[Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA

Richard Megginson rmeggins at redhat.com
Fri Jun 2 18:29:29 UTC 2006


Jeff Gamsby wrote:
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>
>>> Jeff Gamsby
>>> Center for X-Ray Optics
>>> Lawrence Berkeley National Laboratory
>>> (510) 486-7783
>>>
>>>
>>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using a 
>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can 
>>>>> start FDS in SSL mode, but when I run
>>>>> ldapsearch -x -ZZ  I get TLS trace: SSL3 alert write:fatal:unknown 
>>>>> CA.
>>>> Did you follow this - 
>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>> I did, but that didn't work for me. The only thing that I did this 
>>> time was generate a request from the "Manage Certificates", sign the 
>>> request using my OpenSSL CA, and install the Server and CA Certs. 
>>> Then I turned on SSL in the Admin console, and restarted the server.
>>>
>>> When I followed the instructions from the link, I couldn't even get 
>>> FDS to start in SSL mode.
>> One problem may be that ldapsearch is trying to verify the hostname 
>> in your server cert, which is the value of the cn attribute in the 
>> leftmost RDN in your server cert's subject DN.  What is the subject 
>> DN of your server cert?  You can use certutil -L -n Server-Cert as 
>> specified in the Howto:SSL to print your cert.
>
> Sorry. I missed the -P option.
>
> running ../shared/bin/certutil -L -d . -P slapd-server- -n 
> "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA 
> host (ran on same machine)
Hmm - try ldapsearch with the -v (or -d?) option to get some debugging info.
>
>>>>>
>>>>> In /etc/ldap.conf, I have put in
>>>>> TLS_CACERT /path/to/cert
>>>> Is this the same /path/to/cacert.pem as below?
>>> Yes
>>>>> TLSREQCERT allow
>>>>> ssl on
>>>>> ssl start_tls
>>>>>
>>>>> If I run
>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile 
>>>>> /path/to/cacert.pem
>>>>>
>>>>> It looks OK
>>>>>
>>>>> Please help
>>>>>
>>>>> Thanks
>>>>>
>>>> ------------------------------------------------------------------------ 
>>>>
>>>>
>>>> -- 
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>   
>>>
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> ------------------------------------------------------------------------
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>   
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20060602/4fde7bf7/attachment.bin>


More information about the 389-users mailing list