[389-users] Problems with SSL

Ski Kacoroski ckacoroski at nsd.org
Wed Mar 3 19:29:46 UTC 2010 

Ah, I do not get this error when I connect to the IP, only to the 
hostname.  I am also getting a lot of notices for:

admserv_host_ip_check: ap_get_remote_host could not resolve 10.1.9.10

even though I have defined in the /etc/hosts file and in dns:

;; ANSWER SECTION:
10.9.1.10.in-addr.arpa.	86400	IN	PTR	ldaptest.nsd.org.

Very strange.

ski

On 03/03/2010 11:14 AM, Ski Kacoroski wrote:
> Ok, I got the admin server to partially work (took a while to figure out
> that it uses a different way to get the password from a file for a
> restart).  So it works, but even though the cert path is ok and the cert
> is ok for SSL server and SSL client, I am getting this warning on logon:
>
> "The certificate this server present is either untrusted or unknown.
>    This server can only communicate through a secure connection
>    involving a certificate.
>    Do you wish to accept this certificate anyway?
> "
>
> When I look at the details I see:
>
> "this certificate does not contain the correct site name"
>
> I am guessing this is because I am using my "*.nsd.org" cert and the
> admin server requires a specific named cert.  Does that sound correct to
> you?
>
> Again, thanks for your help.
>
> cheers,
>
> ski
>
> On 03/03/2010 10:29 AM, Ski Kacoroski wrote:
>> Rich&   Rob,
>>
>> I am making some progress.  I got it to work partially.  My problem was
>> that it did not like the default digicert root cert (the one I see by
>> linking to /usr/lib64/libnssckbi.so).  When I installed the digicert
>> root cert that came with the server cert, it worked.  I figured this out
>> by looking at the server cert certification path and seeing it was broken.
>>
>> So I am now trying to turn it on for the console by ticking the checkbox
>> (the admin server is next).  It seems to work as I can save the setting
>> and then I restart the services.  However, when I go into the console
>> and try to either "Manage Certs" or choose Configuration->Encryption I
>> get a dialog that shows up twice:
>>
>> "An error has occurred, Could not open file (null).  File does not exist
>> or filename is invalid."
>>
>> I am able to untick the use ssl in console option and then I can manage
>> my certs again.
>>
>> Any ideas on what is going on here.
>>
>> Again, thanks very much for your help.
>>
>> cheers,
>>
>> ski
>>
>> On 03/03/2010 08:46 AM, Rich Megginson wrote:
>>> Ski Kacoroski wrote:
>>>> Ok, looks like I need to reboot the entire server to get the admin
>>>> console stop server functionality to work.
>>> You probably could have just restarted the directory server and admin
>>> server:
>>> service dirsrv restart
>>> service dirsrv-admin restart
>>>> Now, has anyone had any luck
>>>> using a * cert with the 389 server?
>>>>
>>> What problems are you having still?
>>>> cheers,
>>>>
>>>> ski
>>>>
>>>> On 03/02/2010 03:24 PM, Ski Kacoroski wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am having problems with SSL setup.  First I tried via the admin
>>>>> console to use our company's star cert, but no matter what [in/password
>>>>> I picked for the keystore, when I tried to restart the server it would
>>>>> not accept my pin/password that I had just entered.  I then gave up and
>>>>> ran the setupssl2.sh script and this worked except that it threw an
>>>>> error when trying to modify the directory to turn on ssl.  So I went in
>>>>> via the admin console and was able to turn on ssl for the admin console
>>>>> and my directory.  The problem now is that I cannot stop the server from
>>>>> the admin console (I can start it ok).  I just get a dialog with
>>>>> "Directory Server nsd-org could not be stopped".  Any ideas on why when
>>>>> I can start the server ok?  Also has any one else made this work with a
>>>>> star cert?
>>>>>
>>>>> cheers,
>>>>>
>>>>> ski
>>>>>
>>>>>
>>>>
>>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>

-- 
"When we try to pick out anything by itself, we find it
  connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, ckacoroski at nsd.org, 206-501-9803
or ski98033 on most IM services

More information about the 389-users mailing list