On 06/17/2009 02:48 PM, Dan Weintraub wrote: > Hi all, > > I've been looking into this and I first found out that your suspicions > are correct. The trust attributes on my CA certificate are incorrect. > > certutil -L shows them as "CT,," > > To fix this I tried the modify command, > > certutil -M -n cacert -t CTu,u,u -d . > > It gives no error, but unfortunately, does nothing and certutil -L > still shows me "CT,," Try CTu,Cu,Cu or CT,C,C You can verify your cert chain with a certutil -V -d <nss-dir> -n <ssl-server-nickname> -eu CVS which should return: certutil: certificate is valid or certificate is invalid: Peer's Certificate issuer is not recognized. Use certutil -O to display the certificate chain. M. > > I thought this might have been because I used openssh tools instead of > certutil, so I removed all my certificates and created a new CA with > certutil, specifying "CTu,u,u" on the command line when I created the > CA cert. I then added the CA with the Certificate Manager and did a > certutil -L only to find that it was marked "CT,," I tried to modify > this certificate with certutil -M, but it still doesn't work. > > Do I have some permissions wrong somewhere? Am I using the tools > incorrectly? Any suggestions? > > Thanks in advance, > Dan > > > > jean-No?l Chardron wrote: >> hi, >> >> Dan Weintraub a ?crit : >>> Thanks, that's exactly what I was following. Now that I've got the >>> port corrected I'm getting a certificate error despite having the >>> correct certificates setup (or so I thought...) I'll read through >>> that documentation you posted and see if I can sort it out. >>> >>> Thanks, >>> Dan >>> >>> PS >>> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, >>> LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable >>> Runtime error -8172 >> >>> (Peer's certificate issuer has been marked as not trusted by the user.) >>> >> Can you post the output of the command : >> #certutil -L -d /path/of/directory/where/is/the/certificate/ >> >> The path of the directory where is the certificate has 2 files : >> key3.db and cert8.db >> >> For example, on my server the output is : >> # certutil -L -d /etc/dirsrv/slapd-aragon/ >> Certificate Nickname Trust >> Attributes >> >> SSL,S/MIME,JAR/XPI >> >> CNRS2-Standard CT,C,C >> aragon.dr15.cnrs.fr Cert u,u,u >> CNRS-Standard CT,C,C >> CNRS CT,C,C >> CNRS2 CT,C,C >> >> I suppose (it's a hypothesis) that your certificate doesn't have the >> tag u,u,u or something like this or the CA can't trust the certificate >> >>> John A. Sullivan III wrote: >> >>>> On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote: >>>>> Hi all, >>>>> >>>>> I'm trying to setup replication over ssl and am running into >>>>> problems. I >>>>> first tried it unencrypted and all worked fine. I then copied over >>>>> the >>>>> consumer's CA certificate and set up replication with SSL and Simple >>>>> Authentication. It doesn't work and I now get the following errors: >>>>> >>>>> When I set it up: >>>>> supplier error log: >>>>> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" >>>>> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP >>>>> server), Netscape Portable Runtime error -5938 (Encountered end of >>>>> file.) >>>>> >>>>> these appear thereafter: >>>>> consumer access log: >>>>> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from >>>>> 10.1.1.100 to 10.1.1.101 >>>>> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 >>>>> (Protocol error) - B1 >>>>> >>>>> consumer error log: >>>>> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP >>>>> message (tag >>>>> 0x80, expected 0x30) >>>>> >>>>> Versions: >>>>> Supplier: >>>>> fedora-ds-1.1.2-1.fc6 >>>>> fedora-ds-dsgw-1.1.1-1.fc6 >>>>> fedora-ds-base-1.1.3-2.fc6 >>>>> fedora-ds-admin-1.1.6-1.fc6 >>>>> fedora-ds-admin-console-1.1.2-1.fc6 >>>>> fedora-ds-console-1.1.2-1.fc6 >>>>> >>>>> Consumer: >>>>> fedora-ds-admin-1.1.7-3.fc6 >>>>> fedora-ds-admin-console-1.1.3-1.fc6 >>>>> fedora-ds-base-1.2.0-2.fc6 >>>>> fedora-ds-dsgw-1.1.2-1.fc6 >>>>> fedora-ds-console-1.2.0-1.fc6 >>>>> fedora-ds-1.1.3-1.fc6 >>>>> >>>>> I'm at a loss as to how to proceed with troubleshooting and would >>>>> appreciate any suggestions. >>>>> >>>>> Thanks, >>>>> Dan Weintraub >>>> <snip> >>>> Hi, Dan. Here is a snippet from our internal documentation. I >>>> apologize >>>> that I don't have time to customize it or analyze your issue more >>>> deeply >>>> but perhaps our findings will help you in your environment. Given >>>> Rich's comment, I wonder if you were stung by the same error in >>>> documentation we noted below: >>>> >>>> Go back to the centos-idm-console on ldap1 >>>> Go to the Configuration tab, select the userRoot under the >>>> Replication >>>> object in the left panel. Left/right client and choose New >>>> Replication >>>> Agreement >>>> The name is "mycompany.com ldap1->ldap2" and the >>>> Description is >>>> "Replicates mycompany.com from ldap1 to ldap2". Click Next. >>>> Set the Consumer to ldap2.mycompany.com:389 from the drop down >>>> box (389 is correct even though we are really using 636) - >>>> Oops! >>>> That is not true despite what the documentation says. Click >>>> other and create a new entry for ldap2.mycompany.com on port >>>> 636. >>>> Enable the SSL connection. >>>> Enter cn=repuser,cn=config for the Bind As and enter the >>>> password. >>>> Click Next and then Next again. >>>> We will always keep directories in sync so click Next again. >>>> Choose Initialize Consumer Now and click Next >>>> Click Done >>>> >>>> If you need more details, e.g., about how we set up SSL, I posted most >>>> of our internal procedure a day or two ago on this mailing list in >>>> response to a post entitled "Developting a CentOS-DS setup". You can >>>> find much more detail there. >>>> >>>> Good luck - John >>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users
