[389-users] Recover after installing a bad cert.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Thanks that did it.

I just can't seem to get this certificate working.  Here is the most recent way that i have tried.
cat bundle.crt >> new.crt    ## bundle, being the chain certificates provided by the CA
cat rhds.crt >> new.crt    ## rhds being the actual cert provided by the CA
openssl verify new.crt   ## turned out OK

openssl pkcs12 -export -in new.crt -inkey rhds.example.com.key  -out rhds.example.com-PSSL.p12

pk12util -i /root/certs/rhds.example.com-PSSL.p12 -d .
certutil -L -d .
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI


rhds.example.com - Comodo CA Limited                  u,u,u
PositiveSSL CA - The USERTRUST Network                       ,,
UTN-USERFirst-Hardware - AddTrust AB                         ,,


Still the same error when i try to use this cert.  Am I doing something wrong?






________________________________
From: Ryan Braun [ADS] <ryan.braun at ec.gc.ca>
To: fedora-directory-users at redhat.com
Cc: Dumbo Q <dumboq at yahoo.com>
Sent: Wednesday, July 8, 2009 2:50:10 PM
Subject: Re: [389-users] Recover after installing a bad cert.

On July 8, 2009 06:19:55 pm Dumbo Q wrote:
> I just installed a new ssl certificate using pk12util.  I restarted my
> dirsrv, and picked the new cert in the dropdown menu under the encryption
> tab.  I restarted dirsrv to make it take affect.  When I did this, I found
> that the root certificate was not in redhats/openssls ca-bundle.  I tried
> importing the intermediate certificate, and I think I just made the problem
> worse.
>
> right now im getting the following.
>  SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert
> rhds.example.com - Comodo CA Limited of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
> Peer's Certificate issuer is not recognized.) [08/Jul/2009:14:18:04 -0400]
> - SSL failure: None of the cipher are valid
>
>
> Now my directory is down completely.  How can I get it to start up without
> SSL so that I can fix the problem?

Make sure you backup /etc/dirsrv/INSTANCE/dse.ldif

then edit that file and look for

nsslapd-security: on

change to

nsslapd-security: off

save file,  restart service and ssl should be turned off.  Keep in mind 
whatever caused the ssl config to puke in the first place is still there :)

Ryan



      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20090708/bcc9ec8c/attachment.html
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux