Dumbo Q wrote:
Of course, it would help if i trusted the intermediate cert. certutil -M -t "CT,," -d . -n "UTN-USERFirst-Hardware - AddTrust AB" certutil -M -t "CT,," -d . -n "PositiveSSL CA - The USERTRUST Network" After doing this I tried an ldapsearch -H ldaps://.... ldapsearch worked with no problem.My ldap client "Jxplorer" could not connect however. It complained with the following.. javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain.A partial success i guess.
Does Jxplorer have the CA cert?
------------------------------------------------------------------------ *From:* Dumbo Q <dumboq@xxxxxxxxx>*To:* Ryan Braun [ADS] <ryan.braun@xxxxxxxx>; fedora-directory-users@xxxxxxxxxx*Sent:* Wednesday, July 8, 2009 4:57:49 PM *Subject:* Re: [389-users] Recover after installing a bad cert. Thanks that did it.I just can't seem to get this certificate working. Here is the most recent way that i have tried. cat bundle.crt >> new.crt ## bundle, being the chain certificates provided by the CA cat rhds.crt >> new.crt ## rhds being the actual cert provided by the CAopenssl verify new.crt ## turned out OKopenssl pkcs12 -export -in new.crt -inkey rhds.example.com <http://rhds.example.com.ke>.key -out rhds.example.com-PSSL.p12pk12util -i /root/certs/rhds.example.com-PSSL.p12 -d . certutil -L -d .Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPIrhds.example.com <http://rhds.example.com> - Comodo CA Limited u,u,uPositiveSSL CA - The USERTRUST Network ,, UTN-USERFirst-Hardware - AddTrust AB ,,Still the same error when i try to use this cert. Am I doing something wrong?------------------------------------------------------------------------ *From:* Ryan Braun [ADS] <ryan.braun@xxxxxxxx> *To:* fedora-directory-users@xxxxxxxxxx *Cc:* Dumbo Q <dumboq@xxxxxxxxx> *Sent:* Wednesday, July 8, 2009 2:50:10 PM *Subject:* Re: [389-users] Recover after installing a bad cert. On July 8, 2009 06:19:55 pm Dumbo Q wrote: > I just installed a new ssl certificate using pk12util. I restarted my> dirsrv, and picked the new cert in the dropdown menu under the encryption > tab. I restarted dirsrv to make it take affect. When I did this, I found > that the root certificate was not in redhats/openssls ca-bundle. I tried > importing the intermediate certificate, and I think I just made the problem> worse. > > right now im getting the following.> SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert> rhds.example.com <http://rhds.example.com> - Comodo CA Limited of family > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -> Peer's Certificate issuer is not recognized.) [08/Jul/2009:14:18:04 -0400]> - SSL failure: None of the cipher are valid > >> Now my directory is down completely. How can I get it to start up without> SSL so that I can fix the problem? Make sure you backup /etc/dirsrv/INSTANCE/dse.ldif then edit that file and look for nsslapd-security: on change to nsslapd-security: off save file, restart service and ssl should be turned off. Keep in mindwhatever caused the ssl config to puke in the first place is still there :)Ryan ------------------------------------------------------------------------ -- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
<<attachment: smime.p7s>>
-- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
