[389-users] OS to authenticate to DS using TLS

I believe we encountered this problem, too, and found we needed to
import the CA cert into the nss database for the user running
centos-idm-console.  The details are in that long, long, post - John

On Wed, 2009-06-17 at 09:12 -0500, Doug Coats wrote:
> Thanks Dave - that worked.
>  
> I am still having some problems with the certificates though.
>  
> If I try this in the directory where the certificates are:
>  
> openssl s_client -connect localhost:636 -CAfile filename
>  
> I get a listing of the certificates without errors.
>  
> If I try: 
>  
> ldapsearch -H ldaps://localhost:636
>  
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> If I start the console using:
>  
> centos-idm-console -a https://127.0.0.1:9830
>  
> I have to "Accept" the certificate each time.  
>  
> It looks like there may be some problem with the certificate or some
> setting in DS that still needs to be switched on.
>  
> What do you think?
>  
> Thanks again for all of your help!
> 
> 
> On Wed, Jun 17, 2009 at 7:58 AM, David (Dave) Donnan
> <david.donnan at thalesgroup.com> wrote:
>         Hello. I think I understand the problem.
>         
>         I copied the CA cert locally to /tmp/CAcert.txt
>         
>         I then ran 'system-config-authentication'  and used a URL like
>         the following (where it says 'Download CA Certificate'):
>         
>         file:///tmp/CAcert.txt
>         
>         It's a lazy man's approach but it worked.
>         
>         Cdlt, Dave
>         -------- 
>         
>         
>         
>         And John A. Sullivan III wrote: 
>         > On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote:
>         >   
>         > > So my next hurdle I am tackling SSL certificates.  I produced
>         > > self-signed certificates and have installed them in through the
>         > > Management Console.  I can run the Management Console using a secure
>         > > connection.
>         > >  
>         > > Linux uses DS to authenticate (configured using System >
>         > > Administration > Authentication and enabling LDAP support).  If I try
>         > > to "Use TLS to encrypt connection" I can't program a URL that will let
>         > > me download the CA Certificate successfully. I hope that all made
>         > > sense.
>         > >  
>         > > Am I missing something?  Do I need this?
>         > >     
>         > <snip>
>         >   
>         > Sorry, I don't quite follow.  I know it was a difficult-to-follow post
>         > but I did post how we set up SSL communications including the client
>         > side setup.  We simply copied the CA cert to the clients (servers using
>         > LDAP for authentication) via scp - John
>         >   
>         
>         
>         
>         --
>         389 users mailing list
>         389-users at redhat.com
>         https://www.redhat.com/mailman/listinfo/fedora-directory-users
>         
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
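The mismatch Doug describes, openssl s_client -CAfile succeeding while ldapsearch reports "certificate verify failed", comes down to where each client gets its trust anchor: s_client was handed the CA file on the command line, while ldapsearch only trusts what OpenLDAP's client config (TLS_CACERT in /etc/openldap/ldap.conf or ~/.ldaprc) points at, and the console keeps its own NSS database, which is why John's fix is to import the CA there. The script below is an added example, not part of this thread and not 389/OpenLDAP project code. It reproduces the failure offline with a throwaway CA and shows the client-side fix. It assumes the openssl command-line tool is installed; the ldap.conf keywords TLS_CACERT and TLS_REQCERT are OpenLDAP's own, while the certificate subjects, file names and the output directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce "certificate verify failed" offline and show the
# client-side fix (trust the CA; do not disable verification).
# Assumes the openssl CLI. Every certificate here is throwaway test data
# generated on the fly, not a certificate from the thread.

# Create a throwaway CA and a server certificate signed by it in directory $1.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # Self-signed CA (constructed subject, one-day validity).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # Server key and CSR for the host the LDAP client will connect to.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=localhost" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    # Sign the server certificate with the test CA.
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1 || return 1
}

# Validate the server certificate the way a TLS client does.
# With no trust anchor ($2 empty) the chain cannot be built and the check
# fails: that is what ldapsearch surfaces as "certificate verify failed".
# With the CA file supplied (the offline equivalent of s_client -CAfile)
# it succeeds. Returns 0 when trusted, non-zero otherwise.
check_server_cert() {
    dir="$1"; cafile="${2:-}"
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$dir/server.crt" >/dev/null 2>&1
    else
        openssl verify "$dir/server.crt" >/dev/null 2>&1
    fi
}

# Write the OpenLDAP client setting that gives ldapsearch its trust anchor.
# In production this belongs in /etc/openldap/ldap.conf (or ~/.ldaprc);
# here it is written to $1/ldap.conf so the demo never touches system files.
# TLS_REQCERT demand is OpenLDAP's default; it is written out explicitly so
# the error is not "fixed" by setting it to never, which turns verification off.
write_ldap_client_trust() {
    dir="$1"
    printf 'TLS_CACERT %s/ca.crt\nTLS_REQCERT demand\n' "$dir" > "$dir/ldap.conf"
}

# Walk through the failure and the fix; run with: sh this_script.sh --demo
demo() {
    work=$(mktemp -d)
    make_test_pki "$work" || { echo "openssl PKI setup failed"; return 1; }
    if check_server_cert "$work"; then
        echo "no trust anchor: trusted (unexpected)"
    else
        echo "no trust anchor: certificate verify failed (what ldapsearch reports)"
    fi
    if check_server_cert "$work" "$work/ca.crt"; then
        echo "with CA file:    trusted (what s_client -CAfile reports)"
    fi
    write_ldap_client_trust "$work"
    echo "client config written to $work/ldap.conf:"
    cat "$work/ldap.conf"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Nothing on the DS side needs to change if s_client with -CAfile already validates the chain; the work is on each client. For the console, which does not read ldap.conf, the matching step is the one John gives above: import ca.crt into the NSS database of the user running centos-idm-console (certutil -A with a trust flag such as "CT,,"), after which the "Accept this certificate" prompt stops appearing because the issuer is now trusted rather than tolerated.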



