Hello Mr. Brown,
the problem is still not resolved.
I ran, as you suggested:
root@wsf-LabLDAP:/etc/openldap/cacerts> certutil -L -d /etc/dirsrv/slapd-E2WAN/ -n wsf-LabCA.lab.aero.org -a > wsf-LabCA.lab.aero.org.pem
Then I ran the cacertdir_hash command (not realizing I needed to provide a directory, I have never heard of the command), in the following manner:
root@wsf-LabLDAP:/etc/openldap/cacerts> cacertdir_rehash /etc/openldap/cacerts/
I confirmed the link is in place:
root@wsf-LabLDAP:/etc/openldap/cacerts> ls -l
total 8
lrwxrwxrwx. 1 root root 25 Apr 7 07:04 415ee41f.0 -> authconfig_downloaded.pem
lrwxrwxrwx. 1 root root 26 Apr 7 07:04 415ee41f.1 -> wsf-LabCA.lab.aero.org.pem
-rw-r--r--. 1 root root 1501 Apr 5 16:54 authconfig_downloaded.pem
-rw-r--r--. 1 root root 1523 Apr 7 07:03 wsf-LabCA.lab.aero.org.pem
and Re-executed the ldapsearch command from before:
root@wsf-LabLDAP:/etc/openldap/cacerts> ldapsearch -d 5 -x -L -b 'dc=lab,dc=aero,dc=org'
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP wsf-LabLDAP.lab.aero.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.2.243:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: loaded CA certificate file /etc/openldap/cacerts/415ee41f.0 from CA certificate directory /etc/openldap/cacerts.
TLS: skipping 'authconfig_downloaded.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'wsf-LabCA.lab.aero.org.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: loaded CA certificate file /etc/openldap/cacerts/415ee41f.1 from CA certificate directory /etc/openldap/cacerts.
TLS: certificate [CN=wsf-LabLDAP.lab.aero.org,OU=Aerospace,O=Aerospace,L=Chantilly,ST=Virginia,C=US] is not valid - error -8181:Peer's Certificate has expired..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8157
TLS: can't connect: TLS error -8157:Certificate extension not found..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
My CA cert is not expired, but my wsf-LabLDAP certificate WAS expired. I renewed the certificate (using the original CSR for wsf-LabLDAP) and I did copy it over to the
wsf-LabLDAP server into the same place as the original .crt file; which is /etc/pki/CA.
root@wsf-LabLDAP:/etc/pki/CA/certs> ls -l
total 20
-rw-r--r--. 1 root root 1501 Mar 24 2014 wsf-LabCA.crt
-rw-r--r--. 1 root root 4693 Apr 1 13:40 wsf-LabLDAP-AdminServer.crt
-rw-r--r--. 1 root root 4694 Apr 1 13:40 wsf-LabLDAP.crt
What I don't know how to do is get (is it called the?) certdb file for 389-ds updated with the new certificates you see listed above. Considering when I installed them in the first place I use the 389-console to make those exact updates.
If RedHat/CentOS uses /etc/openldap/cacerts as the location to store the authconfig-gtk downloaded file from the CA it was pointed at, how does it get it into the appropriate database? automatically?
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
