How to Fix Oracle HTTP Server (OHS) Certificate Expiration Errors (SSL & Wallet Guide)
During a routine environment restart, we found we could not start OHS successfully. The Node Manager service would start, but any attempt to launch ohs_component would fail. All other tests of the services passed, so we ruled out a number of possible causes. The Node Manager logs showed “Failed to start the server” and an exit status = 1 message:
<2026-04-01 07:23:57> <SEVERE> <OHS-0> <F:\Oracle\Middleware\ohs\ohs\bin\launch.exe F:\Oracle\Middleware\ohs\ohs\bin\httpd.exe -DOHS_MPM_WINNT -d F:/Oracle/Middleware/user_projects/epmsystem1/httpConfig/ohs/config/fmwconfig/components/OHS/instances/ohs_component -f F:\Oracle\Middleware\user_projects\epmsystem1\httpConfig\ohs\config\fmwconfig\components\OHS\instances\ohs_component\httpd.conf: exit status = 1>
<2026-04-01 07:23:57> <INFO> <OHS-4005> <Check the instance log file for more information: F:\Oracle\Middleware\user_projects\epmsystem1\httpConfig\ohs\servers\ohs_component\logs\ohs_component.log>
<2026-04-01 07:23:57> <SEVERE> <OHS-0> <Failed to start the server ohs_component>
The ohs_component.log entries had SSL errors, which we found unusual because we didn’t have SSL ‘turned on’ in OHS at the time:
[2026-03-31T15:26:41.0132-05:00] [OHS] [ERROR:32] [OH99999] [ossl] [client_id: 127.0.0.1] [host_id: hostname] [host_addr: 10.0.0.1] [pid: 3616] [tid: 5328] [user: MYOB] [VirtualHost: localhost:0] OHS:2079 Client SSL handshake error, nzos_Handshake returned 29005(server localhost:443)
[2026-03-31T15:26:41.0132-05:00] [OHS] [ERROR:32] [OH99999] [ossl] [host_id: hostname] [host_addr: 10.0.0.1] [pid: 3616] [tid: 5328] [user: MYOB] [VirtualHost: localhost:0] OHS:2171 NZ Library Error: Unknown error
[2026-03-31T15:27:43.2783-05:00] [OHS] [ERROR:32] [OH99999] [ossl] [client_id: 127.0.0.1] [host_id: hostname] [host_addr: 10.0.0.1] [pid: 3616] [tid: 5304] [user: MYOB] [VirtualHost: localhost:0] OHS:2079 Client SSL handshake error, nzos_Handshake returned 29005(server localhost:443)
[2026-03-31T15:27:43.2793-05:00] [OHS] [ERROR:32] [OH99999] [ossl] [host_id: hostname] [host_addr: 10.0.0.1] [pid: 3616] [tid: 5304] [user: MYOB] [VirtualHost: localhost:0] OHS:2171 NZ Library Error: Unknown error
[2026-03-31T15:27:44.4163-05:00] [OHS] [NOTIFICATION:16] [AH00422] [mpm_winnt] [host_id: hostname] [host_addr: 10.0.0.1] [pid: 1244] [tid: 720] [user: MYOB] [VirtualHost: main] AH00422: Parent: Received shutdown signal -- Shutting down the server.
[2026-03-31T15:28:14.4171-05:00] [OHS] [NOTIFICATION:16] [AH00431] [mpm_winnt] [host_id: hostname] [host_addr: 10.0.0.1] [pid: 1244] [tid: 720] [user: MYOB] [VirtualHost: main] AH00431: Parent: Forcing termination of child process 3616
[2026-03-31T15:28:19.5007-05:00] [OHS] [ERROR:32] [OH99999] [ossl] [host_id: hostname] [host_addr: 10.0.0.1] [pid: 24536] [tid: 756] [user: MYOB] [VirtualHost: localhost:0] OHS:2057 Init: (localhost:443) Unable to initialize SSL environment, nzos call nzosSetCredential returned 28791
We found some documentation online indicating that our error could be caused by an expired Oracle Wallet certificate, self-signed by the host. OHS apparently creates an Oracle Wallet at installation or initial configuration. This wallet has generic self-signed certificates with a 5-year expiration date. Normally you’d move to a new version of Windows or Linux, or to a cloud instance, before ever reaching this date. However, in our case, this client had been on a very old version of EPM and had no intention of moving soon. Patching from 11.2.5 to 11.2.14 did not reset this date, and other checks have shown 11.2.24 patches applied to 11.2.23 do not reset this date either.
Now, if you have created a new Oracle Wallet because you’ve added your own SSL certificates for end-to-end SSL or SSL terminated at OHS, this is separate from the hostname certificates you are used to renewing yearly. This fix is far easier and doesn’t require your corporate security to issue a new certificate, too!
Create a backup of your expired wallet, say F:\testwallet\default. The wallet may have been in the original location of Oracle\Middleware\user_projects\epmsystem1\httpConfig\ohs\config\fmwconfig\components\OHS\instances\ohs_component\keystores\default. If you created your own wallet for SSL, it could be elsewhere, as defined by your ssl.conf file.
You’ll check your certificate expiration by entering a command like:
F:\Oracle\Middleware\oracle_common\bin\orapki wallet export -wallet F:\testwallet\default -dn "CN=localhost,OU=FOR TESTING ONLY,O=FOR TESTING ONLY" -cert F:\testwallet\default\server.cer
You can then double-click on the server.cer file and examine the creation and expiration dates.
If you’re not using SSL in OHS, you can just create a new wallet.sso file and copy it to the required location:
F:\Oracle\Middleware\oracle_common\bin\orapki wallet add -wallet F:\testwallet\default -dn "CN=localhost,OU=FOR TESTING ONLY,O=FOR TESTING ONLY" -keysize 2048 -self_signed -validity 3650 -sign_alg sha256 -auto_login_only
If you ARE using OHS SSL you’ll also want to add your existing certificates to this new wallet using your organization’s approved processes.
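Added example, not part of the original post: a PowerShell check that reads the server.cer file written by the export command above and reports its validity dates, so the expiry can be checked from a script before and after the wallet is recreated. The function name Get-CertExpiryStatus and the 60-day warning threshold are assumptions; if the exported file is absent, the script falls back to a constructed in-memory certificate that expired yesterday (this fallback needs .NET Framework 4.7.2 or later).

```powershell
# Added example, not from the original post. Get-CertExpiryStatus and the
# 60-day threshold are assumptions made for illustration.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-CertExpiryStatus {
    param(
        [Parameter(Mandatory = $true)]
        [X509Certificate2]$Certificate,
        [int]$WarnDays = 60,
        [datetime]$Now = (Get-Date)
    )
    # NotAfter is reported in local time, the same as Get-Date.
    $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
    if ($daysLeft -lt 0) { $state = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays) { $state = 'EXPIRING' }
    else { $state = 'OK' }
    [pscustomobject]@{
        Subject   = $Certificate.Subject
        NotBefore = $Certificate.NotBefore
        NotAfter  = $Certificate.NotAfter
        DaysLeft  = $daysLeft
        State     = $state
    }
}

# File written by the "orapki wallet export" command shown on this page.
$cerPath = 'F:\testwallet\default\server.cer'
if (Test-Path -LiteralPath $cerPath) {
    $cert = [X509Certificate2]::new($cerPath)
} else {
    # Constructed sample: a self-signed certificate that expired yesterday,
    # built in memory so the check can be tried without a wallet.
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new(
        'CN=localhost,OU=FOR TESTING ONLY,O=FOR TESTING ONLY', $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $cert = $req.CreateSelfSigned(
        [DateTimeOffset]::Now.AddYears(-5), [DateTimeOffset]::Now.AddDays(-1))
}

$status = Get-CertExpiryStatus -Certificate $cert
$status | Format-List
if ($status.State -ne 'OK') {
    Write-Warning "Wallet certificate is $($status.State): NotAfter $($status.NotAfter)"
}
```

Run the export command again after recreating the wallet, then rerun this check to confirm the new expiration date before restarting ohs_component.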
Issues like expired Oracle HTTP Server certificates can be difficult to diagnose, especially when they surface as unexpected SSL errors or service startup failures. As environments age or remain on long-standing versions, these types of hidden dependencies can quickly disrupt operations if not proactively managed.
At iArch Solutions, we help organizations maintain, troubleshoot, and optimize their Oracle EPM environments, including resolving complex infrastructure and configuration issues like OHS, WebLogic, and SSL integrations. Whether you’re dealing with an urgent outage or looking to proactively strengthen your environment, our team brings the experience needed to keep your systems running smoothly.
Schedule a discovery call today to discuss your environment and how we can help.