[Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA

Richard Megginson rmeggins at redhat.com
Fri Jun 2 16:07:25 UTC 2006


Jeff Gamsby wrote:
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an 
>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can 
>>> start FDS in SSL mode, but when I run
>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
> I did, but that didn't work for me. The only thing that I did this 
> time was generate a request from the "Manage Certificates", sign the 
> request using my OpenSSL CA, and install the Server and CA Certs. Then 
> I turned on SSL in the Admin console, and restarted the server.
>
> When I followed the instructions from the link, I couldn't even get 
> FDS to start in SSL mode.
One problem may be that ldapsearch is trying to verify the hostname in 
your server cert, which is the value of the cn attribute in the leftmost 
RDN in your server cert's subject DN.  What is the subject DN of your 
server cert?  You can use certutil -L -n Server-Cert as specified in the 
Howto:SSL to print your cert.
>>>
>>> In /etc/ldap.conf, I have put in
>>> TLS_CACERT /path/to/cert
>> Is this the same /path/to/cacert.pem as below?
> Yes
>>> TLSREQCERT allow
>>> ssl on
>>> ssl start_tls
>>>
>>> If I run
>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile 
>>> /path/to/cacert.pem
>>>
>>> It looks OK
>>>
>>> Please help
>>>
>>> Thanks
>>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
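The two client-side checks discussed in this thread (does the server cert chain to a CA the client trusts, and does the name the client dialed match the name in the cert) can be reproduced offline. The following Go program is an added example and is not part of this thread or of the Fedora Directory Server code: it builds a throwaway CA and a server certificate in memory, then classifies the verification failure the way a client like ldapsearch would report it, so "unknown CA" (the CA cert is not in the client's trust store) can be told apart from a hostname mismatch (the client dialed "localhost" but the cert was issued for another name). The names "ldap.example.org" and "Example Test CA" are constructed values. Note that Go's verifier, like every modern TLS client, matches the hostname against the subjectAltName extension rather than the cn of the leftmost RDN that 2006-era clients read, so the server template sets both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI holds the constructed (hypothetical) CA and server certificates.
type PKI struct {
	CA     *x509.Certificate
	Server *x509.Certificate
}

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signerKey := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signerKey = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// BuildPKI creates a throwaway CA and a server certificate issued for serverName.
// The name is placed in both the subject CN (what old clients read) and the
// DNS subjectAltName (what current clients, including Go's verifier, read).
func BuildPKI(serverName string) (*PKI, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srv, _, err := issue(srvTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{CA: ca, Server: srv}, nil
}

// Classify verifies server against the CAs the client trusts and the name it
// dialed, and returns the class of failure a TLS client would report.
func Classify(server *x509.Certificate, roots *x509.CertPool, dialedName string) string {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: dialedName})
	var unknownCA x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "unknown CA" // the CA cert is missing from the client's trust store
	case errors.As(err, &hostErr):
		return "hostname mismatch" // dialed name does not match the cert's names
	default:
		return "other: " + err.Error()
	}
}

func main() {
	pki, err := BuildPKI("ldap.example.org") // constructed hostname
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(pki.CA) // equivalent of pointing TLS_CACERT at the CA cert
	fmt.Println("server cert subject CN:", pki.Server.Subject.CommonName)
	fmt.Println("trusted CA, dialed ldap.example.org:", Classify(pki.Server, trusted, "ldap.example.org"))
	fmt.Println("empty trust store, dialed ldap.example.org:", Classify(pki.Server, x509.NewCertPool(), "ldap.example.org"))
	fmt.Println("trusted CA, dialed localhost:", Classify(pki.Server, trusted, "localhost"))
}
```

Running it prints "ok" for the first case, "unknown CA" for the empty trust store and "hostname mismatch" when the client dials localhost, which is why the thread asks both for the subject DN of the server cert and whether TLS_CACERT points at the same CA file that openssl s_client was given.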