Hi Dan,
Yes, dirsrv does indeed start. Here is what I receive from the openssl command (the important bits): verify error:num=19:self signed certificate in certificate chain verify return:0 ... Verify return code: 19 (self signed certificate in certificate chain) Kyle On 2013-07-17 12:04, Dan Lavu wrote: > Sorry the command is something like > > $ openssl s_client -connect localhost:443 > > it's not verify… > > On Jul 17, 2013, at 12:03 PM, Dan Lavu <d...@lavu.net> wrote: > Kyle, > > Does dirsrv start? If it does start, have you tried running 'openssl verify > HOSTNAME:PORT' to validate the certificate? > > Dan > > On Jul 17, 2013, at 10:55 AM, Kyle Johnson <kjohn...@gnulnx.net> wrote: > > Hello everyone, > > I have been receiving help from richm in the #389 channel for the last few > days, but haven't made much progress, so I'd like to move the conversation > somewhere a little more persistent. > > My issue is that after manually enabling SSL by following the instructions at > ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled [1] > (that is, not using the setupssl2.sh script) and installing my CA and public > and private key bundle, I am receiving the following error when starting > dirsrv. > I also receive this error if I run the setupssl2.sh script and then replace > the certificates and keys generated by it with the ones below. > > [root@ldap005 slapd-ldap005]# service dirsrv restart > Shutting down dirsrv: > ldap005... [ OK ] > Starting dirsrv: > ldap005...[17/Jul/2013:14:41:21 +0000] - SSL alert: > CERT_VerifyCertificateNow: verify certificate failed for cert > ldap005.infra.dfw of family cn=RSA,cn=encryption,cn=config (Netscape Portable > Runtime error -8016 - unknown) > [ OK ] > [root@ldap005 slapd-ldap005]# > > Here is a list of the installed certs: > ca001.zhv.domain.com [2] CT,, > ldap005.infra.dfw u,u,u > > And the installed keys: > < 0> rsa a25fae676b83cfeb52d1fdc671aa74a34ef4ee8c ldap005.infra.dfw > > My versions of 389 are as follows: > 389-ds-console-1.2.6-1.el6.noarch > 389-ds-1.2.2-1.el6.noarch > 389-ds-base-1.2.11.15-14.el6_4.x86_64 > 389-admin-console-1.1.8-1.el6.noarch > 389-ds-console-doc-1.2.6-1.el6.noarch > 389-dsgw-1.1.9-1.el6.x86_64 > 389-adminutil-1.1.15-1.el6.x86_64 > 389-ds-base-libs-1.2.11.15-14.el6_4.x86_64 > 389-console-1.1.7-1.el6.noarch > 389-admin-1.1.29-1.el6.x86_64 > 389-admin-console-doc-1.1.8-1.el6.noarch > > I would like to note that I have this working on another of my 389 servers, > the difference being that 389-ds-base is an earlier version: > 389-console-1.1.7-1.el6.noarch > 389-ds-base-1.2.10.2-20.el6_3.x86_64 > 389-admin-console-1.1.8-1.el6.noarch > 389-ds-console-doc-1.2.6-1.el6.noarch > 389-dsgw-1.1.9-1.el6.x86_64 > 389-adminutil-1.1.15-1.el6.x86_64 > 389-ds-base-libs-1.2.10.2-20.el6_3.x86_64 > 389-admin-1.1.29-1.el6.x86_64 > 389-ds-console-1.2.6-1.el6.noarch > 389-admin-console-doc-1.1.8-1.el6.noarch > 389-ds-1.2.2-1.el6.noarch > > Please let me know what other information you would need to help me with > troubleshooting this issue. > > Kyle Johnson > > -- > 389 users mailing list > 389-us...@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/389-users [3] -- 389 users mailing list 389-us...@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users [3] Links: ------ [1] http://ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled [2] http://ca001.zhv.domain.com [3] https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list 389-us...@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
