[389-users] SSL certificate issue

s.varadha rajan rajanvaradhu at gmail.com
Wed Jul 13 13:05:28 UTC 2011


I am trying to implement two 389-ds with SSL replication. Replication is
working without SSL. When I try to configure SSL-enabled 389-ds, I am
getting the error:

"[13/Jul/2011:17:38:37 +051800] - SSL alert: CERT_VerifyCertificateNow:
verify certificate failed for cert Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
Peer's Certificate issuer is not recognized.)
[13/Jul/2011:17:38:37 +051800] - SSL failure: None of the cipher are valid"

*I did the following as per my environment:*
1. My system name is varad.india.xxx.com. We have a certificate
star.india.xxx.com and .pem files, which are used commonly for Apache and
other related services, so I am planning to import that certificate to my
fedora-ds system.

A). openssl pkcs12 -export -inkey star_dot_india_xxx_key.pem -in star_dot_india_xxx_cert.crt -out crt.p12 -nodes -name 'Server-Cert' ==> command went fine

B). pk12util -i <location>/crt.p12 -d . ==> command went fine

C). As per the Fedora doc, they specified "certutil -d
/etc/dirsrv/slapd-INSTANCE -A -n "My Local CA" -t CT,, -a -i
/path/to/ca.pem", so I tried this option as,

#root@varad:/home/sslforldap# certutil -d /etc/dirsrv/slapd-varad -A -n "Server-Cert" -t u,u,u -a -i star_dot_india_xxx_cert.crt
got an error ==> certutil: function failed: security library: bad database.

and then tried as

#certutil -d /etc/dirsrv/slapd-varad -A -n "Server-Cert" -t u,u,u -a -i star_dot_india_xxx_cert.crt ==> went fine

D). Added the relevant details in the dse.ldif and restarted the dirsrv, but I
got the above error.

E).For your information,

root@varad:/home/sslforldap# certutil -L -d .

Certificate Nickname                                         Trust


XXX XXX CA                                                   u,u,u

How can I proceed further?
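
A check for the condition named in the alert above, as an added example that is not part of the original post: it parses the alert and a `certutil -L` listing, then reports whether the nickname from the alert is in that listing and whether any entry carries `C` (trusted CA) in the SSL trust column. The sample data is copied from the post; the function names are assumptions.

```python
import re

# Sample data copied from the post above (log line re-joined after mail wrapping).
ERROR_LOG = (
    "[13/Jul/2011:17:38:37 +051800] - SSL alert: CERT_VerifyCertificateNow: "
    "verify certificate failed for cert Server-Cert of family "
    "cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - "
    "Peer's Certificate issuer is not recognized.)"
)
CERTUTIL_L = """
Certificate Nickname                                         Trust

XXX XXX CA                                                   u,u,u
"""

ALERT_RE = re.compile(r"verify certificate failed for cert (.+?) of family .*?error (-\d+)")
ENTRY_RE = re.compile(r"^(.+?)\s+([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)\s*$")


def parse_alert(line):
    """Return (nickname, NSPR error code) from a 389-ds SSL alert, or None."""
    m = ALERT_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None


def parse_listing(text):
    """Map nickname -> (SSL, S/MIME, object-signing) trust flags from `certutil -L`."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)] = m.groups()[1:]
    return entries


def diagnose(alert_line, listing):
    """List the conditions in the listed database that match the alert."""
    findings = []
    parsed = parse_alert(alert_line)
    if parsed is None:
        return findings
    nickname, code = parsed
    entries = parse_listing(listing)
    if nickname not in entries:
        findings.append(f"nickname {nickname!r} not in this database")
    # -8179 is SEC_ERROR_UNKNOWN_ISSUER: check for a trusted CA for SSL ('C').
    if code == -8179 and not any("C" in ssl for ssl, _, _ in entries.values()):
        findings.append("no certificate has 'C' (trusted CA) in the SSL trust column")
    return findings
```

Calling `diagnose(ERROR_LOG, CERTUTIL_L)` returns both findings for the listing shown in the post; feed it the `certutil -L` output of the directory the server actually reads to check that database.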
