TLS trace: SSL3 alert write:fatal:unknown CA


fedora-directory-users-request at redhat.com wrote:
> Date: Fri, 02 Jun 2006 17:48:00 -0700
> From: Jeff Gamsby <JFGamsby at lbl.gov>
>
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
Geeze you guys, these messages could seriously use some trimming.
>>>>>
>>>>>>>>>
>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>
>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>
>>>>>>>>>>> I blew away the server and installed a new one, then I used 
>>>>>>>>>>> the setupssl.sh script to setup SSL. The script completed 
>>>>>>>>>>> successfully, and the server is listening on port 636, but 
>>>>>>>>>>> I'm back to a familiar error:
>>>>>>>>>>>
>>>>>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>>>>>

Listening on port 636 with SSL means you have an ldaps:// listener. The 
ldapsearch -Z options are for LDAPv3 StartTLS, which is incompatible 
with (LDAPv2+) ldaps://. Use either ldaps:// or StartTLS, you cannot use 
both together. This is already noted in the manpages.
>>>
>> I'm not sure I understand what's going on either, but the message 
>> "Peer does not recognize and trust the CA that issued your 
>> certificate." means that ldapsearch did not verify your LDAP server 
>> certificate (Server-Cert).  This is usually due to one or both of the 
>> following:
>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN 
>> in the LDAP server cert is not the fqdn of the LDAP server host, or 
>> the client cannot resolve it.
>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the 
>> CA that issued the LDAP server certificate (Server-Cert)
>>

No, on the client side this error can only be caused by (2), there is a 
completely different error message for (1). Also for (1), "client cannot 
resolve it" is not a consideration; as mandated by RFC2830 the hostname 
supplied by the user (on the command line) must exactly match the name 
in the cert CN (or one of the subjectAltNames). No resolution procedures 
are allowed.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
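The hostname rule Howard describes is RFC 2830 section 3.6: the client compares the name the user typed on the command line against the certificate's dNSName subjectAltNames (or, failing those, the subject CN), case-insensitively, with a "*" wildcard allowed only in the left-most label, and it never substitutes a resolved or canonical DNS name. The following is an added illustration written for this archive page, not code from the thread, OpenLDAP or Fedora Directory Server; the CertIdentity fields are constructed stand-ins for values a real client would read out of the server certificate, and the SAN-before-CN ordering follows the RFC's "SHOULD use dNSName" guidance rather than any particular library's behaviour.

```python
"""RFC 2830 section 3.6 style server-identity check for StartTLS / ldaps clients.

Added example for the mailing-list thread above; not project code.
The certificate identity fields are constructed inline rather than parsed
from a real certificate, so the example runs offline.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Identity data a client extracts from the server cert (constructed here)."""
    subject_cn: Optional[str]           # cn of the left-most RDN of the subject DN
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def _name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name against the user-supplied host.

    Matching is case-insensitive, a trailing dot is ignored, and a '*'
    wildcard is honoured only as the entire left-most label (RFC 2830 3.6).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        # The wildcard stands in for exactly one label; the rest must be equal.
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def server_identity_matches(user_supplied_host: str, cert: CertIdentity) -> bool:
    """Return True if the cert is acceptable for the host the user asked for.

    The comparison uses exactly the name given to the client (e.g. the host
    part of -H ldaps://host/ or the -h argument).  No DNS lookup, reverse
    lookup or canonicalisation is performed: a short name such as "ldap"
    does not match a certificate issued to "ldap.example.com" even if DNS
    would resolve both to the same machine.
    """
    if cert.san_dns:
        # RFC 2830: dNSName SANs, when present, are the source of identity.
        return any(_name_matches(name, user_supplied_host) for name in cert.san_dns)
    if cert.subject_cn is None:
        return False
    return _name_matches(cert.subject_cn, user_supplied_host)


if __name__ == "__main__":
    # Constructed certificate identities, not real certificates.
    cn_only = CertIdentity(subject_cn="ldap.example.com")
    wildcard = CertIdentity(subject_cn="other.example.net", san_dns=["*.example.com"])
    for host, cert in [("ldap.example.com", cn_only), ("ldap", cn_only),
                       ("LDAP.Example.COM.", cn_only), ("ldap.example.com", wildcard),
                       ("a.b.example.com", wildcard)]:
        print(f"{host:20s} -> {'match' if server_identity_matches(host, cert) else 'MISMATCH'}")
```

Note that this check is distinct from the "unknown CA" failure in the subject line: the identity comparison only runs once the chain has already been validated against a trusted CA certificate, which is why a CA-trust problem (point 2 in Richard's list) produces a different error than a name mismatch (point 1).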
