<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Sounds like your certificates are not set up correctly for that system. What are the results on the other 'working' machines?<div><br></div><div>I might have made a bad assumption: did you configure your CA cert to be used with openssl (openssl.conf)? That must be set, otherwise you will have trust errors when using openssl s_client.</div><div><br></div><div><div><div><div>On Jul 17, 2013, at 12:18 PM, Kyle Johnson &lt;<a href="mailto:kjohnson@gnulnx.net">kjohnson@gnulnx.net</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div style="font-family: Verdana,Geneva,sans-serif"><p>Hi Dan,</p><p>Yes, dirsrv does indeed start. Here is what I receive from the openssl command (the important bits):</p><p>verify error:num=19:self signed certificate in certificate chain<br>verify return:0<br>...</p><p>Verify return code: 19 (self signed certificate in certificate chain)</p><p>Kyle</p>
<div>&nbsp;</div><p>On 2013-07-17 12:04, Dan Lavu wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">Sorry, the command is something like
<div>&nbsp;</div>
<div><code>$ openssl s_client -connect localhost:443</code></div>
<div>&nbsp;</div>
<div>it's not verify…</div>
<div><span style="font-family: monospace;"><br></span>
<div>
<div>On Jul 17, 2013, at 12:03 PM, Dan Lavu &lt;<a href="mailto:dan@lavu.net">dan@lavu.net</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">Kyle,<br><br>Does dirsrv start? If it does start, have you tried running 'openssl verify HOSTNAME:PORT' to validate the certificate? <br><br>Dan<br><br>On Jul 17, 2013, at 10:55 AM, Kyle Johnson &lt;<a href="mailto:kjohnson@gnulnx.net">kjohnson@gnulnx.net</a>&gt; wrote:<br><br>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">Hello everyone,<br><br>I have been receiving help from richm in the #389 channel for the last few days, but haven't made much progress, so I'd like to move the conversation somewhere a little more persistent.<br><br>My issue is that after manually enabling SSL by following the instructions at <a href="http://ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled">ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled</a><br>(that is, not using the setupssl2.sh script) and installing my CA and public and private key bundle, I am receiving the following error when starting dirsrv.<br>I also receive this error if I run the setupssl2.sh script and then replace the certificates and keys generated by it with the ones below.<br><br><br>[root@ldap005 slapd-ldap005]# service dirsrv restart<br>Shutting down dirsrv:<br>&nbsp;&nbsp;&nbsp;ldap005... [ &nbsp;OK &nbsp;]<br>Starting dirsrv:<br>&nbsp;&nbsp;&nbsp;ldap005...[17/Jul/2013:14:41:21 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert ldap005.infra.dfw of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8016 - unknown)<br>&nbsp;&nbsp;&nbsp;[ &nbsp;OK &nbsp;]<br>[root@ldap005 slapd-ldap005]#<br><br><br>Here is a list of the installed certs:<br>ca001.zhv.domain.com &nbsp;&nbsp;&nbsp;&nbsp;CT,,<br>ldap005.infra.dfw &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;u,u,u<br><br><br>And the installed keys:<br>&lt; 0&gt; rsa &nbsp;&nbsp;&nbsp;a25fae676b83cfeb52d1fdc671aa74a34ef4ee8c &nbsp;&nbsp;ldap005.infra.dfw<br><br><br>My versions of 389 are as follows:<br>389-ds-console-1.2.6-1.el6.noarch<br>389-ds-1.2.2-1.el6.noarch<br>389-ds-base-1.2.11.15-14.el6_4.x86_64<br>389-admin-console-1.1.8-1.el6.noarch<br>389-ds-console-doc-1.2.6-1.el6.noarch<br>389-dsgw-1.1.9-1.el6.x86_64<br>389-adminutil-1.1.15-1.el6.x86_64<br>389-ds-base-libs-1.2.11.15-14.el6_4.x86_64<br>389-console-1.1.7-1.el6.noarch<br>389-admin-1.1.29-1.el6.x86_64<br>389-admin-console-doc-1.1.8-1.el6.noarch<br><br><br>I would like to note that I have this working on another of my 389 servers, the difference being that 389-ds-base is an earlier version:<br>389-console-1.1.7-1.el6.noarch<br>389-ds-base-1.2.10.2-20.el6_3.x86_64<br>389-admin-console-1.1.8-1.el6.noarch<br>389-ds-console-doc-1.2.6-1.el6.noarch<br>389-dsgw-1.1.9-1.el6.x86_64<br>389-adminutil-1.1.15-1.el6.x86_64<br>389-ds-base-libs-1.2.10.2-20.el6_3.x86_64<br>389-admin-1.1.29-1.el6.x86_64<br>389-ds-console-1.2.6-1.el6.noarch<br>389-admin-console-doc-1.1.8-1.el6.noarch<br>389-ds-1.2.2-1.el6.noarch<br><br><br><br>Please let me know what other information you would need to help me with troubleshooting this issue.<br><br>&nbsp;&nbsp;&nbsp;Kyle Johnson<br><br>--<br>389 users mailing list<br><a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></blockquote>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote></div><br></div></div></body></html>