Hi, (Off list posting, please include me in replies) I'm having issues getting a freshly provisioned instance of 389 working with SSL. In my instance directory, I created a self signed CA and server cert with: certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -2 -f ./pwdfile certutil -S -n "Server-Cert" -s "cn=ammy.its.adelaide.edu.au" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -f ./pwdfile -8 localhost certutil -d . -V -n Server-Cert -u V certutil: certificate is valid Restarting nsslapd I see: [19/Sep/2014:10:04:47 +091800] - SSL failure: None of the cipher are valid [19/Sep/2014:10:04:47 +091800] - ERROR: SSL Initialization phase 2 Failed. With NO OTHER errors. Higher log levels have not helped. Here are the relevant parts of dse.ldif for my configuration. cn=config: nsslapd-security: on nsslapd-ssl-check-hostname: off nsslapd-validate-cert: warn dn: cn=encryption,cn=config nsSSLSessionTimeout: 0 nsSSLClientAuth: allowed nsSSL2: off nsSSL3: on creatorsName: cn=server,cn=plugins,cn=config modifiersName: cn=directory manager This was from the steps at http://directory.fedoraproject.org/wiki/Howto:SSL None of this configuration seems unreasonable. I would like to know if there are ways to improve my debug output around this matter. Is there an NSS environment variable I can use to help with this for example?
Attachment:
signature.asc
Description: This is a digitally signed message part
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
