Back in SSL hell again!

> Is it possible it is complaining about the CA cert?

Ahem.  No, after all, it did name the certificate it was complaining about.  
But I figured out what the problem was.  Sometime this morning it became 
apparent that having the clocks synchronized on the AD and DS servers would 
make it easier to read the logs, so I used the "date" command to change the 
time.  I still find it difficult to understand some of the command manuals, 
and, assuming it was necessary to include the century and year as well as the 
date and time in the command, I accidentally put in 2006 instead of 2007.  
But, you know, if the error message had said, "your certificate is not valid 
yet" or even, "check the date, twit", I might have resolved this more 
quickly.  Then again, maybe not. :)  Thanks again.   -Glenn.

---------- Original Message -----------
From: Richard Megginson <rmeggins at redhat.com>
To: "General discussion list for the Fedora Directory server project." 
<fedora-directory-users at redhat.com>
Sent: Tue, 16 Jan 2007 13:12:21 -0700
Subject: Re: Back in SSL hell again!

> Glenn wrote:
> > So I'm just about to finish getting Windows Sync working between RH Directory
> > Server 7.1SP3 and Active Directory.  The latest error message in the passsync
> > log says "insufficient access", so I create an ACI that gives the replication
> > manager access to everything, just to see if it will work.  Nope.  So I
> > think, maybe I have to restart the Directory Server.  And then it fails to
> > restart, logging the error message:
> >
> > SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert 
> > server-cert of family cn=RSA,cn=encryption,cn=cconfig (Netscape Portable 
> > Runtime error -8181 - Peer's Certificate has expired.)
> >   
> Is it possible it is complaining about the CA cert?
> > Yeah, right.  Here's a copy of the certificate:
> >
> > [root at ourserver alias]# ./certutil -L -d ./ -n server-cert
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number:
> >             16:43:78:57:00:00:00:00:00:0e
> >         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
> >         Issuer:
> >             "CN=OURCA,DC=ad,DC=ourshop,DC=edu"
> >         Validity:
> >             Not Before: Tue Nov 14 22:50:17 2006
> >             Not After : Thu Nov 13 22:50:17 2008
> > ...
> >  
> > Now, I'll grant you that this little synchronization exercise FEELS like it
> > has gone on for more than two years, but according to the certificate, it has
> > taken barely two months so far, leaving the certificate good for another 22
> > months.  Once again, the SSL error message seems to have little to do with
> > reality.
> >
> > I just restarted the server three hours earlier, and it worked fine then.
> > Can anyone suggest what I might try now?  Thanks.   -Glenn.
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
------- End of Original Message -------
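
Added example, not part of the original thread: a small check that reads the Validity block from `certutil -L` output and reports which side of the window the clock is on, so a "certificate has expired" error caused by a clock set in the past can be told apart from real expiry. The function names are hypothetical, and treating the printed times as UTC is an assumption.

```python
import re
from datetime import datetime, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Matches the two validity lines as certutil printed them in the post.
VALIDITY_RE = re.compile(
    r"Not (Before|After)\s*:\s*\w{3} (\w{3})\s+(\d{1,2}) "
    r"(\d\d):(\d\d):(\d\d) (\d{4})")

# Validity block copied from the certutil -L output quoted in the thread.
SAMPLE = """\
        Validity:
            Not Before: Tue Nov 14 22:50:17 2006
            Not After : Thu Nov 13 22:50:17 2008
"""

def parse_validity(text):
    """Return (not_before, not_after) from certutil -L text."""
    found = {}
    for kind, mon, day, hh, mm, ss, year in VALIDITY_RE.findall(text):
        # Assumption: certutil prints these times in UTC.
        found[kind] = datetime(int(year), MONTHS[mon], int(day), int(hh),
                               int(mm), int(ss), tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in input")
    return found["Before"], found["After"]

def check_clock(text, now=None):
    """Return (status, gap); gap is how far the clock is outside the window."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not_yet_valid", not_before - now   # clock is behind
    if now > not_after:
        return "expired", now - not_after          # real expiry or clock ahead
    return "valid", None

if __name__ == "__main__":
    # Constructed clocks: the mistyped year, the intended year, and a late one.
    for year in (2006, 2007, 2009):
        clock = datetime(year, 1, 16, 13, 12, tzinfo=timezone.utc)
        print(clock.isoformat(), check_clock(SAMPLE, clock))
```

Called with no `now` argument, `check_clock` uses the system clock, which is the comparison the server makes at startup.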



