[389-users] Question on certificate storage
Rich Megginson
rmeggins at redhat.com
Fri Sep 23 19:44:08 UTC 2011
On 09/23/2011 01:24 PM, Orion Poplawski wrote:
> I'm trying to set up MMR with another office site. We're trying to connect
> over SSL, but my server gives the error:
>
> [23/Sep/2011:12:00:56 -0600] slapi_ldap_bind - Error: could not send bind
> request for id [cn=Replication Manager,cn=config] mech [SIMPLE]: error 81
> (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not
> recognized.) 11 (Resource temporarily unavailable)
>
> I've added what I believe are the proper CA certs (it is a chain of 3) for the
> remote server to my directory server via the 389-console and manage
> certificates.
Did it have 3 in a single file, or 3 different files?
> However, I noticed that when I use certutil on the server to
> list the certificates, I don't see them:
>
> # certutil -d /etc/dirsrv/slapd-cora/ -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA certificate                                               CT,,
> server-cert                                                  u,u,u
>
> I would have thought they would be stored in the same place.
They should be.
> If not, where
> are the ones listed in the console stored?
Good question.
> Does it matter that they aren't
> showing up with certutil?
Yes.
Are these chained to a well-known root CA? If so, you can add those to
the directory server CA certs list:
http://directory.fedoraproject.org/wiki/Howto:SSL#Viewing_the_list_of_built-in_CA_certs
> Anything else I can do to debug the SSL connection?
It may just be that if there is more than one CA cert in the file only
the first or last is added.
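Added example (not from this thread or the 389 project): a small POSIX shell helper that splits a PEM bundle into one file per certificate and imports each into the NSS database with its own `certutil -A` call, so that a multi-certificate file can never be silently reduced to one entry. The NSS database path `/etc/dirsrv/slapd-cora` and the trust flags `CT,,` are taken from the thread; the bundle file name `remote-ca-chain.pem`, the nickname prefix `remote-ca` and the scratch directory are assumptions. `show_peer_chain` is a generic debugging step using `openssl s_client`, not something named in the thread.

```shell
#!/bin/sh
# Example helper for importing a CA chain into an NSS database one
# certificate at a time. Not part of the 389-users thread or of 389-ds.
set -eu

# split_pem_bundle BUNDLE OUTDIR
# Copies every "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block found in BUNDLE into OUTDIR/cert-N.pem (N = 1, 2, ...) and prints the
# number of blocks found. Text outside the BEGIN/END markers (such as the
# "subject=" lines that openssl prints in front of each cert) is dropped.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# import_ca_chain NSSDB OUTDIR PREFIX
# Imports each split certificate as a trusted CA under a distinct nickname
# (PREFIX-1, PREFIX-2, ...), then lists the database so the result can be
# compared against the console. One certutil -A call per file means each
# certificate is added explicitly, whatever certutil does with a
# multi-certificate input file. Requires certutil from nss-tools.
import_ca_chain() {
    nssdb=$1
    dir=$2
    prefix=$3
    i=0
    for f in "$dir"/cert-*.pem; do
        i=$((i + 1))
        certutil -d "$nssdb" -A -n "$prefix-$i" -t "CT,," -a -i "$f"
    done
    certutil -d "$nssdb" -L
}

# show_peer_chain HOST PORT
# Prints the subject (s:) and issuer (i:) of every certificate the remote
# replica presents on its LDAPS port, so it can be checked against what was
# imported. Assumes openssl is installed; HOST and PORT are placeholders.
show_peer_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
        grep -E '^ *[0-9]+ s:|^ *i:'
}

# Usage on the directory server (assumed paths and names):
#   sh import-chain.sh --import remote-ca-chain.pem /etc/dirsrv/slapd-cora
# Nothing runs unless --import is given, so the functions can be sourced
# and used individually.
if [ "${1-}" = "--import" ] && [ $# -eq 3 ]; then
    scratch=$(mktemp -d)
    count=$(split_pem_bundle "$2" "$scratch")
    echo "found $count certificate(s) in $2"
    import_ca_chain "$3" "$scratch" remote-ca
fi
```

Intermediate CAs could instead be stored with empty trust (`,,`) so that trust is anchored only on the root; the thread's existing `CA certificate` entry uses `CT,,`, so the example keeps that. After the import, `certutil -L` should show one `remote-ca-N` line per certificate in the chain, which is the check the thread was missing.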