcpipconnect: connect() failed; returned -1 errno=2 
Apr 15 17:14:50 <local0.info> ns nscli: nsnet_tcpipconnect: connect() failed; returned -1 errno=2
Apr 15 17:14:59 <local0.info> ns [368]: Command from ns.conf failed: bind ssl service nshttps-aaa.bbb.110.7-443 -certkeyName ns-server-certificate
Apr 15 17:14:59 <local0.info> ns [368]: Command from ns.conf failed: bind ssl service nsrpcs-aaa.bbb.110.7-3008 -certkeyName ns-server-certificate
Apr 15 17:15:00 <local0.info> ns [368]: Command from ns.conf failed: bind ssl service nshttps-::1l-443 -certkeyName ns-server-certificate
Apr 15 17:15:00 <local0.info> ns [368]: Command from ns.conf failed: bind ssl service nsrpcs-::1l-3008 -certkeyName ns-server-certificate
Apr 15 17:15:00 <local0.info> ns [368]: Command from ns.conf failed: bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName ns-server-certificate
Apr 15 17:15:00 <local0.info> ns [368]: Command from ns.conf failed: bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate
Apr 15 17:15:00 <local0.info> ns [368]: Command from ns.conf failed: bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName ns-server-certificate
Apr 15 17:15:00 <local0.crit> ns [368]: One or more commands in ns.conf failed
Apr 15 17:15:00 <local0.info> ns [368]: Finished executing commands in ns.conf
Apr 15 17:34:31 <local0.info> aaa.bbb.110.8 04/16/2013:00:34:31 GMT NETSCALER01A PPE-4 : UI CMD_EXECUTED 330 :  User nsroot - Remote_ip aaa.bbb.0.68 - Command "add ssl certKey ns-server-certificate -cert ns-server.cert -fipsKey ns-server.key -inform PEM "********" -expiryMonitor DISABLED -bundle NO" - Status "ERROR: Internal Error"
Apr 15 17:43:58 <local0.info> aaa.bbb.110.8 04/16/2013:00:43:58 GMT NETSCALER01A PPE-4 : UI CMD_EXECUTED 338 :  User nsroot - Remote_ip aaa.bbb.0.68 - Command "show ssl fipsKey" - Status "Success"

The following is an excerpt from the ns.log file after removing the FIPS key and reimporting it:

Apr 15 17:44:59 <local0.info> aaa.bbb.110.8 04/16/2013:00:44:59 GMT NETSCALER01A PPE-4 : UI CMD_EXECUTED 339 :  User nsroot - Remote_ip 1.1.1.1  - Command "rm ssl fipsKey ns-server.key" - Status "Success"
Apr 15 17:47:15 <local0.info> aaa.bbb.110.8 04/16/2013:00:47:15 GMT NETSCALER01A PPE-4 : UI CMD_EXECUTED 340 :  User nsroot - Remote_ip 1.1.1.1  - Command "import ssl fipsKey ns-server.key -key ns-server.key -inform PEM -exponent F4" - Status "Success"
Apr 15 17:47:27 <local0.info> aaa.bbb.110.8 04/16/2013:00:47:27 GMT NETSCALER01A PPE-4 : UI CMD_EXECUTED 341 :  User nsroot - Remote_ip 1.1.1.1 - Command "show ssl fipsKey" - Status "Success"
Apr 15 17:49:12 <local0.info> aaa.bbb.110.8 04/16/2013:00:49:12 GMT NETSCALER01A PPE-4 : UI CMD_EXECUTED 356 :  User nsroot - Remote_ip 1.1.1.1 - Command "add ssl certKey ns-server-certificate -cert ns-server.cert -fipsKey ns-server.key -inform PEM "********" -expiryMonitor DISABLED -bundle NO" - Status "Success"

Resolution

To resolve the issues, complete the following steps:

  1. Run the following commands to delete the existing FIPS key and reimport it:

    rm ssl fipsKey ns-server.key
    import ssl fipsKey ns-server.key -key ns-server.key -inform PEM -exponent F4
    add ssl certKey ns-server-certificate -cert ns-server.cert -fipsKey ns-server.key -inform PEM "********" -expiryMonitor DISABLED -bundle NO
  2. Run the following command to identify the internal services:

    show service -internal | grep SSL
  3. Run the following command to verify the status of each internal service:

    show service -internal -summary
  4. If the status of any service is not UP, run the following commands to bind the new ns-server certificate to the internal services:

    bind ssl service nshttps-aaa.bbb.110.7-443 -certkeyName ns-server-certificate
    bind ssl service nsrpcs-aaa.bbb.110.7-3008 -certkeyName ns-server-certificate
    bind ssl service nshttps-::1l-443 -certkeyName ns-server-certificate
    bind ssl service nsrpcs-::1l-3008 -certkeyName ns-server-certificate
    bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName ns-server-certificate
    bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate
    bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName ns-server-certificate

After the ns-server certificate is imported and the status of the internal services is UP, you should be able to access the NetScaler appliance through HTTPS.
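The following Python example is added here and is not part of the Citrix article. It reads ns.log text, lists the commands that failed during ns.conf replay, groups the internal services that lost their certificate binding (the ones step 4 rebinds), and reports audited commands whose latest logged status is still an error. The function names are hypothetical, and the line layout is assumed to match the excerpts above.

```python
import re

# Lines copied from this article's ns.log excerpts (addresses are masked there).
SAMPLE_LOG = '''\
Apr 15 17:13:39 <local0.info> ns [368]: Command from ns.conf failed: add ssl certKey ns-server-certificate -cert ns-server.cert -fipsKey ns-server.key
Apr 15 17:14:15 <local0.info> ns nscli: nsnet_tcpipconnect: connect() failed; returned -1 errno=2
Apr 15 17:14:59 <local0.info> ns [368]: Command from ns.conf failed: bind ssl service nshttps-aaa.bbb.110.7-443 -certkeyName ns-server-certificate
Apr 15 17:15:00 <local0.info> ns [368]: Command from ns.conf failed: bind ssl service nsrpcs-::1l-3008 -certkeyName ns-server-certificate
Apr 15 17:15:00 <local0.crit> ns [368]: One or more commands in ns.conf failed
Apr 15 17:34:31 <local0.info> aaa.bbb.110.8 04/16/2013:00:34:31 GMT NETSCALER01A PPE-4 : UI CMD_EXECUTED 330 :  User nsroot - Remote_ip aaa.bbb.0.68 - Command "add ssl certKey ns-server-certificate -cert ns-server.cert -fipsKey ns-server.key -inform PEM "********" -expiryMonitor DISABLED -bundle NO" - Status "ERROR: Internal Error"
Apr 15 17:43:58 <local0.info> aaa.bbb.110.8 04/16/2013:00:43:58 GMT NETSCALER01A PPE-4 : UI CMD_EXECUTED 338 :  User nsroot - Remote_ip aaa.bbb.0.68 - Command "show ssl fipsKey" - Status "Success"
'''
# The successful retry logged after the FIPS key was removed and reimported.
LATER_SUCCESS = 'Apr 15 17:49:12 <local0.info> aaa.bbb.110.8 04/16/2013:00:49:12 GMT NETSCALER01A PPE-4 : UI CMD_EXECUTED 356 :  User nsroot - Remote_ip 1.1.1.1 - Command "add ssl certKey ns-server-certificate -cert ns-server.cert -fipsKey ns-server.key -inform PEM "********" -expiryMonitor DISABLED -bundle NO" - Status "Success"\n'

BOOT_FAIL = re.compile(r"Command from ns\.conf failed: (.+?)\s*$")
BIND = re.compile(r"bind ssl service (\S+) -certkeyName (\S+)")
UI_CMD = re.compile(r'UI CMD_EXECUTED \d+ :\s+User (\S+) - Remote_ip (\S+)\s+'
                    r'- Command "(.*)" - Status "([^"]*)"')

def failed_boot_commands(log_text):
    """Commands rejected while ns.conf was replayed at startup, in log order."""
    return [m.group(1) for m in map(BOOT_FAIL.search, log_text.splitlines()) if m]

def unbound_services(commands):
    """Map certkey name -> internal services whose 'bind ssl service' failed."""
    out = {}
    for cmd in commands:
        m = BIND.fullmatch(cmd)
        if m:
            out.setdefault(m.group(2), []).append(m.group(1))
    return out

def unresolved_ui_errors(log_text):
    """Audited commands whose most recent logged status is not Success."""
    last = {}
    for line in log_text.splitlines():
        m = UI_CMD.search(line)
        if m:
            user, ip, cmd, status = m.groups()
            last[cmd] = (user, ip, status)  # a later entry supersedes an earlier one
    return {c: v for c, v in last.items() if v[2] != "Success"}

if __name__ == "__main__":
    failed = failed_boot_commands(SAMPLE_LOG)
    for ck, svcs in unbound_services(failed).items():
        print(f"{ck}: rebind {', '.join(svcs)}")
    for cmd, (user, ip, status) in unresolved_ui_errors(SAMPLE_LOG).items():
        print(f"unresolved ({user}@{ip}): {cmd} -> {status}")
```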


Problem Cause

The issue occurred because the replacement appliance certificate in production was different from the one the customer had on the secondary NetScaler appliance of the high availability setup. The certificates were incompatible with those of the other node, which caused the failures shown in the logs when the high availability pair synchronized files.
