<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 07/14/2011 01:29 AM, s.varadha rajan wrote:
<blockquote
cite="mid:CAFEmfGyjqo+tGKsKJ5PbcOr8Vk_eDZj0Fg5+ifi8pumhVWXq-Q@mail.gmail.com"
type="cite">Hi,
<div><br>
</div>
<div>Thanks for the reply, but I have a problem with enabling SSL on my
system; only then can I go on to the consumer, replication,
etc.</div>
<div><br>
</div>
<div>My system name is <a moz-do-not-send="true"
href="http://varad.india.xxx.com">varad.india.xxx.com</a> and
I have to use the "star_dot_india_xxx_cert.crt" certificate, which
is used for Apache and other web-related applications. So first I
need to install the certificate and enable secure 389-ds, that is,
LDAPS. Only then can I move on to the other system and proceed
with the replication process.</div>
<div><br>
</div>
<div>In such a case, what is the solution?</div>
</blockquote>
You need the CA cert - do you have the CA cert in a PEM file? If
so, you can add it using certutil -A<br>
<a class="moz-txt-link-freetext" href="http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_another_389_DS">http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_another_389_DS</a><br>
<blockquote
cite="mid:CAFEmfGyjqo+tGKsKJ5PbcOr8Vk_eDZj0Fg5+ifi8pumhVWXq-Q@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>Regards,</div>
<div>Varad<br>
<br>
<div class="gmail_quote">2011/7/13 solarflow99 <span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:solarflow99@gmail.com">solarflow99@gmail.com</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">I had this error, and it was the CA not
being imported correctly as you mentioned. I used the
certutil and pk12util commands to import and export all the
certs:<br>
<a moz-do-not-send="true"
href="http://directory.fedoraproject.org/wiki/Howto:SSL#Create_and_Export_a_Replication_Consumer_cert"
target="_blank">http://directory.fedoraproject.org/wiki/Howto:SSL#Create_and_Export_a_Replication_Consumer_cert</a><br>
<br>
<br>
<br>
<div class="gmail_quote">2011/7/13 s.varadha rajan <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:rajanvaradhu@gmail.com" target="_blank">rajanvaradhu@gmail.com</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div>
<div class="h5">
Hi,
<div><br>
</div>
<div>I am trying to implement two 389-ds servers with SSL
replication. Replication is working without SSL.
When I try to configure SSL-enabled 389-ds, I
get the following error:</div>
<div><br>
</div>
<div>
<div>"[13/Jul/2011:17:38:37 +051800] - SSL alert:
CERT_VerifyCertificateNow: verify certificate
failed for cert Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8179 - Peer's
Certificate issuer is not recognized.)</div>
<div>[13/Jul/2011:17:38:37 +051800] - SSL failure:
None of the cipher are valid"</div>
</div>
<div><br>
</div>
<div><u>I did the following as per my environment;</u></div>
<div><u><br>
</u></div>
<div>1. My system name is <a moz-do-not-send="true"
href="http://varad.india.xxx.com"
target="_blank">varad.india.xxx.com</a>. We have
a certificate <a moz-do-not-send="true"
href="http://star.india.xxx.com" target="_blank">star.india.xxx.com</a>
and .pem files, which is commonly used for Apache
and other related services, so I am planning to
import that certificate into my fedora-ds system:</div>
<div><br>
</div>
<div>A).openssl pkcs12 -export -inkey
star_dot_india_xxx_key.pem -in
star_dot_india_xxx_cert.crt -out crt.p12 -nodes
-name 'Server-Cert' ==> command went fine</div>
<div><br>
</div>
<div>B).pk12util -i &lt;location&gt;/crt.p12 -d .
==&gt; command went fine</div>
<div><br>
</div>
<div>C). As per the Fedora doc, they specified "<span
style="font-family: monospace; font-size: 13px;
line-height: 14px; white-space: pre-wrap;">certutil
-d /etc/dirsrv/slapd-INSTANCE -A -n "My Local
CA" -t CT,, -a -i /path/to/ca.pem", so I tried this
option as:</span></div>
<div><font face="monospace"><span
style="line-height: 14px; white-space:
pre-wrap;"><br>
</span></font></div>
<div><font face="monospace"><span
style="line-height: 14px; white-space:
pre-wrap;">
<div><br>
<font face="verdana, sans-serif"> #root@varad:/home/sslforldap#
certutil -d /etc/dirsrv/slapd-varad -A -n
"Server-Cert" -t u,u,u -a -i
star_dot_india_xxx_cert.crt</font></div>
<div><font face="verdana, sans-serif"> got an
error ==>certutil: function failed:
security library: bad database.</font></div>
<br>
<br>
<br>
<div><font face="verdana, sans-serif"> </font></div>
<div><font face="verdana, sans-serif">and then
tried as </font></div>
<div><font face="verdana, sans-serif"><br>
<br>
</font></div>
<div><font face="verdana, sans-serif">#certutil
-d /etc/dirsrv/slapd-varad -A -n
"Server-Cert" -t u,u,u -a -i
star_dot_india_xxx_cert.crt ==> went
fine</font></div>
</span></font></div>
<div><font face="monospace"><span
style="line-height: 14px; white-space:
pre-wrap;"><br>
</span></font></div>
<div><span style="line-height: 14px; white-space:
pre-wrap;"><font face="verdana, sans-serif">D). Added
the relevant details in dse.ldif and
restarted dirsrv, but I got the above
error.</font></span></div>
<div><span style="line-height: 14px; white-space:
pre-wrap;"><font face="verdana, sans-serif"><br>
</font></span></div>
<div><span style="line-height: 14px; white-space:
pre-wrap;"><font face="verdana, sans-serif">E).For
your information,</font></span></div>
<div><span style="line-height: 14px; white-space:
pre-wrap;"><font face="verdana, sans-serif"><br>
</font></span></div>
<div><span style="line-height: 14px; white-space:
pre-wrap;">
<div><br>
<font face="verdana, sans-serif">root@varad:/home/sslforldap#
certutil -L -d .</font></div>
<div><font face="verdana, sans-serif"><br>
</font></div>
<div><font face="verdana, sans-serif">Certificate
Nickname
Trust Attributes</font></div>
<br>
<br>
<br>
<div><font face="verdana, sans-serif">
SSL,S/MIME,JAR/XPI</font></div>
<div><font face="verdana, sans-serif"><br>
<br>
</font></div>
<div><font face="verdana, sans-serif">XXX XXX CA
u,u,u</font></div>
</span></div>
<div><font face="monospace"><span
style="line-height: 14px; white-space:
pre-wrap;"><br>
<br>
<br>
<br>
</span></font></div>
<div><font face="monospace"><span
style="line-height: 14px; white-space:
pre-wrap;"><br>
</span></font></div>
<div><span style="line-height: 14px; white-space:
pre-wrap;"><font face="verdana, sans-serif">How
can I proceed further?</font></span></div>
<div><span style="line-height: 14px; white-space:
pre-wrap;"><font face="verdana, sans-serif"><br>
</font></span></div>
<div><span style="line-height: 14px; white-space:
pre-wrap;"><font face="verdana, sans-serif">Regards,</font></span></div>
<div><span style="line-height: 14px; white-space:
pre-wrap;"><font face="verdana, sans-serif">Varad</font></span></div>
<div><font face="monospace"><span
style="line-height: 14px; white-space:
pre-wrap;"><br>
<br>
</span></font></div>
<div><font face="monospace"><span
style="line-height: 14px; white-space:
pre-wrap;"><br>
</span></font></div>
<div><span style="font-family: monospace; font-size:
13px; line-height: 14px; white-space: pre-wrap;"><br>
<br>
<br>
<br>
</span></div>
<br>
</div>
</div>
--<br>
389 users mailing list<br>
<a moz-do-not-send="true"
href="mailto:389-users@lists.fedoraproject.org"
target="_blank">389-users@lists.fedoraproject.org</a><br>
<a moz-do-not-send="true"
href="https://admin.fedoraproject.org/mailman/listinfo/389-users"
target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
</blockquote>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
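<div>The fix suggested in this thread is to import the issuing CA's PEM file with certutil -A; the sketch below first checks that a candidate PEM file really is the issuer of the server certificate, which is what NSS error -8179 complains about. It is an added example, not part of the original messages or of the 389 DS documentation. The function names, the throwaway certificates and the host name varad.example.test are constructed for illustration, and it assumes the CA file holds the whole chain up to the root.</div>

```shell
#!/bin/sh
# Added example. All certificates here are constructed throwaway test material.

# make_ca DIR NAME: self-signed CA certificate -> DIR/NAME.pem (key DIR/NAME.key)
make_ca() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n[dn]\nCN=%s\n[v3]\nbasicConstraints=critical,CA:TRUE\n' \
        "$2" > "$1/$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_server_cert DIR CA_NAME: server cert DIR/server.crt signed by that CA
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
        -subj "/CN=varad.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/server.crt" 2>/dev/null
}

# ca_issued CA_PEM SERVER_CERT: succeeds only if the server cert verifies
# against CA_PEM; -no-CApath keeps the default hashed CA directory out of it.
ca_issued() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# import_ca DB_DIR CA_PEM SERVER_CERT: refuse a PEM that is not the issuer;
# otherwise add it as a trusted CA (command from the Howto:SSL page quoted in
# the thread) and have NSS validate Server-Cert for SSL server use.
import_ca() {
    ca_issued "$2" "$3" || { echo "refusing: $2 did not issue $3" >&2; return 1; }
    certutil -d "$1" -A -n "My Local CA" -t CT,, -a -i "$2" &&
    certutil -d "$1" -V -u V -n "Server-Cert"
}

# demo: returns 0 when the right CA is accepted and an unrelated one rejected
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" issuing-ca && make_ca "$d" unrelated-ca &&
        make_server_cert "$d" issuing-ca || return 1
    ca_issued "$d/issuing-ca.pem" "$d/server.crt" &&
        ! ca_issued "$d/unrelated-ca.pem" "$d/server.crt"
    rc=$?; rm -rf "$d"; return $rc
}

# Real use (instance path and file name from the thread, CA path is a placeholder):
# import_ca /etc/dirsrv/slapd-varad /path/to/ca.pem star_dot_india_xxx_cert.crt
```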
</body>
</html>