Peer does not recognize and trust the CA that issued your certificate.

To all,

I am having problems configuring TLS on FDS.  I have followed the
following tutorials for setting up keys.  I have tried both openssl and
certutil without any luck.  I have TLS working on OpenLDAP, and I have
to admit it seemed easier than FDS.

I have been using the following document:

http://directory.fedoraproject.org/wiki/Howto:SSL

When I connect my Solaris client, I see error log messages in FDS:

PR_Recv for connection 71 returns -12195 (Peer does not recognize and
trust the CA that issued your certificate.)

My Fedora Directory Server is located on a server named utility.xyz.org.

My client, which is Solaris 10, is located at test.xyz.org.

I have been creating the certificate using the following commands:

1. Open directory
cd serverRoot/alias

2. Create password file
vi pwdfile.txt

3. Create noise file
vi noise.txt

4. Create databases
serverRoot/shared/bin/certutil -N -d . -f pwdfile.txt

5. Generate encryption key
/serverRoot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt

6. Generate self-signed certificate
/serverRoot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x \
    -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt

7. Generate server certificate
/serverRoot/shared/bin/certutil -S -n "Server-Cert" -s "cn=utility.xyz.org" \
    -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

8. Copy the key3.db and cert8.db you created to the default databases created at Directory Server installation:
mv key3.db slapd-server-key3.db
mv cert8.db slapd-server-cert8.db
ln -s slapd-server-key3.db key3.db

9. Run pki tool to convert cert database to pkcs12 format
/serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert

So at this point, under the server tab in FDS Console, I can see ca-certificate.  I can see the server-cert.  They all appear to be normal.  I have enabled SSL for this server.
I have selected the Server-Cert.  I have allowed client authentication.  I have turned off hostname checking against the certificate for outbound SSL connections.

On Solaris 10 I have successfully configured authentication to LDAP without TLS.  I enable TLS and import the cacert.asc.

certutil -N -d /var/ldap
certutil -A -n CAcert -d /var/ldap -t "TCu,Cu,Tuw" \
     -i cacert.asc
certutil -L -d /var/ldap

Some other things I have done are to use NGREP to see if there is communication on port 389 from the client to the server.  I have also looked at the Solaris logs.  I hate how Solaris logs nothing.

The key shows up in the database.  But the client cannot negotiate a tls:simple connection.  Any ideas what I am doing wrong here?

Randall