[389-users] Problems with SSL

Ski Kacoroski ckacoroski at nsd.org
Wed Mar 3 19:14:04 UTC 2010


Ok, I got the admin server to partially work (took a while to figure out 
that it uses a different way to get the password from a file for a 
restart).  So it works, but even though the cert path is ok and the cert 
is ok for SSL server and SSL client, I am getting this warning on logon:

"The certificate this server present is either untrusted or unknown.
  This server can only communicate through a secure connection
  involving a certificate.
  Do you wish to accept this certificate anyway?
"

When I look at the details I see:

"this certificate does not contain the correct site name"

I am guessing this is because I am using my "*.nsd.org" cert and the 
admin server requires a specific named cert.  Does that sound correct to 
you?

Again, thanks for your help.

cheers,

ski

On 03/03/2010 10:29 AM, Ski Kacoroski wrote:
> Rich & Rob,
>
> I am making some progress.  I got it to work partially.  My problem was
> that it did not like the default digicert root cert (the one I see by
> linking to /usr/lib64/libnssckbi.so).  When I installed the digicert
> root cert that came with the server cert, it worked.  I figured this out
> by looking at the server cert certification path and seeing it was broken.
>
> So I am now trying to turn it on for the console by ticking the checkbox
> (the admin server is next).  It seems to work as I can save the setting
> and then I restart the services.  However, when I go into the console
> and try to either "Manage Certs" or choose Configuration->Encryption I
> get a dialog that shows up twice:
>
> "An error has occurred, Could not open file (null).  File does not exist
> or filename is invalid."
>
> I am able to untick the use ssl in console option and then I can manage
> my certs again.
>
> Any ideas on what is going on here?
>
> Again, thanks very much for your help.
>
> cheers,
>
> ski
>
> On 03/03/2010 08:46 AM, Rich Megginson wrote:
>> Ski Kacoroski wrote:
>>> Ok, looks like I need to reboot the entire server to get the admin
>>> console stop server functionality to work.
>> You probably could have just restarted the directory server and admin
>> server:
>> service dirsrv restart
>> service dirsrv-admin restart
>>> Now, has anyone had any luck
>>> using a * cert with the 389 server?
>>>
>> What problems are you having still?
>>> cheers,
>>>
>>> ski
>>>
>>> On 03/02/2010 03:24 PM, Ski Kacoroski wrote:
>>>
>>>> Hi,
>>>>
>>>> I am having problems with SSL setup.  First I tried via the admin
>>>> console to use our company's star cert, but no matter what pin/password
>>>> I picked for the keystore, when I tried to restart the server it would
>>>> not accept my pin/password that I had just entered.  I then gave up and
>>>> ran the setupssl2.sh script and this worked except that it threw an
>>>> error when trying to modify the directory to turn on ssl.  So I went in
>>>> via the admin console and was able to turn on ssl for the admin console
>>>> and my directory.  The problem now is that I cannot stop the server from
>>>> the admin console (I can start it ok).  I just get a dialog with
>>>> "Directory Server nsd-org could not be stopped".  Any ideas on why when
>>>> I can start the server ok?  Also has anyone else made this work with a
>>>> star cert?
>>>>
>>>> cheers,
>>>>
>>>> ski
>>>>
>>>>
>>>
>>>
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

-- 
"When we try to pick out anything by itself, we find it
  connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, ckacoroski at nsd.org, 206-501-9803
or ski98033 on most IM services
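
Added example, not part of the original message or of the 389 project's code: a small checker for which host names a wildcard certificate name such as "*.nsd.org" covers, using the common whole-label wildcard rules (RFC 6125 style). The function names and the sample host names are constructed for illustration; the wildcard restrictions applied are stated in the comments as assumptions.

```python
import ipaddress

def _is_ip(name):
    """True if `name` parses as an IPv4/IPv6 address literal."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def name_matches(pattern, host):
    """Return True if certificate DNS name `pattern` covers `host`."""
    pattern = pattern.rstrip(".").lower()   # DNS names compare case-insensitively
    host = host.rstrip(".").lower()
    if not pattern or not host or _is_ip(host):
        return False                        # IP literals never match DNS-name entries
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if "*" not in pattern:
        return p_labels == h_labels         # plain name: exact match only
    # Assumption (conservative policy): the wildcard must be the entire
    # leftmost label and be followed by at least two literal labels,
    # so "*.org", "a.*.org" and "l*.nsd.org" are all rejected.
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]) or len(p_labels) < 3:
        return False
    # "*" stands for exactly one non-empty label, never zero or several.
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])

def covering_names(cert_names, host):
    """Certificate names that cover `host`; an empty list means a name mismatch."""
    return [n for n in cert_names if name_matches(n, host)]

# Constructed sample: DNS names as they might appear in a certificate.
CERT_NAMES = ["*.nsd.org"]
# Constructed names a client might use to reach a server.
SAMPLE_HOSTS = ["ldap.nsd.org", "nsd.org", "ldap.dir.nsd.org", "ldap", "10.0.0.5"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:20} -> {covering_names(CERT_NAMES, h) or 'no match'}")
```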


