[389-users] SSL certificate issue

s.varadha rajan rajanvaradhu at gmail.com
Thu Jul 14 07:29:17 UTC 2011


Hi,

Thanks for the reply, but I have a problem with my system enabling
SSL; only then can I go for the consumer and then replication, etc.

My system name is varad.india.xxx.com and I have to use the
"star_dot_india_xxx_cert.crt" certificate, which is used for Apache and
other web-related applications. So first I need to install the certificate and
enable secure 389-ds, that is, ldaps. Only then can I go on to the other system
and proceed with the replication process.

In such a case, what is the solution?

Regards,
Varad

2011/7/13 solarflow99 <solarflow99 at gmail.com>

> I had this error, and it was the CA not being imported correctly as you
> mentioned.  I used the certutil and pk12util commands to import and export
> all the certs:
>
> http://directory.fedoraproject.org/wiki/Howto:SSL#Create_and_Export_a_Replication_Consumer_cert
>
>
>
> 2011/7/13 s.varadha rajan <rajanvaradhu at gmail.com>
>
>> Hi,
>>
>> I am trying to implement two 389-ds with SSL replication. Replication is
>> working without SSL. When I try to configure SSL-enabled 389-ds, I am
>> getting the error:
>>
>> "[13/Jul/2011:17:38:37 +051800] - SSL alert: CERT_VerifyCertificateNow:
>> verify certificate failed for cert Server-Cert of family
>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
>> Peer's Certificate issuer is not recognized.)
>> [13/Jul/2011:17:38:37 +051800] - SSL failure: None of the cipher are
>> valid"
>>
>> *I did the following as per my environment:*
>>
>> 1. My system name is varad.india.xxx.com. We have a certificate
>> star.india.xxx.com and .pem files, which are used commonly for Apache and
>> other related services, so I am planning to import that certificate to my
>> fedora-ds system.
>>
>> A).openssl pkcs12 -export -inkey star_dot_india_xxx_key.pem -in
>> star_dot_india_xxx_cert.crt -out crt.p12 -nodes -name 'Server-Cert' ==>
>> command went fine
>>
>> B).pk12util -i <location>/crt.p12 -d . ==> command went fine
>>
>> C). As per the Fedora doc, they specified "certutil -d
>> /etc/dirsrv/slapd-INSTANCE -A -n "My Local CA" -t CT,, -a -i
>> /path/to/ca.pem", so I tried this option as:
>>
>>  #root at varad:/home/sslforldap# certutil -d /etc/dirsrv/slapd-varad -A -n
>> "Server-Cert" -t u,u,u -a -i star_dot_india_xxx_cert.crt
>> got an error ==>certutil: function failed: security library: bad database.
>>
>> and then tried as
>>
>> #certutil -d /etc/dirsrv/slapd-varad -A -n "Server-Cert" -t u,u,u -a -i
>> star_dot_india_xxx_cert.crt ==> went fine
>>
>> D). Added the relevant details in dse.ldif and restarted dirsrv, but
>> I got the above error.
>>
>> E).For your information,
>>
>> root at varad:/home/sslforldap# certutil -L -d .
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> XXX XXX CA                                                   u,u,u
>>
>>
>> How can I proceed further?
>>
>> Regards,
>> Varad
>>
>>
>>
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>
>
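
[Added example, not part of the original messages or of the 389-ds project.] The thread's -8179 "issuer is not recognized" error is attributed by solarflow99 to the CA not being imported correctly, so this sketch checks a `certutil -L` listing for a CA carrying the `C` SSL trust flag and for the server nickname carrying `u`. The function name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `certutil -L` output for the entries an SSL-enabled
# 389-ds instance needs. Function name and sample listings are constructed.

# audit_nss_listing NICKNAME   (listing text on stdin)
# Prints one line per finding; returns 0 if both entries exist, 1 otherwise.
audit_nss_listing() {
    awk -v nick="$1" '
        # Data rows end in three comma-separated trust fields (SSL,S/MIME,JAR/XPI),
        # e.g. "CT,," or "u,u,u". Header and blank lines do not match.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
            split($NF, col, ",")                     # col[1] = SSL trust flags
            # "u": the database holds the private key for this certificate.
            if (name == nick && col[1] ~ /u/) have_server = 1
            # "C": trusted CA for issuing server certificates.
            if (col[1] ~ /C/) have_ca = 1
        }
        END {
            if (!have_server) print "MISSING: " nick " with private key (u flag)"
            if (!have_ca) print "MISSING: CA trusted for SSL (C flag)"
            rc = (have_server && have_ca) ? 0 : 1
            exit rc
        }'
}

# Constructed listing shaped like the one in the thread: one entry, no trusted CA.
LISTING_FROM_THREAD='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX XXX CA                                                   u,u,u'

# Constructed listing after a CA import with -t CT,, plus a PKCS#12 import.
LISTING_WITH_CA='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

My Local CA                                                  CT,,
Server-Cert                                                  u,u,u'

# Against a live database: certutil -L -d /etc/dirsrv/slapd-INSTANCE | audit_nss_listing Server-Cert
printf '%s\n' "$LISTING_FROM_THREAD" | audit_nss_listing Server-Cert || true
```
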