Jeff Gamsby wrote: > OK, now I have a different error. > > I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i > /etc/certs/ca-cert.pem -P slapd-server- -d . > > and > > ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0 > > Now, I get this error: > > TLS: can't connect. > ldap_perror > ldap_start_tls: Connect error (-11) > additional info: Start TLS request accepted.Server willing to > negotiate SSL. What OS and version are you running? RHEL3 /etc/openldap/ldap.conf does not like the TLS_CACERTDIR directive - you must use the TLS_CACERT directive with the full path and filename of the cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem). What does it say in the fedora ds access and error log for this request? For a successful startTLS request with ldapsearch, you should see something like the following in your fedora ds access log: [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1 [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3 [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1 > > > Jeff Gamsby > Center for X-Ray Optics > Lawrence Berkeley National Laboratory > (510) 486-7783 > > > > Richard Megginson wrote: >> Jeff Gamsby wrote: >>> >>> Jeff Gamsby >>> Center for X-Ray Optics >>> Lawrence Berkeley National Laboratory >>> (510) 486-7783 >>> >>> >>> >>> Richard Megginson wrote: >>>> Jeff Gamsby wrote: >>>>> >>>>> Jeff Gamsby >>>>> Center for X-Ray Optics >>>>> Lawrence Berkeley National Laboratory >>>>> (510) 486-7783 >>>>> >>>>> >>>>> >>>>> Richard Megginson wrote: >>>>>> Jeff Gamsby wrote: >>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using a >>>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, >>>>>>> can start FDS in SSL mode, but when I run >>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert >>>>>>> write:fatal:unknown CA. >>>>>> Did you follow this - >>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL >>>>> I did, but that didn't work for me. The only thing that I did this >>>>> time was generate a request from the "Manage Certificates", sign >>>>> the request using my OpenSSL CA, and install the Server and CA >>>>> Certs. Then I turned on SSL in the Admin console, and restarted >>>>> the server. >>>>> >>>>> When I followed the instructions from the link, I couldn't even >>>>> get FDS to start in SSL mode. >>>> One problem may be that ldapsearch is trying to verify the hostname >>>> in your server cert, which is the value of the cn attribute in the >>>> leftmost RDN in your server cert's subject DN. What is the subject >>>> DN of your server cert? You can use certutil -L -n Server-Cert as >>>> specified in the Howto:SSL to print your cert. >>> >>> Sorry. I missed the -P option. >>> >>> running ../shared/bin/certutil -L -d . -P slapd-server- -n >>> "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA >>> host (ran on same machine) >> Hmm - try ldapsearch with the -v (or -d?) option to get some >> debugging info. >>> >>>>>>> >>>>>>> In /etc/ldap.conf, I have put in >>>>>>> TLS_CACERT /path/to/cert >>>>>> Is this the same /path/to/cacert.pem as below? >>>>> Yes >>>>>>> TLSREQCERT allow >>>>>>> ssl on >>>>>>> ssl start_tls >>>>>>> >>>>>>> If I run >>>>>>> openssl s_client -connect localhost:636 -showcerts -state >>>>>>> -CAfile /path/to/cacert.pem >>>>>>> >>>>>>> It looks OK >>>>>>> >>>>>>> Please help >>>>>>> >>>>>>> Thanks >>>>>>> >>>>>> ------------------------------------------------------------------------ >>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20060602/48b280b3/attachment.bin
