On 10/19/2011 08:38 AM, Chris Cawley wrote:

Went back to the docs again and this resolved that issue:

certutil -A -i /var/tmp/wrlc.org.crt -t "u,u,u" -d /etc/dirsrv/slapd-ldap -n "server-cert"

However, I now get this error:

[19/Oct/2011:10:34:36 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)

This means the issuer of certificate "server-cert" (i.e. the CA cert) is unknown to the server.

You also need to add the CA cert of the CA that issued the wrlc.org.crt cert.

I am guessing that there are other certutil commands?

There are many, many certutil commands.

BTW, this all came about because the GUI does not support 2048-bit CSRs.

Please file a bug.

-Thanks
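The steps Rich outlines (import the issuing CA into the same NSS database, then check that the server cert chains to it) as a shell script. This is an added example, not code from the thread or from the 389 project. The database directory, file names and nicknames are placeholders modelled on the thread and can be overridden through the environment; the two sample log lines are copied from the messages above so that the triage functions can be exercised offline, and certutil itself is only invoked when the script is run with the argument `fix`.

```shell
#!/bin/sh
# Added example, not from the thread: triage the NSS error number in a 389-ds
# errors-log line, then run the certutil steps that resolve it.
# All paths and nicknames below are placeholders (assumption); override via env.

DB_DIR="${DB_DIR:-/etc/dirsrv/slapd-ldap}"      # NSS DB the instance uses
CA_FILE="${CA_FILE:-/var/tmp/ca.crt}"           # placeholder: issuing CA cert (PEM)
SERVER_FILE="${SERVER_FILE:-/var/tmp/wrlc.org.crt}"
SERVER_NICK="${SERVER_NICK:-server-cert}"       # must match nsSSLPersonalitySSL
CA_NICK="${CA_NICK:-CA certificate}"

# Sample log lines, copied from the thread, used for offline triage below.
LOG_UNKNOWN_ISSUER="[19/Oct/2011:10:34:36 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)"
LOG_BAD_DB="[19/Oct/2011:10:23:44 -0400] - SSL alert: Security Initialization: Can't find certificate (server-cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)"

# Print the signed NSPR/NSS error number from an SSL alert line; return 1 if none.
nss_error_code() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*Netscape Portable Runtime error \(-[0-9][0-9]*\).*/\1/p')
    [ -n "$code" ] || return 1
    printf '%s\n' "$code"
}

# Map the error number to the certutil step that fixes it.
#   -8179 SEC_ERROR_UNKNOWN_ISSUER: the issuing CA is not in the DB
#   -8174 SEC_ERROR_BAD_DATABASE:   nickname or private key not found in the DB
diagnose() {
    code=$(nss_error_code "$1") || { echo "no-nss-error"; return 0; }
    case "$code" in
        -8179) echo "missing-ca" ;;
        -8174) echo "missing-cert" ;;
        *)     echo "other:$code" ;;
    esac
}

# Import the issuing CA with trust "CT,,": trusted to sign SSL server certs (C)
# and client certs (T). This is the step that is missing when -8179 is logged.
import_ca() {
    certutil -A -d "$DB_DIR" -n "$CA_NICK" -t "CT,," -i "$CA_FILE"
}

# Import the signed server cert under the nickname the server looks for.
# "u,u,u" marks it as a user cert whose private key already lives in this DB
# (the key was generated there when the CSR was made).
import_server_cert() {
    certutil -A -d "$DB_DIR" -n "$SERVER_NICK" -t "u,u,u" -i "$SERVER_FILE"
}

# Ask NSS to build and check the chain for SSL-server usage (-u V) now,
# instead of discovering a broken chain on the next restart.
verify_chain() {
    certutil -V -d "$DB_DIR" -n "$SERVER_NICK" -u V
}

# Usage: sh fix-chain.sh fix   (touches the DB only when asked and only if certutil exists)
if [ "${1:-}" = "fix" ] && command -v certutil >/dev/null 2>&1; then
    import_ca
    import_server_cert
    verify_chain
    certutil -L -d "$DB_DIR"      # list nicknames and trust flags to confirm
else
    for line in "$LOG_UNKNOWN_ISSUER" "$LOG_BAD_DB"; do
        printf '%s -> %s\n' "$(nss_error_code "$line")" "$(diagnose "$line")"
    done
fi
```

Without arguments the script only classifies the two sample lines (-8179 becomes `missing-ca`, -8174 becomes `missing-cert`); with `fix` it performs the imports and then runs `certutil -V`, which reports the same unknown-issuer condition the server would log if the CA is still absent, so the chain can be confirmed before restarting the instance.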

*From:*389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] *On Behalf Of *Chris Cawley
*Sent:* Wednesday, October 19, 2011 10:24 AM
*To:* Rich Megginson; General discussion list for the 389 Directory server project.
*Subject:* Re: [389-users] SSL Question

Thanks, I am now getting the same error as one of the earlier posts:

http://osdir.com/ml/linux.redhat.fedora.directory.user/2006-08/msg00161.html

[19/Oct/2011:10:23:44 -0400] - SSL alert: Security Initialization: Can't find certificate (server-cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)

[19/Oct/2011:10:23:44 -0400] - SSL alert: Security Initialization: Unable to retrieve private key for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)

[19/Oct/2011:10:23:44 -0400] - SSL failure: None of the cipher are valid

[19/Oct/2011:10:23:44 -0400] - ERROR: SSL Initialization phase 2 Failed.

I am trying to use a wildcard for the cert.

However, I did not see the answer.

-Thanks

-Chris

*From:*Rich Megginson [mailto:rmegg...@redhat.com]
*Sent:* Wednesday, October 19, 2011 9:09 AM
*To:* General discussion list for the 389 Directory server project.
*Cc:* Chris Cawley
*Subject:* Re: [389-users] SSL Question

On 10/19/2011 06:59 AM, Chris Cawley wrote:

When I look in the console/manage cert/etc.

See http://directory.fedoraproject.org/wiki/Howto:SSL#Viewing_the_list_of_built-in_CA_certs

Chris

*From:* 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] *On Behalf Of *Gerhardus Geldenhuis
*Sent:* Wednesday, October 19, 2011 8:58 AM
*To:* General discussion list for the 389 Directory server project.
*Subject:* Re: [389-users] SSL Question

When do you get that? When you start 389ds or when you run certutil scripts?

Regards

2011/10/19 Chris Cawley <caw...@wrlc.org>

Sorry, the error that I get is

"Broken Certificate Chain"

-Chris

*From:* 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] *On Behalf Of *Gerhardus Geldenhuis
*Sent:* Wednesday, October 19, 2011 8:49 AM
*To:* General discussion list for the 389 Directory server project.
*Subject:* Re: [389-users] SSL Question

Hi Chris,

Not seen that before; could you detail the steps you have taken thus far to get to the point you are at now?

Regards

2011/10/19 Chris Cawley <caw...@wrlc.org>

Hello --

We are in the process of setting up SSL on 389 ds; however, it appears that the CA cert db is empty. The built-in tokens are not even loaded. Any ideas why?

-Thanks

Chris Cawley

System Administrator

Washington Research Library Consortium

301-390-2049

caw...@wrlc.org


--
389 users mailing list
389-us...@lists.fedoraproject.org <mailto:389-us...@lists.fedoraproject.org>
https://admin.fedoraproject.org/mailman/listinfo/389-users



--
Gerhardus Geldenhuis








