Re: admin and Directory Manager accounts cannot log into 389-console

> 
> ///////////
> As you suggested, I looked into the /var/log/dirsrv/slapd-E2WAN/errors file, I
> decided to purposely restart the whole server and at the very bottom, I found
> the following:
> [05/Apr/2016:15:43:01 -0400] - Information: Non-Secure Port Disabled
> [05/Apr/2016:15:43:01 -0400] - SSL alert: CERT_VerifyCertificateNow: verify
> certificate failed for cert wsf-LabLDAP.crt of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's
> Certificate has expired.)
> [05/Apr/2016:15:43:01 -0400] - 389-Directory/1.2.11.15 B2014.314.1342 starting
> up
> [05/Apr/2016:15:43:02 -0400] - slapd started.  Listening on All Interfaces port
> 636 for LDAPS requests
> 
> What draws my attention is the second line of output, SSL alert:
> CERT_VerifyCertificateNow etc... etc... etc...  I would like to update the
> certificate, because I did generate a new CA-signed certificate with the same
> name wsf-LabLDAP.crt; and I did copy it into the same folder that the original
> 'expired' certificate was stored in.

Do you have the CA certificate in your /etc/dirsrv/slapd-<instance>/ nssdb? You
should be able to see it with certutil, and the trust flags CT. Try:

certutil -L -d /etc/dirsrv/slapd-<instance>/



Do you have a CA referenced in /etc/openldap/ldap.conf as well? That CA location
will need the CA certificate too.

What distro and version are you running (IE RHEL7)?

I think this is an SSL issue at this point, not a password one. The password
parts all looked fine to me. 

> 
> 
> [05/Apr/2016:15:46:52 -0400] conn=8 fd=64 slot=64 SSL connection from
> 192.168.2.243 to 192.168.2.243
> [05/Apr/2016:15:46:52 -0400] conn=8 op=-1 fd=64 closed - SSL peer cannot verify
> your certificate.
> 
> 
> 
> I hope I provided proper and full details for your questions.  I don't mind
> sharing clear text passwords, the real system is not reachable from the
> internet, and I am having this problem also in my virtual lab (where the data
> from above is copy/pasted).

I don't think we'll need these. 



-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
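
The trust-flag check suggested in the reply above, as an added example that is not part of the original message: a shell filter that reads `certutil -L` output and reports whether any CA entry carries the C and T flags in its SSL trust group. The sample listings and nicknames are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): classify `certutil -L` entries
# by their SSL trust flags to see whether a CA carries the C and T flags.

# Reads `certutil -L -d <nssdb>` output on stdin and prints one line per
# entry in the form <status>|<nickname>|<flags>
classify_nssdb() {
    awk '
    # The trust column is the last field: SSL,S/MIME,JAR/XPI flag groups.
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        flags = $NF
        nick = $0
        sub(/ +[^ ]+ *$/, "", nick)    # strip the trust column
        sub(/^ +/, "", nick)           # strip leading padding
        split(flags, g, ",")
        ssl = g[1]                     # only the SSL group matters for LDAPS
        if (ssl ~ /C/ && ssl ~ /T/) status = "TRUSTED_CA"
        else if (ssl ~ /u/)         status = "HAS_PRIVATE_KEY"
        else                        status = "NO_SSL_TRUST"
        printf "%s|%s|%s\n", status, nick, flags
    }'
}

# Succeeds only if at least one entry is a CA trusted for SSL (C and T).
has_trusted_ca() {
    classify_nssdb | grep -q '^TRUSTED_CA|'
}

# Constructed sample: CA imported without trust flags (nicknames are made up).
sample_untrusted() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Lab CA                                               ,,
Server-Cert                                                  u,u,u
EOF
}

# Constructed sample: the same database after the CA was given CT trust.
sample_trusted() {
    sample_untrusted | sed 's/^\(Example Lab CA *\),,$/\1CT,,/'
}

# Live use (path form taken from the thread):
#   certutil -L -d /etc/dirsrv/slapd-<instance>/ | classify_nssdb
```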


--
389 users mailing list