Glenn wrote:
>> Is it possible it is complaining about the CA cert?
>
> Ahem. No, after all, it did name the certificate it was complaining about.
> But I figured out what the problem was. Sometime this morning it became
> apparent that having the clocks synchronized on the AD and DS servers would
> make it easier to read the logs, so I used the "date" command to change the
> time. I still find it difficult to understand some of the command manuals,
> and, assuming it was necessary to include the century and year as well as the
> date and time in the command, I accidentally put in 2006 instead of 2007.
> But, you know, if the error message had said, "your certificate is not valid
> yet" or even, "check the date, twit", I might have resolved this more
> quickly. Then again, maybe not. :) Thanks again. -Glenn.

If you think that's bad, try to have a Kerberos environment where one or
more clocks are out of sync, and try to interpret those error messages :P

> ---------- Original Message -----------
> From: Richard Megginson <rmeggins at redhat.com>
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users at redhat.com>
> Sent: Tue, 16 Jan 2007 13:12:21 -0700
> Subject: Re: Back in SSL hell again!
>
>> Glenn wrote:
>>> So I'm just about to finish getting Windows Sync working between RH Directory
>>> Server 7.1SP3 and Active Directory. The latest error message in the passsync
>>> log says "insufficient access", so I create an ACI that gives the replication
>>> manager access to everything, just to see if it will work. Nope. So I
>>> think, maybe I have to restart the Directory Server. And then it fails to
>>> restart, logging the error message:
>>>
>>> SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert
>>> server-cert of family cn=RSA,cn=encryption,cn=cconfig (Netscape Portable
>>> Runtime error -8181 - Peer's Certificate has expired.)
>>>
>> Is it possible it is complaining about the CA cert?
>>
>>> Yeah, right. Here's a copy of the certificate:
>>>
>>> [root at ourserver alias]# ./certutil -L -d ./ -n server-cert
>>> Certificate:
>>>     Data:
>>>         Version: 3 (0x2)
>>>         Serial Number:
>>>             16:43:78:57:00:00:00:00:00:0e
>>>         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>>>         Issuer:
>>>             "CN=OURCA,DC=ad,DC=ourshop,DC=edu"
>>>         Validity:
>>>             Not Before: Tue Nov 14 22:50:17 2006
>>>             Not After : Thu Nov 13 22:50:17 2008
>>>         ...
>>>
>>> Now, I'll grant you that this little synchronization exercise FEELS like it
>>> has gone on for more than two years, but according to the certificate, it has
>>> taken barely two months so far, leaving the certificate good for another 22
>>> months. Once again, the SSL error message seems to have little to do with
>>> reality.
>>>
>>> I just restarted the server three hours earlier, and it worked fine then.
>>> Can anyone suggest what I might try now? Thanks. -Glenn.
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> ------- End of Original Message -------
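
Added example, not part of the original messages or of the Directory Server code: a small check that reads the Validity block from `certutil -L` output and compares it with the clock, so a clock set before Not Before is reported as "not yet valid" rather than "expired". The function names are hypothetical, the timestamps are assumed to be UTC, and the two clock values (16 January of 2006 and 2007) are constructed from the dates in the thread.

```python
import re
from datetime import datetime, timezone

# Validity block copied from the certutil -L output quoted in the thread.
CERTUTIL_OUTPUT = """\
Validity:
    Not Before: Tue Nov 14 22:50:17 2006
    Not After : Thu Nov 13 22:50:17 2008
"""

# Captures Before/After and the timestamp without its weekday name.
FIELD = re.compile(r"^\s*Not (Before|After)\s*:\s*\w+ (.+?)\s*$", re.MULTILINE)


def parse_validity(text):
    """Return (not_before, not_after) parsed from certutil -L text.

    Assumption: the printed timestamps are UTC.
    """
    found = {}
    for which, stamp in FIELD.findall(text):
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[which] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block is missing Not Before or Not After")
    if found["Before"] >= found["After"]:
        raise ValueError("Not Before is not earlier than Not After")
    return found["Before"], found["After"]


def classify(text, now=None):
    """Compare the validity window with the clock and name the real cause."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return ("not-yet-valid",
                f"clock reads {now:%Y-%m-%d} but cert starts "
                f"{not_before:%Y-%m-%d}; check the system date before reissuing")
    if now > not_after:
        return ("expired", f"cert ended {not_after:%Y-%m-%d}")
    return ("valid", f"{(not_after - now).days} days remaining")


if __name__ == "__main__":
    # Constructed clock values: the mistyped year and the intended one.
    for year in (2006, 2007):
        clock = datetime(year, 1, 16, tzinfo=timezone.utc)
        print(year, *classify(CERTUTIL_OUTPUT, clock))
```
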