[389-users] Problems with SSL

Rich Megginson rmeggins at redhat.com
Thu Mar 4 03:06:51 UTC 2010


Ski Kacoroski wrote:
> Ok, I got the admin server to partially work (took a while to figure out 
> that it uses a different way to get the password from a file for a 
> restart).  So it works, but even though the cert path is ok and the cert 
> is ok for SSL server and SSL client, I am getting this warning on logon:
>
> "The certificate this server present is either untrusted or unknown.
>   This server can only communicate through a secure connection
>   involving a certificate.
>   Do you wish to accept this certificate anyway?
> "
>
> When I look at the details I see:
>
> "this certificate does not contain the correct site name"
>
> I am guessing this is because I am using my "*.nsd.org" cert and the 
> admin server requires a specific named cert.  Does that sound correct to 
> you?
>   
No.  If the server cert works with the directory server, it should work 
with the admin server too.

Did you import the pkcs12 file into the admin server too?  Did you 
import the correct CA cert into the admin server too?
> Again, thanks for your help.
>
> cheers,
>
> ski
>
> On 03/03/2010 10:29 AM, Ski Kacoroski wrote:
>   
>> Rich & Rob,
>>
>> I am making some progress.  I got it to work partially.  My problem was
>> that it did not like the default digicert root cert (the one I see by
>> linking to /usr/lib64/libnssckbi.so).  When I installed the digicert
>> root cert that came with the server cert, it worked.  I figured this out
>> by looking at the server cert certification path and seeing it was broken.
>>
>> So I am now trying to turn it on for the console by ticking the checkbox
>> (the admin server is next).  It seems to work as I can save the setting
>> and then I restart the services.  However, when I go into the console
>> and try to either "Manage Certs" or choose Configuration->Encryption I
>> get a dialog that shows up twice:
>>
>> "An error has occurred, Could not open file (null).  File does not exist
>> or filename is invalid."
>>
>> I am able to untick the use ssl in console option and then I can manage
>> my certs again.
>>
>> Any ideas on what is going on here.
>>
>> Again, thanks very much for your help.
>>
>> cheers,
>>
>> ski
>>
>> On 03/03/2010 08:46 AM, Rich Megginson wrote:
>>     
>>> Ski Kacoroski wrote:
>>>       
>>>> Ok, looks like I need to reboot the entire server to get the admin
>>>> console stop server functionality to work.
>>>>         
>>> You probably could have just restarted the directory server and admin
>>> server:
>>> service dirsrv restart
>>> service dirsrv-admin restart
>>>       
>>>> Now, has anyone had any luck
>>>> using a * cert with the 389 server?
>>>>
>>>>         
>>> What problems are you having still?
>>>       
>>>> cheers,
>>>>
>>>> ski
>>>>
>>>> On 03/02/2010 03:24 PM, Ski Kacoroski wrote:
>>>>
>>>>         
>>>>> Hi,
>>>>>
>>>>> I am having problems with SSL setup.  First I tried via the admin
>>>>> console to use our company's star cert, but no matter what pin/password
>>>>> I picked for the keystore, when I tried to restart the server it would
>>>>> not accept my pin/password that I had just entered.  I then gave up and
>>>>> ran the setupssl2.sh script and this worked except that it threw an
>>>>> error when trying to modify the directory to turn on ssl.  So I went in
>>>>> via the admin console and was able to turn on ssl for the admin console
>>>>> and my directory.  The problem now is that I cannot stop the server from
>>>>> the admin console (I can start it ok).  I just get a dialog with
>>>>> "Directory Server nsd-org could not be stopped".  Any ideas on why when
>>>>> I can start the server ok?  Also has any one else made this work with a
>>>>> star cert?
>>>>>
>>>>> cheers,
>>>>>
>>>>> ski
>>>>>
>>>>>
>>>>>           
>>>>         
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>       
>
>   
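
The "does not contain the correct site name" dialog quoted above is the name check a client runs against the certificate the server presents. Below is an added example (not 389, NSS or Red Hat code) of the dNSName matching rules from RFC 6125 that such a check applies to a wildcard name like the "*.nsd.org" in this thread: the wildcard must be the whole left-most label and covers exactly one label, and an IP literal never matches a dNSName. The host names and certificate names in the demo are constructed for illustration, and the claim that NSS is at least this strict is an assumption on my part, not something the thread states.

```python
"""Wildcard certificate name matching (RFC 6125 dNSName rules).

Added example, not project code from 389 Directory Server or NSS.
Assumption: the console/client checks the host name it was told to
connect to against the certificate's dNSName SANs (or the subject CN
when there is no SAN), using rules at least as strict as these.
"""

import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules implemented:
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is honoured only as the entire left-most label ("l*.nsd.org" is
        rejected as a partial wildcard);
      * the wildcard matches exactly one label, so "*.nsd.org" covers
        "ldap.nsd.org" but neither "nsd.org" nor "ldap.dept.nsd.org";
      * a wildcard needs at least two labels after it ("*.org" is rejected);
      * an IP-address literal never matches a dNSName (it needs an
        iPAddress SAN entry instead).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    # IP literals are never compared against dNSName entries.
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    if "*" not in pattern:
        # Plain name: exact label-by-label match.
        return p_labels == h_labels

    # Wildcard name: whole left-most label only, no other wildcards,
    # and at least two labels to the right of it.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False

    # The wildcard consumes exactly one non-empty label.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any dNSName on the certificate covers `hostname`.

    `cert_names` is the list of dNSName SAN values; if the certificate has
    no SAN, pass the subject CN as the single entry.
    """
    return any(dns_name_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed demo values: a wildcard cert for *.nsd.org and the kinds of
    # names a console might be configured to connect to.
    cert = ["*.nsd.org"]
    for host in ("ldap.nsd.org", "LDAP.NSD.ORG.", "nsd.org",
                 "ldap.dept.nsd.org", "nsd-org", "192.0.2.10"):
        print(f"{host:20s} covered by {cert}: {cert_covers(cert, host)}")
```

The practical consequence for a wildcard certificate is that the client must be pointed at a fully qualified name the wildcard actually covers (`ldap.nsd.org`, not a short host name or an IP address); if the name in the console's server entry is one of the non-matching forms above, the name-mismatch warning appears even when the certificate and its CA chain are imported correctly.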



