Friday, May 20, 2016

SharePoint 2013: A required certificate is not within its validity period

Problem

You are performing a routine check on your farm's Search service crawl history and discover that incremental crawls are generating an increasing number of errors.  It is a Tuesday.  Reviewing the crawl history, you find that errors began increasing during incremental crawls at 12:55 PM on Monday.  Incremental crawls on your farm are configured to run every 15 minutes, from 4 AM for 16 hours, Mon-Sat.  From 11 errors at 12:55 PM Monday, the count rose to 21 errors by 7:40 PM that same day.  By Tuesday, 11:11 AM, 40 errors were being encountered during incremental crawls.  This is a two-tier, two-server, externally facing farm running SharePoint Server 2013 Enterprise, patched current.  Tumbleweed standard is installed on all farm servers.

Troubleshooting

  1. Check Central Administration Problems and Solutions report: found nothing related to crawling or search.
  2. Check server event logs: found that beginning at 12:55:32 PM, Monday, the following appears in batches of 5 or so, every 10-15 minutes:
    Log Name:      Application
    Source:        Microsoft-SharePoint Products-SharePoint Foundation
    Date:          Monday 12:55:33 PM
    Event ID:      8311
    Task Category: Topology
    Level:         Error
    Keywords:      
    User:          DOMAIN\spContent
    Computer:      [SharePoint server]
    Description:
    An operation failed because the following certificate has validation errors:
    
    Subject Name: CN=[domain name], OU=[organization], O=[company], L=[city], 
    S=[state], C=[country]
    Issuer Name: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust 
    Network, O=Symantec Corporation, C=[country]
    Thumbprint: [thumbprint]
    
    Errors:
    
     NotTimeValid: A required certificate is not within its validity period 
    when verifying against the current system clock or the timestamp in the 
    signed file.
    .
    Event Xml:
    ...
    
    followed by
    Log Name:      Application
    Source:        Microsoft-SharePoint Products-SharePoint Foundation
    Date:          Monday 12:57:38 PM
    Event ID:      2159
    Task Category: Unified Logging Service
    Level:         Error
    Keywords:      
    User:          DOMAIN\spSearch
    Computer:      [server]
    Description:
    Event 8311 (SharePoint Foundation) of severity 'Error' occurred 15 
    more time(s) and was suppressed in the event log
    Event Xml:
    ...
    
  3. Check Site Access: you open a browser and try connecting to the root farm content site.  The connection is successful and the landing page displays without issue.  Checking the URL's certificate status, you find that the certificate is valid and shows no issues.  Customer access to their content is unaffected.
  4. Check Search Index: you perform a simple search and find search results returned as expected.  Customer search capability is not affected.  However, you are aware that new content will not be searchable.
  5. Perform Literature Search: you search on the event message text and find a number of related postings.  Most postings indicate that this issue involves expired certificates.  However, the certificate in this case was valid and within its date range.
  6. Check IIS Server Certificates: you found two certificates for the web server, the one you installed and a new one.  The existing one expired Tuesday, today.  The new one is valid beginning Sunday.  Thus there is overlap between the certificate that expired and the certificate that was newly installed.  You check with the lead sysadmin, who informs you that he installed certificates the Friday previous.
  7. Check Crawl History Again: checking crawl history again later, you find that crawl errors began to decrease at 2:08 PM the same day, and that by 2:15 PM crawls were completing successfully as they had previously.
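
One way to tie the thumbprint reported in Event ID 8311 (step 2) to the overlapping certificates found in step 6, as an added PowerShell example that is not part of the original post. It assumes an elevated session on the SharePoint server and a 48-hour lookback; the variable names are illustrative.

```powershell
# Added example (not from the original post). Run elevated on the SharePoint server.
# Assumption: a 48-hour lookback window; adjust $since as needed.
$since = (Get-Date).AddHours(-48)
$now   = Get-Date

# Event ID 8311 entries from the Application log (step 2).
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; Id = 8311; StartTime = $since
} -ErrorAction SilentlyContinue)

# SHA-1 thumbprints (40 hex characters) named in the event descriptions.
$flagged = @($events | ForEach-Object {
    if ($_.Message -match 'Thumbprint:[ \t]*([0-9A-Fa-f]{40})') { $Matches[1].ToUpper() }
} | Sort-Object -Unique)

# Every certificate in the machine stores (IIS server certificates are in LocalMachine\My).
$certs = @(Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2]
})

# Warn about thumbprints the events mention that are no longer in any store.
$flagged | Where-Object { $certs.Thumbprint -notcontains $_ } | ForEach-Object {
    Write-Warning "Thumbprint $_ appears in event 8311 but is in no machine store"
}

# Subjects of the flagged certificates, so renewals issued for the same subject are listed too.
$subjects = @($certs | Where-Object { $flagged -contains $_.Thumbprint } |
    Select-Object -ExpandProperty Subject -Unique)

$certs | Where-Object { $subjects -contains $_.Subject } | ForEach-Object {
    # Classify the certificate against the current system clock.
    $status = 'Valid'
    if ($now -lt $_.NotBefore) { $status = 'NotYetValid' }
    if ($now -gt $_.NotAfter)  { $status = 'Expired' }
    [pscustomobject]@{
        Store       = ($_.PSParentPath -split '\\')[-1]
        Thumbprint  = $_.Thumbprint
        NotBefore   = $_.NotBefore
        NotAfter    = $_.NotAfter
        Status      = $status
        InEvent8311 = $flagged -contains $_.Thumbprint
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

Two rows with the same subject and overlapping NotBefore/NotAfter ranges correspond to the renewal overlap described in step 6; the InEvent8311 column shows which of them the crawler was still validating.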

Solution

  1. Check site access and searchability of existing content: if these are successful then you need not worry about customer site access and searchability of existing content.
  2. Do nothing: if, after checking certificate expiration, you find that the certificate is valid, it may be that some caching is involved and that it will take a while for old certificate information to be flushed and new certificate information to be recognized by the Search crawler.
