On 09/23/2011 01:44 PM, Rich Megginson wrote:
On 09/23/2011 01:24 PM, Orion Poplawski wrote:
> I'm trying to setup MMR with another office site. We're trying to connect
> over SSL, but my server gives the error:
>
> [23/Sep/2011:12:00:56 -0600] slapi_ldap_bind - Error: could not send bind
> request for id [cn=Replication Manager,cn=config] mech [SIMPLE]: error 81
> (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not
> recognized.) 11 (Resource temporarily unavailable)
>
> I've added what I believe are the proper CA certs (it is a chain of 3) for the
> remote server to my directory server via the 389-console and manage
> certificates.
Did it have 3 in a single file, or 3 different files?
3 in a single file. I noticed that certutil and the console only seemed to
import the first one so I also imported the other two individually.
> However, I noticed that when I use certutil on the server to
> list the certificates, I don't see them:
>
> # certutil -d /etc/dirsrv/slapd-cora/ -L
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> CA certificate CT,,
> server-cert u,u,u
>
> I would have thought they would be stored in the same place.
They should be.
> If not, where
> are the ones listed in the console stored?
Good question.
> Does it matter that they aren't
> showing up with certutil?
Yes.
That's what I thought so I used certutil as well. The console then showed
those entries with the names I gave them with certutil.
Are these chained to a well-known root CA? If so, you can add those to the
directory server CA certs list:
http://directory.fedoraproject.org/wiki/Howto:SSL#Viewing_the_list_of_bui...
The top in the bundle is www.valicert.com, which I haven't had trouble with
for browsers and the like. I'm not having any luck with linking in the
library and seeing the root CAs.
> Anything else I can do to debug the SSL connection?
It may just be that if there is more than one CA cert in the file only the
first or last is added.
Yeah, I noticed that.
The other fun thing is that it is a wildcard cert, but I'm thinking that it
would give some kind of hostname not matching error if that was an issue.
Maybe I'm wrong.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion(a)cora.nwra.com
Boulder, CO 80301
http://www.cora.nwra.com
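The thread's observation that certutil (and the console) only picks up the first certificate in a multi-certificate PEM file is the usual cause of "Peer's Certificate issuer is not recognized" on a replication agreement. As an added example, not code from this thread or from the 389 Directory Server project, the POSIX shell helpers below split a PEM bundle into one file per certificate, import each into the NSS database with `certutil -A`, and list the database so the new nicknames can be checked with `certutil -L` as done above. The database path `/etc/dirsrv/slapd-cora` comes from the thread; the nickname prefix `remote-ca`, the scratch directory, and the constructed 3-block bundle (placeholder bodies, not real certificates) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the 389-ds project): split a PEM
# bundle into one certificate per file, then import each into an NSS
# database with certutil, which only picks up the first certificate in
# a multi-certificate PEM file.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... and prints how many were found.
# Text outside BEGIN/END blocks (e.g. "subject=" lines) is discarded.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# import_ca_chain DBDIR CERTDIR [NICKPREFIX]
# Adds every split certificate to the NSS db at DBDIR with trust "CT,,"
# (C = trusted CA for SSL server certs, T = trusted CA for client certs),
# then lists the db so the nicknames can be verified with certutil -L.
import_ca_chain() {
    dbdir=$1
    certdir=$2
    prefix=${3:-remote-ca}   # nickname prefix is an assumption
    i=0
    for f in "$certdir"/cert-*.pem; do
        i=$((i + 1))
        certutil -d "$dbdir" -A -n "$prefix-$i" -t "CT,," -i "$f"
    done
    certutil -d "$dbdir" -L
}

# make_constructed_bundle FILE
# Writes a constructed 3-block bundle with placeholder bodies (not real
# certificates) so the splitter can be exercised without a real CA chain.
make_constructed_bundle() {
    cat > "$1" <<'EOF'
subject=constructed root (text outside the blocks is discarded)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRFLTE=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRFLTI=
-----END CERTIFICATE-----
EOF
}

# Usage against a real deployment (database path from the thread; not run here):
#   split_pem_bundle remote-chain.pem /tmp/remote-chain
#   import_ca_chain /etc/dirsrv/slapd-cora /tmp/remote-chain
```

After `import_ca_chain` runs, `certutil -d /etc/dirsrv/slapd-cora -L` should list `remote-ca-1` through `remote-ca-3` alongside `CA certificate` and `server-cert`; if the root is already present in the server's built-in CA list, only the intermediates need importing, and those can be added with trust `,,` rather than `CT,,` so that only the actual root carries explicit CA trust.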