On Tue, May 28, 2013 at 8:25 AM, Davide Fanciola <dfanciola@xxxxxxxxx> wrote:
> Hi Yehuda,
>
> I finally managed to make it work :)

Awesome!

>
> The certificates were correct but the trust options for the "signing_cert"
> were not.
> The command I used to convert the signing_cert is the following:
>
> # openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey |
> certutil -A -d /var/lib/ceph/nss/ -n signing_cert -t "P,P,P"
>
> As you can see I've changed the trust options from "TCu,Cu,Tuw" to "P,P,P".
>
> So my actual NSS db is as follows:
>
> # certutil -L -d /var/lib/ceph/nss/
>
> Certificate Nickname                         Trust Attributes
>                                              SSL,S/MIME,JAR/XPI
>
> ca                                           CT,C,c
> signing_cert                                 P,P,P
>
> It was clear to me that something was wrong with the trust options, because
> the error was coming after a call to NSS_CMSSignedData_VerifySignerInfo
> which mainly verifies the trust options.
> I'm not sure that the trust options "P,P,P" are 100% correct security-wise,
> but it works after all.
>
> Maybe the documentation was written when libnss had this bug
> https://bugzilla.mozilla.org/show_bug.cgi?id=531160.

Yeah, probably. Opened documentation issue #5178 to fix docs accordingly.

Thanks,
Yehuda
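As an added example (not part of the original messages or of the Ceph documentation), the following Python code parses a `certutil -L` listing like the one quoted above, decodes each trust flag using the meanings given in the certutil man page, and reports any certificate that carries CA trust bits without being an expected CA. The function names and the `expected_cas` policy set are assumptions made for illustration; the sample listing is constructed from the values in the thread.

```python
import re

# Flag meanings as given in the certutil man page (-t trustargs).
FLAGS = {"p": "valid peer", "P": "trusted peer", "c": "valid CA",
         "C": "trusted CA (server certs)", "T": "trusted CA (client certs)",
         "u": "user cert", "w": "send warning"}
USAGES = ("SSL", "S/MIME", "JAR/XPI")
CA_FLAGS = set("cCT")
ROW = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")

# Constructed sample in the shape of the `certutil -L` listing quoted above.
SAMPLE = """\
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

ca                                          CT,C,c
signing_cert                                P,P,P
"""

def parse_listing(text):
    """Return {nickname: {usage: set(flags)}} from `certutil -L` output."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match the trust pattern
            fields = m.group("trust").split(",")
            entries[m.group("nick").strip()] = {u: set(f) for u, f in zip(USAGES, fields)}
    return entries

def describe(trust):
    """Decode one entry into human-readable flag names per usage."""
    return {u: sorted(FLAGS[f] for f in flags) for u, flags in trust.items()}

def audit(entries, expected_cas):
    """Flag nicknames that carry CA trust bits but are not expected to be CAs."""
    findings = []
    for nick, trust in sorted(entries.items()):
        if nick in expected_cas:  # hypothetical policy: these may hold CA trust
            continue
        for usage, flags in trust.items():
            hit = flags & CA_FLAGS
            if hit:
                findings.append((nick, usage, "".join(sorted(hit))))
    return findings

if __name__ == "__main__":
    db = parse_listing(SAMPLE)
    for nick, trust in db.items():
        print(nick, describe(trust))
    print("CA-trust findings:", audit(db, expected_cas={"ca"}))
```

Run against the earlier "TCu,Cu,Tuw" setting, `audit` reports `signing_cert` under all three usages, because those flags mark it as a trusted CA rather than as a peer certificate.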