[389-users] Problems with SSL
Ski Kacoroski
ckacoroski at nsd.org
Wed Mar 3 19:29:46 UTC 2010
Ah, I do not get this error when I connect to the IP, only to the
hostname. I am also getting a lot of notices for:
admserv_host_ip_check: ap_get_remote_host could not resolve 10.1.9.10
even though I have defined in the /etc/hosts file and in dns:
;; ANSWER SECTION:
10.9.1.10.in-addr.arpa. 86400 IN PTR ldaptest.nsd.org.
Very strange.
ski
On 03/03/2010 11:14 AM, Ski Kacoroski wrote:
> Ok, I got the admin server to partially work (took a while to figure out
> that it uses a different way to get the password from a file for a
> restart). So it works, but even though the cert path is ok and the cert
> is ok for SSL server and SSL client, I am getting this warning on logon:
>
> "The certificate this server present is either untrusted or unknown.
> This server can only communicate through a secure connection
> involving a certificate.
> Do you wish to accept this certificate anyway?
> "
>
> When I look at the details I see:
>
> "this certificate does not contain the correct site name"
>
> I am guessing this is because I am using my "*.nsd.org" cert and the
> admin server requires a specific named cert. Does that sound correct to
> you?
>
> Again, thanks for your help.
>
> cheers,
>
> ski
>
> On 03/03/2010 10:29 AM, Ski Kacoroski wrote:
>> Rich & Rob,
>>
>> I am making some progress. I got it to work partially. My problem was
>> that it did not like the default digicert root cert (the one I see by
>> linking to /usr/lib64/libnssckbi.so). When I installed the digicert
>> root cert that came with the server cert, it worked. I figured this out
>> by looking at the server cert certification path and seeing it was broken.
>>
>> So I am now trying to turn it on for the console by ticking the checkbox
>> (the admin server is next). It seems to work as I can save the setting
>> and then I restart the services. However, when I go into the console
>> and try to either "Manage Certs" or choose Configuration->Encryption I
>> get a dialog that shows up twice:
>>
>> "An error has occurred, Could not open file (null). File does not exist
>> or filename is invalid."
>>
>> I am able to untick the use ssl in console option and then I can manage
>> my certs again.
>>
>> Any ideas on what is going on here?
>>
>> Again, thanks very much for your help.
>>
>> cheers,
>>
>> ski
>>
>> On 03/03/2010 08:46 AM, Rich Megginson wrote:
>>> Ski Kacoroski wrote:
>>>> Ok, looks like I need to reboot the entire server to get the admin
>>>> console stop server functionality to work.
>>> You probably could have just restarted the directory server and admin
>>> server:
>>> service dirsrv restart
>>> service dirsrv-admin restart
>>>> Now, has anyone had any luck
>>>> using a * cert with the 389 server?
>>>>
>>> What problems are you having still?
>>>> cheers,
>>>>
>>>> ski
>>>>
>>>> On 03/02/2010 03:24 PM, Ski Kacoroski wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am having problems with SSL setup. First I tried via the admin
>>>>> console to use our company's star cert, but no matter what pin/password
>>>>> I picked for the keystore, when I tried to restart the server it would
>>>>> not accept my pin/password that I had just entered. I then gave up and
>>>>> ran the setupssl2.sh script and this worked except that it threw an
>>>>> error when trying to modify the directory to turn on ssl. So I went in
>>>>> via the admin console and was able to turn on ssl for the admin console
>>>>> and my directory. The problem now is that I cannot stop the server from
>>>>> the admin console (I can start it ok). I just get a dialog with
>>>>> "Directory Server nsd-org could not be stopped". Any ideas on why when
>>>>> I can start the server ok? Also has anyone else made this work with a
>>>>> star cert?
>>>>>
>>>>> cheers,
>>>>>
>>>>> ski
>>>>>
>>>>>
>>>>
>>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>
--
"When we try to pick out anything by itself, we find it
connected to the entire universe" John Muir
Chris "Ski" Kacoroski, ckacoroski at nsd.org, 206-501-9803
or ski98033 on most IM services
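
Added example, not part of the original messages and not 389 Directory Server code: a check of which host names a wildcard certificate name such as "*.nsd.org" covers, which is the comparison behind the "does not contain the correct site name" warning. It assumes RFC 6125-style rules (wildcard only as the whole left-most label, standing for exactly one label); the function names are hypothetical and the console's own checks may differ.

```python
# Added example: RFC 6125-style matching of a requested host name against
# the DNS names in a certificate. Host names below are constructed samples.

def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def dns_name_matches(pattern, hostname):
    """True if a certificate name such as '*.nsd.org' covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if not p or not h or len(p) != len(h) or "" in p or "" in h:
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if "*" not in pattern:
        return p == h
    # Conservative choice: '*' must be the whole left-most label, and the
    # pattern must keep at least two fixed labels (no '*.org').
    if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
        return False
    return p[1:] == h[1:]


def covering_names(cert_names, hostname):
    """Return the certificate names that cover hostname (empty = mismatch)."""
    return [n for n in cert_names if dns_name_matches(n, hostname)]


if __name__ == "__main__":
    cert_names = ["*.nsd.org"]  # the wildcard name mentioned in the thread
    for host in ["ldaptest.nsd.org", "LDAPTEST.nsd.org.", "nsd.org",
                 "ldaptest", "ldaptest.dir.nsd.org"]:
        hits = covering_names(cert_names, host)
        print(f"{host:24} {'ok via ' + hits[0] if hits else 'NAME MISMATCH'}")
```

The name to test is the one the client actually uses to connect: a short name or a name one level deeper than the wildcard is reported as a mismatch even when the certificate chain itself validates.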