[389-users] SSL SAN Cert not trusted

Justin Edmands shockwavecs at gmail.com
Tue Jun 25 16:11:35 UTC 2013


I am trying to create a SAN cert in order to cover both of my Master LDAPS
servers.
I was hoping to have the following:

hqdirsrv1\
               > hqdirsrv
hqdirsrv2/

This will allow some of the older code to reference a single LDAP/S server
and not completely rely on one instance.

 - Creating a normal SSL cert works perfectly fine from my self-signed CA.
Fully functional server.
 - Creating a SAN cert, exporting it, and importing it to the two Masters
works fine.
 - In the Admin GUI, Manage Certificates shows the proper SAN certificate
and proper CA associated with this SAN cert.
 - Starting (or restarting after saving the encryption stuff) the directory
server succeeds, but with the following error:

[root at hqdirsrv1 slapd-hqdirsrv1]# service dirsrv start
Starting dirsrv:
    hqdirsrv1...[25/Jun/2013:11:55:45 -0400] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert-hqdirsrv-SAN of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8172 - Peer's certificate issuer has been marked as
not trusted by the user.)
                                                           [  OK  ]

Am I missing a cert or setting for a cert anywhere?

Because this is in dev right now, I trashed my old instance and started
fresh without any ldif imports, etc...same results.
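One check worth running before anything else, as an added example that is not part of the original message: NSS error -8172 is SEC_ERROR_UNTRUSTED_ISSUER, raised when the issuer's cert is in the database but does not carry the "C" (trusted CA for SSL) flag. The script below parses `certutil -L` output for a CA nickname and reports its SSL trust; the instance path `/etc/dirsrv/slapd-hqdirsrv1`, the CA nickname and the sample listings are assumptions/constructed.

```shell
#!/bin/sh
# Added example: does the CA that signed Server-Cert-hqdirsrv-SAN carry the
# "C" SSL trust flag in the instance's NSS database? On the server the
# listing comes from (path assumed):
#   certutil -L -d /etc/dirsrv/slapd-hqdirsrv1
# and, once the CA nickname is known, the trust is set with:
#   certutil -M -d /etc/dirsrv/slapd-hqdirsrv1 -n "<CA nickname>" -t "CT,,"

# issuer_ssl_trust LISTING CA_NICKNAME
# Prints the SSL column of the trust attributes for CA_NICKNAME,
# or "missing" if that nickname is not in the listing.
issuer_ssl_trust() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NR > 2 && NF >= 2 {
            flags = $NF                                  # e.g. CT,, or u,u,u
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)        # strip the flags column
            if (name == nick) { split(flags, f, ","); print f[1]; found = 1 }
        }
        END { if (!found) print "missing" }'
}

# issuer_trusted LISTING CA_NICKNAME -> ok | untrusted | missing
issuer_trusted() {
    case "$(issuer_ssl_trust "$1" "$2")" in
        *C*)     echo ok ;;
        missing) echo missing ;;
        *)       echo untrusted ;;
    esac
}

# Constructed certutil -L output in the state that yields -8172:
# the CA is present but has no trust flags at all.
BROKEN_DB='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

HQ Self-Signed CA                             ,,
Server-Cert-hqdirsrv-SAN                      u,u,u'

# The same database after certutil -M ... -t "CT,," (constructed).
FIXED_DB='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

HQ Self-Signed CA                             CT,,
Server-Cert-hqdirsrv-SAN                      u,u,u'

issuer_trusted "$BROKEN_DB" "HQ Self-Signed CA"   # untrusted
issuer_trusted "$FIXED_DB"  "HQ Self-Signed CA"   # ok
```

A server cert itself normally shows `u,u,u` (user cert with private key); it is the issuing CA's first column that must contain `C`.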