On 09/23/2011 02:53 PM, Orion Poplawski wrote:
> On 09/23/2011 01:44 PM, Rich Megginson wrote:
>> On 09/23/2011 01:24 PM, Orion Poplawski wrote:
>>> I'm trying to set up MMR with another office site. We're trying to connect
>>> over SSL, but my server gives the error:
>>>
>>> [23/Sep/2011:12:00:56 -0600] slapi_ldap_bind - Error: could not send bind
>>> request for id [cn=Replication Manager,cn=config] mech [SIMPLE]: error 81
>>> (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not
>>> recognized.) 11 (Resource temporarily unavailable)
>>>
>>> I've added what I believe are the proper CA certs (it is a chain of 3) for the
>>> remote server to my directory server via the 389-console and manage
>>> certificates.
>
>> Did it have 3 in a single file, or 3 different files?
>
> 3 in a single file. I noticed that certutil and the console only
> seemed to import the first one, so I also imported the other two
> individually.
>
>>> However, I noticed that when I use certutil on the server to
>>> list the certificates, I don't see them:
>>>
>>> # certutil -d /etc/dirsrv/slapd-cora/ -L
>>>
>>> Certificate Nickname                          Trust Attributes
>>>                                               SSL,S/MIME,JAR/XPI
>>>
>>> CA certificate                                CT,,
>>> server-cert                                   u,u,u
>>>
>>> I would have thought they would be stored in the same place.
>> They should be.
>>> If not, where
>>> are the ones listed in the console stored?
>
>> Good question.
>
>>> Does it matter that they aren't
>>> showing up with certutil?
>
>> Yes.
>
> That's what I thought, so I used certutil as well. The console then
> showed those entries with the names I gave them with certutil.

So they are showing up in the console but not certutil? Any difference between

certutil -d /etc/dirsrv/slapd-hostname -L

and

certutil -d /etc/dirsrv/admin-serv -L

? That is, perhaps they were added to the admin server but not the directory server?

>
>> Are these chained to a well-known root CA? If so, you can add those
>> to the directory server CA certs list:
>> http://directory.fedoraproject.org/wiki/Howto:SSL#Viewing_the_list_of_built-in_CA_certs
>>
>
> The top in the bundle is www.valicert.com, which I haven't had
> trouble with for browsers and the like. I'm not having any luck with
> linking in the library and seeing the root CAs.

So if you link the library, and then do

certutil -d /etc/dirsrv/slapd-hostname -L

you don't see any of those CA certs?

Try stopping the directory server before using certutil.

>
>>> Anything else I can do to debug the SSL connection?
>> It may just be that if there is more than one CA cert in the file
>> only the first or last is added.
>
> Yeah, I noticed that.
>
> The other fun thing is that it is a wildcard cert, but I'm thinking
> that it would give some kind of hostname not matching error if that
> was an issue. Maybe I'm wrong.
>

You should get a different error if there is a problem with the wildcard.

I think the problem is the certutil oddness.

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
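Added example, not from the thread or the 389 project: a POSIX shell script that splits a multi-certificate PEM bundle into one file per certificate and imports each piece into the instance's NSS database with certutil under its own nickname, which is the manual workaround Orion describes for certutil importing only the first cert of a bundle. The bundle contents, directory paths, nicknames and instance name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. certutil -A imports only the first
# certificate in a PEM file, so a 3-cert chain must be split and each piece
# imported under its own nickname. Paths and nicknames are placeholders.

# split_pem_bundle BUNDLE OUTDIR: writes OUTDIR/ca-N.pem per certificate
# and prints the number of certificates found.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# import_ca_chain OUTDIR NSSDB PREFIX: import each piece as a trusted CA
# (trust flags CT,,) and list the database. Stop the dirsrv instance first,
# as the thread suggests; add -f <pwfile> if the NSS database has a password.
import_ca_chain() {
    dir="$1"; db="$2"; prefix="$3"
    for f in "$dir"/ca-*.pem; do
        nick="$prefix-$(basename "$f" .pem)"
        certutil -A -d "$db" -n "$nick" -t "CT,," -a -i "$f" || return 1
    done
    certutil -d "$db" -L
}

# write_sample_bundle FILE: a constructed 3-certificate bundle with
# placeholder bodies (not real certificates), just to exercise the split.
write_sample_bundle() {
    i=1
    : > "$1"
    while [ "$i" -le 3 ]; do
        printf '%s\n%s%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
            'MIIBplaceholderNotARealCertificate' "$i" \
            '-----END CERTIFICATE-----' >> "$1"
        i=$((i + 1))
    done
}

# Stand-alone demo of the split step only (no certutil needed):
demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/remote-ca-bundle.pem"
echo "split into $(split_pem_bundle "$demo_dir/remote-ca-bundle.pem" "$demo_dir/split") files"
# Then, with the instance stopped (INSTANCE is a placeholder):
#   import_ca_chain "$demo_dir/split" /etc/dirsrv/slapd-INSTANCE remote-ca
```

After the import, `certutil -d /etc/dirsrv/slapd-INSTANCE -L` should list one `CT,,` entry per piece of the chain; if they still do not appear there, the import went into a different database (for example the admin server's) rather than the directory server's.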