<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>So that error usually indicates that something is wrong with the cert. Have you viewed the contents of the certificate to validate the CN, etc? </div><div><br></div><div><pre dir="ltr" id="CA-68f195ca2649e6fd45f2071e9707d0b6b5472a15" lang="en"><span class="line"><span class="anchor" id="line-4-3"></span><span class="Comment"></span>openssl x509 -in <span class="ID">$DOMAIN</span>.crt.pem -noout -text</span></pre><div>Also I've seen instances where certificate db gets corrupted, so if everything pans out with the certificate contents, I'd try deleted *.db and recreating your certificate database. I've seen this occur but have been able to reproduce it consistently. When this corruption happens the manage certificates tab will not work in the idm console so if that doesn't work, I'd try recreating it. </div></div><div><br></div><div><br></div><div><br></div><div>On Jul 17, 2013, at 12:59 PM, Kyle Johnson <<a href="mailto:kjohnson@gnulnx.net">kjohnson@gnulnx.net</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div style="font-family: Verdana,Geneva,sans-serif"><p>Pointing -CAfile to the ca public cert returns this:</p><p> Verify return code: 0 (ok)<br><br></p><p>I have just one CA, with no intermediates.</p><div> <br class="webkit-block-placeholder"></div>
<div> </div><p>On 2013-07-17 12:45, Dan Lavu wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><!-- html ignored --><!-- head ignored --><!-- meta ignored -->Set it up and see what the output is, this should give you a clearer idea of what the problem is with the cert.
<div> </div>
<div>Out of curiosity do you have just one CA or do you have intermediates as well?</div>
<div><br>
<div>
<div>
<div>On Jul 17, 2013, at 12:35 PM, Kyle Johnson <<a href="mailto:kjohnson@gnulnx.net">kjohnson@gnulnx.net</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<div style="font-family: Verdana,Geneva,sans-serif;"><p>On the other working machines, the openssl command produces the same output.</p><p>You're correct, I didn't not configure my CA cert to be used with openssl in openssl.cnf (on either box).</p>
<div> </div>
<div> </div><p>On 2013-07-17 12:23, Dan Lavu wrote:</p>
<blockquote style="padding-left: 5px; border-left: #1010ff 2px solid; margin-left: 5px;">Sounds like your certificates are not setup correctly for that system, what are the results on the other 'working' machines?
<div> </div>
<div>I might have made a bad assumption, did you configure your CA cert to be used with openssl? (openssl.conf) That must be set otherwise you will have trust errors when using openssl s_client .</div>
<div> </div>
<div>
<div>
<div>
<div>On Jul 17, 2013, at 12:18 PM, Kyle Johnson <<a href="mailto:kjohnson@gnulnx.net">kjohnson@gnulnx.net</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote style="padding-left: 5px; border-left: #1010ff 2px solid; margin-left: 5px;">
<div style="font-family: Verdana,Geneva,sans-serif;"><p>Hi Dan,</p><p>Yes, dirsrv does indeed start. Here is what I receive from the openssl command (the important bits):</p>
<div> </div><p>verify error:num=19:self signed certificate in certificate chain<br>verify return:0<br>...</p><p>Verify return code: 19 (self signed certificate in certificate chain)<br><br></p>
<div> </div><p> Kyle</p>
<div> </div>
<div> </div><p>On 2013-07-17 12:04, Dan Lavu wrote:</p>
<blockquote style="padding-left: 5px; border-left-color: rgb(16, 16, 255); border-left-width: 2px; border-left-style: solid; margin-left: 5px; position: static; z-index: auto; ">Sorry the command is something like
<div> </div>
<div><code>$ openssl s_client -connect localhost:443</code></div>
<div><span style="font-family: monospace;"> </span></div>
<div><span style="font-family: monospace;">it's not verify… </span></div>
<div><span style="font-family: monospace;"> </span></div>
<div><span style="font-family: monospace;"><br></span>
<div>
