[389-users] Error when starting dirsrv after enabling SSL and installing keys and certificates
Dan Lavu
dan at lavu.net
Wed Jul 17 16:23:11 UTC 2013
Sounds like your certificates are not set up correctly for that system; what are the results on the other 'working' machines?
I might have made a bad assumption: did you configure your CA cert to be used with openssl (openssl.conf)? That must be set, otherwise you will have trust errors when using openssl s_client.
On Jul 17, 2013, at 12:18 PM, Kyle Johnson <kjohnson at gnulnx.net> wrote:
> Hi Dan,
>
> Yes, dirsrv does indeed start. Here is what I receive from the openssl command (the important bits):
>
>
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ...
>
> Verify return code: 19 (self signed certificate in certificate chain)
>
>
>
> Kyle
>
>
>
> On 2013-07-17 12:04, Dan Lavu wrote:
>
>> Sorry the command is something like
>>
>> $ openssl s_client -connect localhost:443
>>
>> it's not verify…
>>
>>
>> On Jul 17, 2013, at 12:03 PM, Dan Lavu <dan at lavu.net> wrote:
>>
>>> Kyle,
>>>
>>> Does dirsrv start? If it does start, have you tried running 'openssl verify HOSTNAME:PORT' to validate the certificate?
>>>
>>> Dan
>>>
>>> On Jul 17, 2013, at 10:55 AM, Kyle Johnson <kjohnson at gnulnx.net> wrote:
>>>
>>>> Hello everyone,
>>>>
>>>> I have been receiving help from richm in the #389 channel for the last few days, but haven't made much progress, so I'd like to move the conversation somewhere a little more persistent.
>>>>
>>>> My issue is that after manually enabling SSL by following the instructions at ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled
>>>> (that is, not using the setupssl2.sh script) and installing my CA and public and private key bundle, I am receiving the following error when starting dirsrv.
>>>> I also receive this error if I run the setupssl2.sh script and then replace the certificates and keys generated by it with the ones below.
>>>>
>>>>
>>>> [root at ldap005 slapd-ldap005]# service dirsrv restart
>>>> Shutting down dirsrv:
>>>> ldap005... [ OK ]
>>>> Starting dirsrv:
>>>> ldap005...[17/Jul/2013:14:41:21 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert ldap005.infra.dfw of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8016 - unknown)
>>>> [ OK ]
>>>> [root at ldap005 slapd-ldap005]#
>>>>
>>>>
>>>> Here is a list of the installed certs:
>>>> ca001.zhv.domain.com CT,,
>>>> ldap005.infra.dfw u,u,u
>>>>
>>>>
>>>> And the installed keys:
>>>> < 0> rsa a25fae676b83cfeb52d1fdc671aa74a34ef4ee8c ldap005.infra.dfw
>>>>
>>>>
>>>> My versions of 389 are as follows:
>>>> 389-ds-console-1.2.6-1.el6.noarch
>>>> 389-ds-1.2.2-1.el6.noarch
>>>> 389-ds-base-1.2.11.15-14.el6_4.x86_64
>>>> 389-admin-console-1.1.8-1.el6.noarch
>>>> 389-ds-console-doc-1.2.6-1.el6.noarch
>>>> 389-dsgw-1.1.9-1.el6.x86_64
>>>> 389-adminutil-1.1.15-1.el6.x86_64
>>>> 389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
>>>> 389-console-1.1.7-1.el6.noarch
>>>> 389-admin-1.1.29-1.el6.x86_64
>>>> 389-admin-console-doc-1.1.8-1.el6.noarch
>>>>
>>>>
>>>> I would like to note that I have this working on another of my 389 servers, the difference being that 389-ds-base is an earlier version:
>>>> 389-console-1.1.7-1.el6.noarch
>>>> 389-ds-base-1.2.10.2-20.el6_3.x86_64
>>>> 389-admin-console-1.1.8-1.el6.noarch
>>>> 389-ds-console-doc-1.2.6-1.el6.noarch
>>>> 389-dsgw-1.1.9-1.el6.x86_64
>>>> 389-adminutil-1.1.15-1.el6.x86_64
>>>> 389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
>>>> 389-admin-1.1.29-1.el6.x86_64
>>>> 389-ds-console-1.2.6-1.el6.noarch
>>>> 389-admin-console-doc-1.1.8-1.el6.noarch
>>>> 389-ds-1.2.2-1.el6.noarch
>>>>
>>>>
>>>>
>>>> Please let me know what other information you would need to help me with troubleshooting this issue.
>>>>
>>>> Kyle Johnson
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
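Added example for this thread, not code from 389-ds or from anyone on the list: a POSIX shell script that builds a throwaway CA and two server certificates with openssl and then runs the two checks the replies above touch on against each of them. The first is chain trust, which is what openssl s_client reports as verify error 19 ("self signed certificate in certificate chain") when the issuing CA is neither configured for openssl nor passed with -CAfile. The second is the certificate's own key usage, because NSS error -8016 is SEC_ERROR_INADEQUATE_KEY_USAGE: the server certificate can chain to a trusted CA (the "CT,," entry in the NSS database) and still be rejected if its keyUsage or extendedKeyUsage does not permit TLS server operation. The CA name, the certificate names ldap-good and ldap-bad, and the check_server_cert function are all constructed for the demo.

```sh
#!/bin/sh
# Added example for this thread (not 389-ds or list-member code): issue a
# throwaway CA and two server certificates with openssl, then check each the
# way a TLS server would. Every name here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Throwaway CA; this is the certificate you would import into the NSS
# database with trust flags "CT,," and hand to openssl with -CAfile.
openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
  -subj "/CN=Example Test CA" -newkey rsa:2048 -nodes -sha256 -days 2 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert NAME EXTENSIONS: sign a leaf for NAME with the given x509v3 lines.
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$1" \
    -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf '%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# A certificate cut for TLS server use.
issue_cert ldap-good "keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:ldap-good"

# Same CA, valid chain, but a key usage no TLS server can use: this is the
# shape of an "inadequate key usage" failure, not a trust problem.
issue_cert ldap-bad "keyUsage=critical,dataEncipherment
extendedKeyUsage=clientAuth
subjectAltName=DNS:ldap-bad"

# check_server_cert NAME: returns 0 if NAME chains to the CA and its usages
# permit TLS server operation; otherwise prints the failing check, returns 1.
check_server_cert() {
  cert="$WORK/$1.crt"
  # Chain trust. Without -CAfile (or a CA configured for openssl) this is the
  # step s_client reports as "verify error:num=19".
  if ! openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1; then
    echo "$1: does not chain to the CA"
    return 1
  fi
  text=$(openssl x509 -in "$cert" -noout -text)
  ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; print; exit }')
  case "$ku" in
    *"Digital Signature"*|*"Key Encipherment"*) ;;
    *) echo "$1: keyUsage does not allow TLS server use:$ku"; return 1 ;;
  esac
  eku=$(printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
  if [ -n "$eku" ] && ! printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication'; then
    echo "$1: extendedKeyUsage does not include serverAuth:$eku"
    return 1
  fi
  echo "$1: chain and key usage OK for a TLS server"
}

check_server_cert ldap-good
check_server_cert ldap-bad || true
```

The script needs only openssl, mktemp and awk. To apply the same checks to a real server, export the leaf with certutil -L -n NICKNAME -a from the NSS database, run the openssl verify step with the CA that certutil lists as "CT,,", and read the Key Usage and Extended Key Usage lines of openssl x509 -text; when the chain verifies but those usages are wrong, reissuing the certificate is the fix, not changing trust flags.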