[389-users] Question on certificate storage

Fri Sep 23 20:58:19 UTC 2011

On 09/23/2011 02:53 PM, Orion Poplawski wrote:
> On 09/23/2011 01:44 PM, Rich Megginson wrote:
>> On 09/23/2011 01:24 PM, Orion Poplawski wrote:
>>> I'm trying to setup MMR with another office site. We're trying to 
>>> connect
>>> over SSL, but my server gives the error:
>>>
>>> [23/Sep/2011:12:00:56 -0600] slapi_ldap_bind - Error: could not send 
>>> bind
>>> request for id [cn=Replication Manager,cn=config] mech [SIMPLE]: 
>>> error 81
>>> (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not
>>> recognized.) 11 (Resource temporarily unavailable)
>>>
>>> I've added what I believe are the proper CA certs (it is a chain of 
>>> 3) for the
>>> remote server to my directory server via the 389-console and manage
>>> certificates.
>
>> Did it have 3 in a single file, or 3 different files?
>
> 3 in a single file.  I noticed that certutil and the console only 
> seemed to import the first one so I also imported the other two 
> individually.
>
>>> However, I noticed that when I use certutil on the server to
>>> list the certificates, I don't see them:
>>>
>>> # certutil -d /etc/dirsrv/slapd-cora/ -L
>>>
>>> Certificate Nickname Trust Attributes
>>> SSL,S/MIME,JAR/XPI
>>>
>>> CA certificate CT,,
>>> server-cert u,u,u
>>>
>>> I would have thought they would be stored in the same place.
>> They should be.
>>> If not, where
>>> are the one listed in the console stored?
>
>> Good question.
>
>>> Does it matter that they aren't
>>> showing up with certutil?
>
>> Yes.
>
> That's what I thought so I used certutil as well.  The console then 
> showed those entries with the names I gave them with certutil.
So they are showing up in the console but not certutil?  Any difference 
between
certutil -d /etc/dirsrv/slapd-hostname -L
and
certutil -d /etc/dirsrv/admin-serv -L
?  That is, perhaps they were added to the admin server but not the 
directory server?
>
>> Are these chained to a well-known root CA? If so, you can add those 
>> to the
>> directory server CA certs list:
>> http://directory.fedoraproject.org/wiki/Howto:SSL#Viewing_the_list_of_built-in_CA_certs 
>>
>
> The top in the bundle is www.valicert.com, for which I haven't had 
> trouble with for browsers and the like.  I'm not having any luck with 
> linking in the library and seeing the root CAs.
so if you link the library, and then do
certutil -d /etc/dirsrv/slapd-hostname -L
you don't see any of those CA certs?

Try stopping the directory server before using certutil.
>
>>> Anything else I can do to debug the SSL connection?
>> It may just be that if there is more than one CA cert in the file 
>> only the
>> first or last is added.
>
> Yeah, I noticed that.
>
> The other fun thing is that it is a wildcard cert, but I'm thinking 
> that it would give some kind of hostname not matching error if that 
> was an issue. Maybe I'm wrong.
>
You should get a different error if there is a problem with the 
wildcard.  I think the problem is the certutil oddness.