TLS trace: SSL3 alert write:fatal:unknown CA

Jeff Gamsby wrote:
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an 
>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can 
>>> start FDS in SSL mode, but when I run
>>> ldapsearch -x -ZZ  I get TLS trace: SSL3 alert write:fatal:unknown CA.
>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
> I did, but that didn't work for me. The only thing that I did this 
> time was generate a request from the "Manage Certificates", sign the 
> request using my OpenSSL CA, and install the Server and CA Certs. Then 
> I turned on SSL in the Admin console, and restarted the server.
>
> When I followed the instructions from the link, I couldn't even get 
> FDS to start in SSL mode.
One problem may be that ldapsearch is trying to verify the hostname in 
your server cert, which is the value of the cn attribute in the leftmost 
RDN in your server cert's subject DN.  What is the subject DN of your 
server cert?  You can use certutil -L -n Server-Cert as specified in the 
Howto:SSL to print your cert.
>>>
>>> In /etc/ldap.conf, I have put in
>>> TLS_CACERT /path/to/cert
>> Is this the same /path/to/cacert.pem as below?
> Yes
>>> TLSREQCERT allow
>>> ssl on
>>> ssl start_tls
>>>
>>> If I run
>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile 
>>> /path/to/cacert.pem
>>>
>>> It looks OK
>>>
>>> Please help
>>>
>>> Thanks
>>>
>> ------------------------------------------------------------------------
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>   
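The hostname check described in the reply above, as an added example that is not part of the original thread: it pulls the cn value out of the leftmost RDN of a subject DN and compares it with the name the client connects to. The function names and the sample DN are constructed for illustration, and the comparison is a simplification (exact, case-insensitive match on cn only, no subjectAltName or wildcard handling).

```python
import re

def split_rdns(dn):
    """Split a DN string into RDNs on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def leftmost_cn(subject_dn):
    """Return the cn value from the leftmost RDN, or None if it has no cn."""
    rdns = split_rdns(subject_dn)
    if not rdns:
        return None
    for ava in rdns[0].split("+"):    # simplification: escaped '+' is not handled
        attr, _, value = ava.partition("=")
        if attr.strip().lower() == "cn":
            return re.sub(r"\\(.)", r"\1", value.strip())
    return None

def check_host(connect_host, subject_dn):
    """Compare the name the client connects to with the certificate's cn."""
    cn = leftmost_cn(subject_dn)
    if cn is None:
        return (False, None)
    same = connect_host.lower().rstrip(".") == cn.lower().rstrip(".")
    return (same, cn)

# Constructed sample subject DN (not taken from the thread).
SAMPLE_DN = "CN=ldap.example.com,OU=Directory Server,O=Example\\, Inc."

if __name__ == "__main__":
    for host in ("localhost", "ldap.example.com"):
        ok, cn = check_host(host, SAMPLE_DN)
        print(f"{host}: cert cn={cn!r} -> {'match' if ok else 'MISMATCH'}")
```

To use it on a real server, pass the subject line printed by certutil -L -n Server-Cert as the second argument and the host name given to the LDAP client as the first.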

