Of course, it would help if i trusted the intermediate cert.
certutil -M -t "CT,," -d . -n "UTN-USERFirst-Hardware - AddTrust AB"
certutil -M -t "CT,," -d . -n "PositiveSSL CA - The USERTRUST Network"
After doing this I tried an ldapsearch -H ldaps://....
ldapsearch worked with no problem.
My ldap client "Jxplorer" could not connect however. It complained with the following..
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain.
A partial success i guess.
________________________________
From: Dumbo Q <dumboq at yahoo.com>
To: Ryan Braun [ADS] <ryan.braun at ec.gc.ca>; fedora-directory-users at redhat.com
Sent: Wednesday, July 8, 2009 4:57:49 PM
Subject: Re: [389-users] Recover after installing a bad cert.
Thanks that did it.
I just can't seem to get this certificate working. Here is the most recent way that i have tried.
cat bundle.crt >> new.crt ## bundle, being the chain certificates provided by the CA
cat rhds.crt >> new.crt ## rhds being the actual cert provided by the CA
openssl verify new.crt ## turned out OK
openssl pkcs12 -export -in new.crt -inkey rhds.example.com.key -out rhds.example.com-PSSL.p12
pk12util -i /root/certs/rhds.example.com-PSSL.p12 -d .
certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
rhds.example.com - Comodo CA Limited u,u,u
PositiveSSL CA - The USERTRUST Network ,,
UTN-USERFirst-Hardware - AddTrust AB ,,
Still the same error when i try to use this cert. Am I doing something wrong?
________________________________
From: Ryan Braun [ADS] <ryan.braun at ec.gc.ca>
To: fedora-directory-users at redhat.com
Cc: Dumbo Q <dumboq at yahoo.com>
Sent: Wednesday, July 8, 2009 2:50:10 PM
Subject: Re: [389-users] Recover after installing a bad cert.
On July 8, 2009 06:19:55 pm Dumbo Q wrote:
> I just installed a new ssl certificate using pk12util. I restarted my
> dirsrv, and picked the new cert in the dropdown menu under the encryption
> tab. I restarted dirsrv to make it take affect. When I did this, I found
> that the root certificate was not in redhats/openssls ca-bundle. I tried
> importing the intermediate certificate, and I think I just made the problem
> worse.
>
> right now im getting the following.
> SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert
> rhds.example.com - Comodo CA Limited of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
> Peer's Certificate issuer is not recognized.) [08/Jul/2009:14:18:04 -0400]
> - SSL failure: None of the cipher are valid
>
>
> Now my directory is down completely. How can I get it to start up without
> SSL so that I can fix the problem?
Make sure you backup /etc/dirsrv/INSTANCE/dse.ldif
then edit that file and look for
nsslapd-security: on
change to
nsslapd-security: off
save file, restart service and ssl should be turned off. Keep in mind
whatever caused the ssl config to puke in the first place is still there :)
Ryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20090708/ca664726/attachment.html