<div>On Jul 17, 2013, at 12:03 PM, Dan Lavu <<a href="mailto:dan@lavu.net">dan@lavu.net</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote style="padding-left: 5px; border-left: #1010ff 2px solid; margin-left: 5px;">Kyle,<br><br>Does dirsrv start? If it does start, have you tried running 'openssl verify HOSTNAME:PORT' to validate the certificate? <br><br>Dan<br><br>On Jul 17, 2013, at 10:55 AM, Kyle Johnson <<a href="mailto:kjohnson@gnulnx.net">kjohnson@gnulnx.net</a>> wrote:<br><br>
<blockquote style="padding-left: 5px; border-left-color: rgb(16, 16, 255); border-left-width: 2px; border-left-style: solid; margin-left: 5px; position: static; z-index: auto; ">Hello everyone,<br><br>I have been receiving help from richm in the #389 channel for the last few days, but haven't made much progress, so I'd like to move the conversation somewhere a little more persistent.<br><br>My issue is that after manually enabling SSL by following the instructions at <a href="http://ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled">ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled</a><br>(that is, not using the setupssl2.sh script) and installing my CA and public and private key bundle, I am receiving the following error when starting dirsrv.<br>I also receive this error if I run the setupssl2.sh script and then replace the certificates and keys generated by it with the ones below.<br><br><br>[root@ldap005 slapd-ldap005]# service dirsrv restart<br>Shutting down dirsrv:<br> ldap005... [ OK ]<br>Starting dirsrv:<br> ldap005...[17/Jul/2013:14:41:21 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert ldap005.infra.dfw of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8016 - unknown)<br> [ OK ]<br>[root@ldap005 slapd-ldap005]#<br><br><br>Here is a list of the installed certs:<br><a href="http://ca001.zhv.domain.com/">ca001.zhv.domain.com</a> CT,,<br>ldap005.infra.dfw u,u,u<br><br><br>And the installed keys:<br>< 0> rsa a25fae676b83cfeb52d1fdc671aa74a34ef4ee8c ldap005.infra.dfw<br><br><br>My versions of 389 are as follows:<br>389-ds-console-1.2.6-1.el6.noarch<br>389-ds-1.2.2-1.el6.noarch<br>389-ds-base-1.2.11.15-14.el6_4.x86_64<br>389-admin-console-1.1.8-1.el6.noarch<br>389-ds-console-doc-1.2.6-1.el6.noarch<br>389-dsgw-1.1.9-1.el6.x86_64<br>389-adminutil-1.1.15-1.el6.x86_64<br>389-ds-base-libs-1.2.11.15-14.el6_4.x86_64<br>389-console-1.1.7-1.el6.noarch<br>389-admin-1.1.29-1.el6.x86_64<br>389-admin-console-doc-1.1.8-1.el6.noarch<br><br><br>I would like to note that I have this working on another of my 389 servers, the difference being that 389-ds-base is an earlier version:<br>389-console-1.1.7-1.el6.noarch<br>389-ds-base-1.2.10.2-20.el6_3.x86_64<br>389-admin-console-1.1.8-1.el6.noarch<br>389-ds-console-doc-1.2.6-1.el6.noarch<br>389-dsgw-1.1.9-1.el6.x86_64<br>389-adminutil-1.1.15-1.el6.x86_64<br>389-ds-base-libs-1.2.10.2-20.el6_3.x86_64<br>389-admin-1.1.29-1.el6.x86_64<br>389-ds-console-1.2.6-1.el6.noarch<br>389-admin-console-doc-1.1.8-1.el6.noarch<br>389-ds-1.2.2-1.el6.noarch<br><br><br><br>Please let me know what other information you would need to help me with troubleshooting this issue.<br><br> Kyle Johnson<br><br>--<br>389 users mailing list<br>389-<a href="mailto:users@lists.fedoraproject.org">users@lists.fedoraproject.org</a><br><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></blockquote>
</blockquote>
</div>
</div>
<br>
<pre>--
389 users mailing list
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
</div>
--<br>389 users mailing list<br>389-<a href="mailto:users@lists.fedoraproject.org">users@lists.fedoraproject.org</a><br><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></blockquote>
</div>
</div>
</div>
<br>
<pre>--
389 users mailing list
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
</div>
--<br>389 users mailing list<br>389-<a href="mailto:users@lists.fedoraproject.org">users@lists.fedoraproject.org</a><br><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></blockquote>
</div>
</div>
</div>
<!-- html ignored --><br>
<pre>--
389 users mailing list
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
</div>
--<br>389 users mailing list<br>389-<a href="mailto:users@lists.fedoraproject.org">users@lists.fedoraproject.org</a><br><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></blockquote></div><br></body></html>