[389-users] Error when starting dirsrv after enabling SSL and installing keys and certificates

Wed Jul 17 16:35:59 UTC 2013

On the other working machines, the openssl command produces the same
output. 

You're correct, I didn't not configure my CA cert to be used with
openssl in openssl.cnf (on either box). 

On 2013-07-17 12:23, Dan Lavu wrote: 

> Sounds like your certificates are not setup correctly for that system, what are the results on the other 'working' machines? 
> 
> I might have made a bad assumption, did you configure your CA cert to be used with openssl? (openssl.conf) That must be set otherwise you will have trust errors when using openssl s_client . 
> 
> On Jul 17, 2013, at 12:18 PM, Kyle Johnson <kjohnson at gnulnx.net> wrote: 
> 
> Hi Dan, 
> 
> Yes, dirsrv does indeed start. Here is what I receive from the openssl command (the important bits): 
> 
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ... 
> 
> Verify return code: 19 (self signed certificate in certificate chain)
> 
> Kyle 
> 
> On 2013-07-17 12:04, Dan Lavu wrote: Sorry the command is something like 
> 
> $ openssl s_client -connect localhost:443 
> 
> it's not verify… 
> 
> On Jul 17, 2013, at 12:03 PM, Dan Lavu <dan at lavu.net> wrote: 
> Kyle,
> 
> Does dirsrv start? If it does start, have you tried running 'openssl verify HOSTNAME:PORT' to validate the certificate? 
> 
> Dan
> 
> On Jul 17, 2013, at 10:55 AM, Kyle Johnson <kjohnson at gnulnx.net> wrote:
> 
> Hello everyone,
> 
> I have been receiving help from richm in the #389 channel for the last few days, but haven't made much progress, so I'd like to move the conversation somewhere a little more persistent.
> 
> My issue is that after manually enabling SSL by following the instructions at ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled [1]
> (that is, not using the setupssl2.sh script) and installing my CA and public and private key bundle, I am receiving the following error when starting dirsrv.
> I also receive this error if I run the setupssl2.sh script and then replace the certificates and keys generated by it with the ones below.
> 
> [root at ldap005 slapd-ldap005]# service dirsrv restart
> Shutting down dirsrv:
> ldap005... [ OK ]
> Starting dirsrv:
> ldap005...[17/Jul/2013:14:41:21 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert ldap005.infra.dfw of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8016 - unknown)
> [ OK ]
> [root at ldap005 slapd-ldap005]#
> 
> Here is a list of the installed certs:
> ca001.zhv.domain.com [2] CT,,
> ldap005.infra.dfw u,u,u
> 
> And the installed keys:
> < 0> rsa a25fae676b83cfeb52d1fdc671aa74a34ef4ee8c ldap005.infra.dfw
> 
> My versions of 389 are as follows:
> 389-ds-console-1.2.6-1.el6.noarch
> 389-ds-1.2.2-1.el6.noarch
> 389-ds-base-1.2.11.15-14.el6_4.x86_64
> 389-admin-console-1.1.8-1.el6.noarch
> 389-ds-console-doc-1.2.6-1.el6.noarch
> 389-dsgw-1.1.9-1.el6.x86_64
> 389-adminutil-1.1.15-1.el6.x86_64
> 389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
> 389-console-1.1.7-1.el6.noarch
> 389-admin-1.1.29-1.el6.x86_64
> 389-admin-console-doc-1.1.8-1.el6.noarch
> 
> I would like to note that I have this working on another of my 389 servers, the difference being that 389-ds-base is an earlier version:
> 389-console-1.1.7-1.el6.noarch
> 389-ds-base-1.2.10.2-20.el6_3.x86_64
> 389-admin-console-1.1.8-1.el6.noarch
> 389-ds-console-doc-1.2.6-1.el6.noarch
> 389-dsgw-1.1.9-1.el6.x86_64
> 389-adminutil-1.1.15-1.el6.x86_64
> 389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
> 389-admin-1.1.29-1.el6.x86_64
> 389-ds-console-1.2.6-1.el6.noarch
> 389-admin-console-doc-1.1.8-1.el6.noarch
> 389-ds-1.2.2-1.el6.noarch
> 
> Please let me know what other information you would need to help me with troubleshooting this issue.
> 
> Kyle Johnson
> 
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users [3]

--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users [3]
 --
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users [3] 

--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users [3]

Links:
------
[1]
http://ry.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled
[2] http://ca001.zhv.domain.com/
[3] https://admin.fedoraproject.org/mailman/listinfo/389-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20130717/e301029f/attachment.html>