<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body style='font-family: Verdana,Geneva,sans-serif'>
<p>Pointing -CAfile to the ca public cert returns this:</p>
<p> Verify return code: 0 (ok)<br /><br /></p>
<p>I have just one CA, with no intermediates.</p>
<p> </p>
<div> </div>
<p>On 2013-07-17 12:45, Dan Lavu wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><!-- html ignored --><!-- head ignored --><!-- meta ignored -->Set it up and see what the output is, this should give you a clearer idea of what the problem is with the cert.
<div> </div>
<div>Out of curiosity do you have just one CA or do you have intermediates as well?</div>
<div><br />
<div>
<div>
<div>On Jul 17, 2013, at 12:35 PM, Kyle Johnson <<a href="mailto:kjohnson@gnulnx.net">kjohnson@gnulnx.net</a>> wrote:</div>
<br class="Apple-interchange-newline" />
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<div style="font-family: Verdana,Geneva,sans-serif;">
<p>On the other working machines, the openssl command produces the same output.</p>
<p>You're correct, I didn't not configure my CA cert to be used with openssl in openssl.cnf (on either box).</p>
<div> </div>
<div> </div>
<p>On 2013-07-17 12:23, Dan Lavu wrote:</p>
<blockquote style="padding-left: 5px; border-left: #1010ff 2px solid; margin-left: 5px;">Sounds like your certificates are not setup correctly for that system, what are the results on the other 'working' machines?
<div> </div>
<div>I might have made a bad assumption, did you configure your CA cert to be used with openssl? (openssl.conf) That must be set otherwise you will have trust errors when using openssl s_client .</div>
<div> </div>
<div>
<div>
<div>
<div>On Jul 17, 2013, at 12:18 PM, Kyle Johnson <<a href="mailto:kjohnson@gnulnx.net">kjohnson@gnulnx.net</a>> wrote:</div>
<br class="Apple-interchange-newline" />
<blockquote style="padding-left: 5px; border-left: #1010ff 2px solid; margin-left: 5px;">
<div style="font-family: Verdana,Geneva,sans-serif;">
<p>Hi Dan,</p>
<p>Yes, dirsrv does indeed start. Here is what I receive from the openssl command (the important bits):</p>
<div> </div>
<p>verify error:num=19:self signed certificate in certificate chain<br />verify return:0<br />...</p>
<p>Verify return code: 19 (self signed certificate in certificate chain)<br /><br /></p>
<div> </div>
<p> Kyle</p>
<div> </div>
<div> </div>
<p>On 2013-07-17 12:04, Dan Lavu wrote:</p>
<blockquote style="padding-left: 5px; border-left: #1010ff 2px solid; margin-left: 5px;">Sorry the command is something like
<div> </div>
<div><code>$ openssl s_client -connect localhost:443</code></div>
<div><span style="font-family: monospace;"> </span></div>
<div><span style="font-family: monospace;">it's not verify… </span></div>
<div><span style="font-family: monospace;"> </span></div>
<div><span style="font-family: monospace;"><br /></span>
<div>
<div>On Jul 17, 2013, at 12:03 PM, Dan Lavu <<a href="mailto:dan@lavu.net">dan@lavu.net</a>> wrote:</div>
<br class="Apple-interchange-newline" />
<blockquote style="padding-left: 5px; border-left: #1010ff 2px solid; margin-left: 5px;">Kyle,<br /><br />Does dirsrv start? If it does start, have you tried running 'openssl verify HOSTNAME:PORT' to validate the certificate? <br /><br />Dan<br /><br />On Jul 17, 2013, at 10:55 AM, Kyle Johnson <<a href="mailto:kjohnson@gnulnx.net">kjohnson@gnulnx.net</a>> wrote:<br /><br />
<blockquote style="padding-left: 5px; border-left: #1010ff 2px solid; margin-left: 5px;">Hello everyone,<br /><br />I have been receiving help from richm in the #389 channel for the last few days, but haven't made much progress, so I'd like to move the conversation somewhere a little more persistent.<br /><br />My issue is that after manually enabling SSL by following the instructions at <a href="http://ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled">ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled</a><br />(that is, not using the setupssl2.sh script) and installing my CA and public and private key bundle, I am receiving the following error when starting dirsrv.<br />I also receive this error if I run the setupssl2.sh script and then replace the certificates and keys generated by it with the ones below.<br /><br /><br />[root@ldap005 slapd-ldap005]# service dirsrv restart<br />Shutting down dirsrv:<br /> ldap005... [ OK ]<br />Starting dirsrv:<br /> ldap005...[17/Jul/2013:14:41:21 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert ldap005.infra.dfw of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8016 - unknown)<br /> [ OK ]<br />[root@ldap005 slapd-ldap005]#<br /><br /><br />Here is a list of the installed certs:<br /><a href="http://ca001.zhv.domain.com/">ca001.zhv.domain.com</a> CT,,<br />ldap005.infra.dfw u,u,u<br /><br /><br />And the installed keys:<br />< 0> rsa a25fae676b83cfeb52d1fdc671aa74a34ef4ee8c ldap005.infra.dfw<br /><br /><br />My versions of 389 are as follows:<br />389-ds-console-1.2.6-1.el6.noarch<br />389-ds-1.2.2-1.el6.noarch<br />389-ds-base-1.2.11.15-14.el6_4.x86_64<br />389-admin-console-1.1.8-1.el6.noarch<br />389-ds-console-doc-1.2.6-1.el6.noarch<br />389-dsgw-1.1.9-1.el6.x86_64<br />389-adminutil-1.1.15-1.el6.x86_64<br />389-ds-base-libs-1.2.11.15-14.el6_4.x86_64<br />389-console-1.1.7-1.el6.noarch<br />389-admin-1.1.29-1.el6.x86_64<br />389-admin-console-doc-1.1.8-1.el6.noarch<br /><br /><br />I would like to note that I have this working on another of my 389 servers, the difference being that 389-ds-base is an earlier version:<br />389-console-1.1.7-1.el6.noarch<br />389-ds-base-1.2.10.2-20.el6_3.x86_64<br />389-admin-console-1.1.8-1.el6.noarch<br />389-ds-console-doc-1.2.6-1.el6.noarch<br />389-dsgw-1.1.9-1.el6.x86_64<br />389-adminutil-1.1.15-1.el6.x86_64<br />389-ds-base-libs-1.2.10.2-20.el6_3.x86_64<br />389-admin-1.1.29-1.el6.x86_64<br />389-ds-console-1.2.6-1.el6.noarch<br />389-admin-console-doc-1.1.8-1.el6.noarch<br />389-ds-1.2.2-1.el6.noarch<br /><br /><br /><br />Please let me know what other information you would need to help me with troubleshooting this issue.<br /><br /> Kyle Johnson<br /><br />--<br />389 users mailing list<br />389-<a href="mailto:users@lists.fedoraproject.org">users@lists.fedoraproject.org</a><br /><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></blockquote>
</blockquote>
</div>
</div>
<br />
<pre>--
389 users mailing list
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
</div>
--<br />389 users mailing list<br />389-<a href="mailto:users@lists.fedoraproject.org">users@lists.fedoraproject.org</a><br /><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></blockquote>
</div>
</div>
</div>
<br />
<pre>--
389 users mailing list
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
</div>
--<br />389 users mailing list<br />389-<a href="mailto:users@lists.fedoraproject.org">users@lists.fedoraproject.org</a><br /><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></blockquote>
</div>
</div>
</div>
<!-- html ignored --><br />
<pre>--
389 users mailing list
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
</body></html>