This is what I did to get ssl repl working:
1. generate a single CA certificate and use that to sign both the supplier and consumer
certificates. Each server doesn't need its own CA.
on the consumer:
[root@cnjldap01 alias]# ../shared/bin/certutil -L -d . -n "NJ CA certificate" -a > cnjldap01.cert.asc
#send to supplier:
scp cnjldap01.cert.asc root@cnyldap01:/opt/fedora-ds/alias/
#import it into the supplier's cert db:
[root@cnyldap01 /]# ../shared/bin/certutil -A -d . -P slapd-cnyldap01- -n "NJ CA certificate" -t "CT,," -a -i cnjldap01.cert.asc
That's it.
--- Richard Megginson <rmeggins(a)redhat.com> wrote:
Alex aka Magobin wrote:
> hi,
> I used Replication HOWTO to make a replica with 2 servers; after that I
> saw that replication was without encryption, so I made my own CA
> Authority and I made two certificates for both servers...I made the request
> from Fedora Console and then I installed it from the same console.
>
> Testing on the second server, I tried to restart slapd, but when I tried the
> server correctly asks for the PIN for Internal Software Token, but then it says:
>
> 22/Mar/2006:11:20:39 +0100] - SSL alert: CERT_VerifyCertificateNow:
> verify certificate failed for cert nodo2-cert of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
> Peer's Certificate issuer is not recognized.)
> [22/Mar/2006:11:20:39 +0100] - SSL failure: None of the cipher are valid
>
>
>
> ...what does it mean?...maybe that I have made some mistakes about ssl?
> ...how can I resolve this problem?
> ...is it possible to come back??
>
I think you may need to add the CA cert to the cert db for nodo2
>
> thanks in advance
>
> Alex
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
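Added example, not part of the original thread: a check that the CA imported in the steps above is listed in the cert db with the SSL trust flags C and T, which is what -t "CT,," sets and what the "issuer is not recognized" error points at when missing. The sample listing is constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original thread). Checks that a CA nickname in
# `certutil -L` output carries SSL trust flags C and T, as set by -t "CT,,".

# Constructed sample of a `certutil -L -d .` listing, for offline use.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

NJ CA certificate                                            CT,,
Server-Cert                                                  u,u,u
Untrusted CA                                                 ,,
'

# ssl_trust_of NICKNAME
# Reads a listing on stdin, prints the SSL trust field for NICKNAME.
# Exits non-zero if the nickname is not listed.
ssl_trust_of() {
    awk -v want="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
            sub(/^[ \t]+/, "", nick)                # nicknames may contain spaces
            if (nick == want) { split($NF, f, ","); print f[1]; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# ca_trusted_for_ssl NICKNAME
# 0 = C and T both present, 1 = CA listed but not trusted, 2 = CA not in the db.
ca_trusted_for_ssl() {
    trust=$(ssl_trust_of "$1") || return 2
    case "$trust" in *C*) ;; *) return 1 ;; esac
    case "$trust" in *T*) ;; *) return 1 ;; esac
    return 0
}

# Against a live database (paths and prefix as used in the message above):
#   certutil -L -d /opt/fedora-ds/alias -P slapd-cnyldap01- | ca_trusted_for_ssl "NJ CA certificate"
```

A return code of 2 on the server that logs error -8179 means the CA cert was never imported there; 1 means it is present but lacks the trust flags.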