[root at ldap alias]# ../shared/bin/certutil -L -d . -P admin-serv-ldap-
server-cert       u,u,u
CA certificate    CT,,

Richard Megginson wrote:
> FDS User wrote:
>> Tried all combinations for the url with and without https and with
>> the right port #:
>>
>> IP address
>> ldap.test.com
>> ldap
>>
>> Still no luck.
>>
>> adminserv error log:
>> [Thu May 10 13:19:36 2007] [warn] NSSProtocols not set; using: SSLv3
>> and TLSv1
>> [Thu May 10 13:19:36 2007] [notice] Access Host filter is: *.test.com
>> [Thu May 10 13:19:36 2007] [notice] Access Address filter is: *
>> [Thu May 10 13:19:37 2007] [warn] NSSProtocols not set; using: SSLv3
>> and TLSv1
>> [Thu May 10 13:19:37 2007] [notice] Access Host filter is: *.test.com
>> [Thu May 10 13:19:37 2007] [notice] Access Address filter is: *
>> [Thu May 10 13:19:37 2007] [notice] Apache/2.2.4 (Unix) mod_nss/2.2.3
>> NSS/3.11.3 configured -- resuming normal operations
>> [Thu May 10 13:38:18 2007] [notice] caught SIGTERM, shutting down
>> [Thu May 10 13:39:10 2007] [warn] NSSProtocols not set; using: SSLv3
>> and TLSv1
>> [Thu May 10 13:39:10 2007] [notice] Access Host filter is: *.test.com
>> [Thu May 10 13:39:10 2007] [notice] Access Address filter is: *
>> [Thu May 10 13:39:11 2007] [warn] NSSProtocols not set; using: SSLv3
>> and TLSv1
>> [Thu May 10 13:39:11 2007] [notice] Access Host filter is: *.test.com
>> [Thu May 10 13:39:11 2007] [notice] Access Address filter is: *
>> [Thu May 10 13:39:11 2007] [notice] Apache/2.2.4 (Unix) mod_nss/2.2.3
>> NSS/3.11.3 configured -- resuming normal operations
>> [Thu May 10 13:40:10 2007] [error] SSL Library Error: -12271 SSL
>> client cannot verify your certificate
> cd /opt/fedora-ds/alias
> ../shared/bin/certutil -L -d . -P admin-serv-ldap-
>
> Do you have a CA certificate in that list?
>>
>> Thanks.
>>
>>
>> Richard Megginson wrote:
>>> FDS User wrote:
>>>> I tried changing the permission for local.conf and restarted both
>>>> admin and dir server. That didn't solve the issue.
>>>> Attached is the error I get when the login fails.
>>> For the console login dialog, for the admin url field, did you use
>>> https://host:port/ ?
>>> tail admin-serv/logs/error
>>>>
>>>> Thanks.
>>>>
>>>> Richard Megginson wrote:
>>>>> FDS User wrote:
>>>>>> Below is the ls and grep output.
>>>>>>
>>>>>> [root at ldap slapd-ldap]# ls -al /opt/fedora-ds/alias
>>>>>> <snip> looks ok
>>>>>>
>>>>>>
>>>>>> [root at ldap slapd-ldap]# ls -al /opt/fedora-ds/admin-serv/config
>>>>>> total 84
>>>>>> drwxr-xr-x 2 nobody nobody 4096 May 9 10:31 .
>>>>>> drwxr-xr-x 8 root root 4096 May 9 10:32 ..
>>>>>> -rw------- 1 nobody nobody 544 May 10 13:17 adm.conf
>>>>>> -rw------- 1 nobody nobody 39 May 7 18:28 admpw
>>>>>> -rw------- 1 root root 4598 May 7 18:28 admserv.conf
>>>>>> -rw------- 1 nobody nobody 3702 May 10 13:17 console.conf
>>>>>> -rw------- 1 root root 26784 May 7 18:28 httpd.conf
>>>>>> -rw-r--r-- 1 root root 19233 May 7 18:28 local.conf
>>>>> This is the likely culprit. Shut down the admin server, then
>>>>> chown nobody:nobody local.conf, then restart.
>>>>>> -r-------- 1 nobody nobody 4604 May 7 18:29 nss.conf
>>>>>>
>>>>>>
>>>>>> [root at ldap slapd-ldap]# grep NSS
>>>>>> /opt/fedora-ds/admin-serv/config/console.conf
>>>>>> NSSEngine on
>>>>>> NSSNickname server-cert
>>>>>> # The NSS security database directory that holds the
>>>>>> certificates and
>>>>>> NSSCertificateDatabase /opt/fedora-ds/alias
>>>>>> NSSDBPrefix admin-serv-ldap-
>>>>>> NSSCipherSuite
>>>>>> +des,+rc2export,+rc4export,+desede3,+rc4,+rc2,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5
>>>>>>
>>>>>> NSSVerifyClient none
>>>>>>
>>>>>>
>>>>>>
>>>>>> Richard Megginson wrote:
>>>>>>>
>>>>>>>
>>>>>>> FDS User wrote:
>>>>>>>> Hi,
>>>>>>>> I am getting "PSET failure: PSET attribute creation or local
>>>>>>>> cache update failed" when I try to enable SSL for admin server
>>>>>>>> using the encryption tab.
>>>>>>>> I have used it in the past without issues and now for some
>>>>>>>> reason I get this error after doing a re-install of fds.
>>>>>>>> I used the SSL script from the fds site to generate the certs.
>>>>>>>>
>>>>>>>> Admin server log has this error:
>>>>>>>> [error] SSL Library Error: -12271 SSL client cannot verify your
>>>>>>>> certificate
>>>>>>>>
>>>>>>>> Any help is highly appreciated.
>>>>>>> ls -al /opt/fedora-ds/alias
>>>>>>> ls -al /opt/fedora-ds/admin-serv/config
>>>>>>>
>>>>>>> grep NSS /opt/fedora-ds/admin-serv/config/console.conf
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Fedora-directory-users mailing list
>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
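
The check behind the question "Do you have a CA certificate in that list?", as an added example that is not part of the original thread: it reads `certutil -L` output and confirms that the server nickname carries a private key (`u`) and that some certificate has the `C` flag in the SSL trust field. The sample listings are constructed from the output at the top of the message, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). The certutil trust column has three
# comma-separated fields: SSL, S/MIME, object signing. Only SSL matters here.

# list_ssl_trust: `certutil -L` listing on stdin -> "SSLFLAGS<TAB>NICKNAME" per cert.
# Nicknames may contain spaces, so the trust column is taken as the last field.
list_ssl_trust() {
    awk 'NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        split($NF, f, ",")
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
        sub(/^[ \t]+/, "", nick)                # trim leading whitespace
        printf "%s\t%s\n", f[1], nick
    }'
}

# check_listing NICKNAME LISTING
# Returns 0 if NICKNAME has a private key and at least one CA is trusted for SSL,
# 2 if the nickname is absent, 3 if it has no key, 4 if no CA is trusted.
check_listing() {
    parsed=$(printf '%s\n' "$2" | list_ssl_trust)
    flags=$(printf '%s\n' "$parsed" |
        awk -F'\t' -v n="$1" '$2 == n { print $1; ok = 1 } END { exit !ok }') \
        || { echo "nickname not found: $1"; return 2; }
    case $flags in
        *u*) ;;
        *) echo "no private key for: $1"; return 3 ;;
    esac
    cas=$(printf '%s\n' "$parsed" | awk -F'\t' '$1 ~ /C/ { print $2 }')
    [ -n "$cas" ] || { echo "no CA trusted to issue SSL server certs"; return 4; }
    echo "ok: $1 [$flags]; trusted CA: $cas"
}

# Constructed sample listings (first one mirrors the output posted above).
SAMPLE_OK='server-cert       u,u,u
CA certificate    CT,,'
SAMPLE_NO_CA='server-cert       u,u,u
CA certificate    ,,'

check_listing server-cert "$SAMPLE_OK"
check_listing server-cert "$SAMPLE_NO_CA" || true
```

The listing posted in the thread passes this check, so the certificate database itself already contains a CA trusted for SSL.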