Re: Back in SSL hell again!

Glenn wrote:
Is it possible it is complaining about the CA cert?

Ahem. No, after all, it did name the certificate it was complaining about. But I figured out what the problem was. Sometime this morning it became apparent that having the clocks synchronized on the AD and DS servers would make it easier to read the logs, so I used the "date" command to change the time. I still find it difficult to understand some of the command manuals, and, assuming it was necessary to include the century and year as well as the date and time in the command, I accidentally put in 2006 instead of 2007. But, you know, if the error message had said, "your certificate is not valid yet" or even, "check the date, twit", I might have resolved this more quickly. Then again, maybe not. :) Thanks again. -Glenn.
If you think that's bad, try to have a Kerberos environment where one or more clocks are out of sync, and try to interpret those error messages :P
---------- Original Message -----------
From: Richard Megginson <rmeggins@xxxxxxxxxx>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Sent: Tue, 16 Jan 2007 13:12:21 -0700
Subject: Re:  Back in SSL hell again!

Glenn wrote:
So I'm just about to finish getting Windows Sync working between RH Directory Server 7.1SP3 and Active Directory. The latest error message in the passsync log says "insufficient access", so I create an ACI that gives the replication manager access to everything, just to see if it will work. Nope. So I think, maybe I have to restart the Directory Server. And then it fails to restart, logging the error message:

SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=cconfig (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
Is it possible it is complaining about the CA cert?
Yeah, right.  Here's a copy of the certificate:

[root@ourserver alias]# ./certutil -L -d ./ -n server-cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            16:43:78:57:00:00:00:00:00:0e
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer:
            "CN=OURCA,DC=ad,DC=ourshop,DC=edu"
        Validity:
            Not Before: Tue Nov 14 22:50:17 2006
            Not After : Thu Nov 13 22:50:17 2008
...
Now, I'll grant you that this little synchronization exercise FEELS like it has gone on for more than two years, but according to the certificate, it has taken barely two months so far, leaving the certificate good for another 22 months. Once again, the SSL error message seems to have little to do with reality.

I just restarted the server three hours earlier, and it worked fine then. Can anyone suggest what I might try now?  Thanks.   -Glenn.

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

------- End of Original Message -------
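
The failure described in this thread (a system clock set a year back, reported by NSS as error -8181 "certificate has expired") can be told apart from a real expiry by comparing the clock against both ends of the validity window. The following is an added example, not part of the original messages: `parse_validity` and `diagnose` are hypothetical helper names, the clock values are constructed, and it assumes certutil prints validity timestamps in UTC.

```python
import re
from datetime import datetime, timezone

# Validity lines as printed by `certutil -L -n server-cert` in the thread above.
SAMPLE_CERTUTIL_OUTPUT = """\
        Validity:
            Not Before: Tue Nov 14 22:50:17 2006
            Not After : Thu Nov 13 22:50:17 2008
"""

# Matches both "Not Before:" and "Not After :" (note the space before the colon).
_VALIDITY_RE = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_validity(certutil_text):
    """Return (not_before, not_after) parsed from certutil -L text output."""
    found = {}
    for which, stamp in _VALIDITY_RE.findall(certutil_text):
        # Assumption: certutil prints these timestamps in UTC.
        parsed = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        found[which] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("validity window not found in certutil output")
    return found["Before"], found["After"]


def diagnose(certutil_text, now=None):
    """Classify the local clock against the certificate's validity window."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_validity(certutil_text)
    if now < not_before:
        days = (not_before - now).days
        return "not-yet-valid", f"clock is {days} days before Not Before; check the system date"
    if now > not_after:
        days = (now - not_after).days
        return "expired", f"certificate expired {days} days ago"
    return "valid", f"{(not_after - now).days} days of validity remain"


if __name__ == "__main__":
    # Constructed clock values: the mistyped year from the thread, then the real date.
    for year in (2006, 2007):
        clock = datetime(year, 1, 16, 20, 12, 21, tzinfo=timezone.utc)
        print(year, *diagnose(SAMPLE_CERTUTIL_OUTPUT, clock))
```

Running the same comparison on both the directory server and the CA host before touching the certificate database shows whether the certificate or the clock is at fault.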
