Jeff Gamsby wrote:
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using a
>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can
>>> start FDS in SSL mode, but when I run
>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
> I did, but that didn't work for me. The only thing that I did this
> time was generate a request from the "Manage Certificates", sign the
> request using my OpenSSL CA, and install the Server and CA Certs. Then
> I turned on SSL in the Admin console, and restarted the server.
>
> When I followed the instructions from the link, I couldn't even get
> FDS to start in SSL mode.

One problem may be that ldapsearch is trying to verify the hostname in
your server cert, which is the value of the cn attribute in the leftmost
RDN in your server cert's subject DN. What is the subject DN of your
server cert? You can use certutil -L -n Server-Cert as specified in the
Howto:SSL to print your cert.

>>>
>>> In /etc/ldap.conf, I have put in
>>> TLS_CACERT /path/to/cert
>> Is this the same /path/to/cacert.pem as below?
> Yes
>>> TLSREQCERT allow
>>> ssl on
>>> ssl start_tls
>>>
>>> If I run
>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile
>>> /path/to/cacert.pem
>>>
>>> It looks OK
>>>
>>> Please help
>>>
>>> Thanks
>>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
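
The hostname check described in the reply above, sketched as an added example (not part of the original thread and not OpenLDAP's own code): it takes a subject DN string, extracts the cn from the leftmost RDN, and compares it with the host name the client connects to. The DNs and host names are constructed, the function names are hypothetical, and the wildcard rule and the omission of subjectAltName are simplifying assumptions.

```python
import re

def split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def unescape(value):
    """Undo backslash escapes in a DN value (\\, or two hex digits)."""
    def repl(m):
        g = m.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def leftmost_cn(subject_dn):
    """Return the cn value in the leftmost RDN of the DN, or None."""
    first_rdn = split_unescaped(subject_dn, ",")[0]
    for ava in split_unescaped(first_rdn, "+"):   # multi-valued RDN
        attr, _, value = ava.partition("=")
        if attr.strip().lower() == "cn":
            return unescape(value.strip())
    return None

def host_matches(cn, host):
    """Case-insensitive compare; '*' accepted only as the whole first label (assumption)."""
    if cn is None:
        return False
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn == host:
        return True
    if cn.startswith("*."):
        labels = host.split(".", 1)
        return len(labels) == 2 and labels[0] != "" and labels[1] == cn[2:]
    return False

def check(subject_dn, host):
    """Return (cn, matches) for a subject DN and the host the client uses."""
    cn = leftmost_cn(subject_dn)
    return cn, host_matches(cn, host)

if __name__ == "__main__":
    dn = "CN=ldap.example.com,OU=Directory,O=Example"   # constructed sample
    for host in ("localhost", "ldap.example.com"):
        print(host, check(dn, host))
```

A mismatch here, such as connecting to localhost while the cert names the fully qualified host, is the case the reply asks the poster to rule out by printing the subject DN.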