Re: TLS trace: SSL3 alert write:fatal:unknown CA

[Jeff Gamsby <JFGamsby@xxxxxxx>]

Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783



Richard Megginson wrote:
> Jeff Gamsby wrote:
> > Jeff Gamsby
> > Center for X-Ray Optics
> > Lawrence Berkeley National Laboratory
> > (510) 486-7783
> >
> >
> >
> > Richard Megginson wrote:
> > > Jeff Gamsby wrote:
> > > > I am trying to get FDS 1.0.2 working in SSL mode. I am using a 
> > > > OpenSSL CA, I have installed the Server Cert and the CA Cert, can 
> > > > start FDS in SSL mode, but when I run
> > > > ldapsearch -x -ZZ  I get TLS trace: SSL3 alert write:fatal:unknown CA.
> > > Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
> > I did, but that didn't work for me. The only thing that I did this 
> > time was generate a request from the "Manage Certificates", sign the 
> > request using my OpenSSL CA, and install the Server and CA Certs. 
> > Then I turned on SSL in the Admin console, and restarted the server.
> >
> > When I followed the instructions from the link, I couldn't even get 
> > FDS to start in SSL mode.
> One problem may be that ldapsearch is trying to verify the hostname in 
> your server cert, which is the value of the cn attribute in the 
> leftmost RDN in your server cert's subject DN.  What is the subject DN 
> of your server cert?  You can use certutil -L -n Server-Cert as 
> specified in the Howto:SSL to print your cert.

Running cd /opt/fedora-ds/alias ; ../shared/bin/certutil -L -d . -n 
"server-cert" returns:
certutil-bin: Could not find: server-cert
: security library: bad database.

I can see the Subject DN in "Manage Certificates" --> Server Certs --> 
Detail 

It's the FQDN of the FDS server ( and the OpenSSL CA )


> > > > In /etc/ldap.conf, I have put in
> > > > TLS_CACERT /path/to/cert
> > > Is this the same /path/to/cacert.pem as below?
> > Yes
> > > > TLSREQCERT allow
> > > > ssl on
> > > > ssl start_tls
> > > >
> > > > If I run
> > > > openssl s_client -connect localhost:636 -showcerts -state -CAfile 
> > > > /path/to/cacert.pem
> > > >
> > > > It looks OK
> > > >
> > > > Please help
> > > >
> > > > Thanks
> > > ------------------------------------------------------------------------ 
> > >
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >   
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users