Re: Create 389 directory server secure connections


On Tue, 2016-04-12 at 01:32 +0000, xinhuan zheng wrote:
> Hello Mr. Brown,
> 
> 
> TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
> TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.
> TLS: certificate [CN=CAcert] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
> TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
> TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
> 
> [11/Apr/2016:21:14:18 -0400] conn=28 fd=64 slot=64 SSL connection from 192.168.13.26 to 192.168.13.26
> [11/Apr/2016:21:14:18 -0400] conn=28 op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
> 
> 
> I think I'll need to delete all certificates then re-create them all from
> scratch. One thing I am not sure is the certificate flags, in setupssl2.sh. For
> "CA certificate" the flag is "CT,,", while for server certificate, it is
> "u,u,u", is it correct?
> 

The issue is that you do not have your CA cert in /etc/openldap/certs.

I helped with this same issue in the subject titled:

[389-users] Re: admin and Directory Manager accounts cannot log into 389-console


The answer I gave there:


So you should take the current CA cert from the slapd instance:

certutil -L -d /etc/dirsrv/slapd-E2WAN/ -n wsf-LabCA.lab.aero.org -a > /etc/openldap/cacerts/wsf-LabCA.lab.aero.org.pem

Then you can make these valid for openldap to use:

cd /etc/openldap/cacerts
cacertdir_rehash

This will recreate the hash -> cert symlinks.

From there, re-run your ldap search command:

 ldapsearch -d 5 -x -L -b 'dc=lab,dc=aero,dc=org'



You will need to adjust these commands to match your instances, the CA certs, and
your openldap/certs location. Otherwise, that should fix the issue.


-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane

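The procedure above (find the CA entry in the slapd NSS database, export it as PEM into the OpenLDAP client's CA directory, rebuild the hash symlinks, re-run ldapsearch) as one shell script. This is an added example, not code from the thread or from the 389 project. The instance path, CA nickname, host name and base DN are placeholders to adjust; the `certutil -L` listing embedded at the bottom is constructed so the nickname filter can be tried offline.

```shell
#!/bin/sh
# Added example: move a CA from a slapd NSS database to OpenLDAP's CA dir.
# Paths, nicknames and hosts are placeholders, not values from a real site.

# From `certutil -L` output on stdin, print the nicknames whose SSL trust
# column contains C (trusted CA) or T (trusted CA, may issue client certs).
# Those are the CA anchors to export; "u,u,u" rows are certificates with a
# private key (the server cert) and are not trust anchors. Nicknames may
# contain spaces, so everything except the final trust column is kept.
ca_nicknames() {
    awk '$NF ~ /^[pPcCTuwg]*,[pPcCTuwg]*,[pPcCTuwg]*$/ {
        split($NF, f, ",")
        if (f[1] ~ /[CT]/) {
            $NF = ""
            sub(/[[:space:]]+$/, "")
            print
        }
    }'
}

# Export one nickname from the slapd NSS db as PEM into the directory that
# ldap.conf points TLS_CACERTDIR at, then rebuild the hash -> cert symlinks
# the client uses to find it. cacertdir_rehash ships with authconfig on
# Fedora/RHEL; `openssl rehash` is the fallback (assumes OpenSSL >= 1.1).
export_ca_to_openldap() {
    nssdb=$1
    nick=$2
    cadir=$3
    pem="$cadir/$(printf '%s' "$nick" | tr ' /' '__').pem"
    certutil -L -d "$nssdb" -n "$nick" -a > "$pem" || return 1
    # certutil exits 0 but prints nothing useful if the nickname is wrong,
    # so check that a PEM certificate actually landed in the file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || {
        echo "no PEM certificate exported for nickname '$nick'" >&2
        return 1
    }
    if command -v cacertdir_rehash >/dev/null 2>&1; then
        cacertdir_rehash "$cadir"
    else
        openssl rehash "$cadir"
    fi
}

# Re-test the LDAPS connection. -d 1 keeps the client library's TLS: lines,
# so a remaining -8172 (untrusted issuer) shows up instead of a bare failure.
# 1.1 requests no attributes; only the base entry's DN is returned.
verify_ldaps() {
    ldapsearch -x -d 1 -LLL -H "ldaps://$1" -b "$2" -s base 1.1
}

# Constructed sample of `certutil -L` output for trying ca_nicknames offline.
# Only the first nickname is the one quoted in the thread; the rest are made up.
SAMPLE_CERTUTIL_L='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

wsf-LabCA.lab.aero.org                                       CT,,
Server-Cert                                                  u,u,u
Imported Test CA                                             ,,'

# Usage on a real host (placeholder paths):
#   certutil -L -d /etc/dirsrv/slapd-E2WAN | ca_nicknames
#   export_ca_to_openldap /etc/dirsrv/slapd-E2WAN wsf-LabCA.lab.aero.org /etc/openldap/cacerts
#   verify_ldaps ldap.lab.aero.org 'dc=lab,dc=aero,dc=org'
```

Run against the sample listing, `ca_nicknames` prints only `wsf-LabCA.lab.aero.org`: the `u,u,u` server cert and the `,,` entry with no trust bits are skipped, which is the distinction the trust-flag question in the quoted mail is about.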

--
389 users mailing list
