Re: Error when starting dirsrv after enabling SSL and installing keys and certificates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Pointing -CAfile to the ca public cert returns this:

    Verify return code: 0 (ok)

I have just one CA, with no intermediates.

 

 

On 2013-07-17 12:45, Dan Lavu wrote:

Set it up and see what the output is, this should give you a clearer idea of what the problem is with the cert. 
 
Out of curiosity do you have just one CA or do you have intermediates as well?

On Jul 17, 2013, at 12:35 PM, Kyle Johnson <kjohnson@xxxxxxxxxx> wrote:

On the other working machines, the openssl command produces the same output.

You're correct, I didn't not configure my CA cert to be used with openssl in openssl.cnf (on either box).

 
 

On 2013-07-17 12:23, Dan Lavu wrote:

Sounds like your certificates are not setup correctly for that system, what are the results on the other 'working' machines? 
 
I might have made a bad assumption, did you configure your CA cert to be used with openssl? (openssl.conf) That must be set otherwise you will have trust errors when using openssl s_client .
 
On Jul 17, 2013, at 12:18 PM, Kyle Johnson <kjohnson@xxxxxxxxxx> wrote:

Hi Dan,

Yes, dirsrv does indeed start.  Here is what I receive from the openssl command (the important bits):

 

verify error:num=19:self signed certificate in certificate chain
verify return:0
...

Verify return code: 19 (self signed certificate in certificate chain)

 

    Kyle

 
 

On 2013-07-17 12:04, Dan Lavu wrote:

Sorry the command is something like 
 
$ openssl s_client -connect localhost:443
 
it's not verify… 
 

On Jul 17, 2013, at 12:03 PM, Dan Lavu <dan@xxxxxxxx> wrote:

Kyle,

Does dirsrv start? If it does start, have you tried running 'openssl verify HOSTNAME:PORT' to validate the certificate?

Dan

On Jul 17, 2013, at 10:55 AM, Kyle Johnson <kjohnson@xxxxxxxxxx> wrote:

Hello everyone,

I have been receiving help from richm in the #389 channel for the last few days, but haven't made much progress, so I'd like to move the conversation somewhere a little more persistent.

My issue is that after manually enabling SSL by following the instructions at               ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled
(that is, not using the setupssl2.sh script) and installing my CA and public and private key bundle, I am receiving the following error when starting dirsrv.
I also receive this error if I run the setupssl2.sh script and then replace the certificates and keys generated by it with the ones below.


[root@ldap005 slapd-ldap005]# service dirsrv restart
Shutting down dirsrv:
  ldap005...                                             [  OK  ]
Starting dirsrv:
  ldap005...[17/Jul/2013:14:41:21 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert ldap005.infra.dfw of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8016 - unknown)
                                                         [  OK  ]
[root@ldap005 slapd-ldap005]#


Here is a list of the installed certs:
ca001.zhv.domain.com                                  CT,,
ldap005.infra.dfw                                            u,u,u


And the installed keys:
< 0> rsa      a25fae676b83cfeb52d1fdc671aa74a34ef4ee8c   ldap005.infra.dfw


My versions of 389 are as follows:
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-ds-base-1.2.11.15-14.el6_4.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-dsgw-1.1.9-1.el6.x86_64
389-adminutil-1.1.15-1.el6.x86_64
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
389-console-1.1.7-1.el6.noarch
389-admin-1.1.29-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch


I would like to note that I have this working on another of my 389 servers, the difference being that 389-ds-base is an earlier version:
389-console-1.1.7-1.el6.noarch
389-ds-base-1.2.10.2-20.el6_3.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-dsgw-1.1.9-1.el6.x86_64
389-adminutil-1.1.15-1.el6.x86_64
389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
389-admin-1.1.29-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-1.2.2-1.el6.noarch



Please let me know what other information you would need to help me with troubleshooting this issue.

  Kyle Johnson

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux