idm-console does not accept cert

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sat, 2009-01-17 at 19:59 -0500, John A. Sullivan III wrote:
> Hello, all.  We are working on implementing SSL on our directory server.
> Our test environment is using Centos using console framework 1.1.1 and
> ds centos-ds-8.0.0-1.4.el5.centos.4.  When we attempt to login to
> centos-idm-console, we receive an error that the certificate this server
> presents is either untrusted or unknown.  When we view the cert, the
> note under details says "Untrusted issuer".  However, if we look in
> Manage Certificates for the Administration Server (I assume the console
> is logging into the Administration Server but the same is true for the
> Directory Server), we see the CA cert as trusted and see the certificate
> chain.  Everything looks correct.  Why is the console not trusting the
> CA cert? Is it looking for it someplace else? If so, where?
> 
> More details:
> I'm assuming the problem is the CA cert.  The admin server cert details
> are:
> cn=ldap01admin.ssiservices.biz
> There are DNS entries in subjAltName of:
> ldap01.ssiservices.biz
> ldap01
> ldap01admin
> and there is an IP address entry.
> 
> I get the same problem connecting to
> https://ldap01admin.ssiservices.biz:9830 as
> https://ldap01.ssiservices.biz:9830
> 
On a lark, I took a look in my home directory and, sure enough, found
a .centos-idm-console directory.  I entered it and issue the following
command to import the CA cert into the individual user's database:

certutil -A -d . -n "CA certificate" -t "CT,," -a
-i /etc/dirsrv/admin-serv/SSICA.pem

It all works now.  Perhaps I overlooked it but I did not see that step
in the documentation.

I've also noticed that the manage certificate dialogs reverse the OU and
O fields on the details page.

Finally, it appears idm-console can use the entries in the subjAltName,
i.e., I can login using both ldap01 and ldap01admin for the host but it
does not like the IP field, i.e., I cannot login to
https://10.1.1.1:9830 without generating a cert warning - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux