[389-users] encryption and self signed certs
Elizabeth Jones
bajones at panix.com
Thu Jul 3 18:17:35 UTC 2014
I'm suddenly stumped by self-signed certs.
I used the setupssl2.sh script to generate my certs and install them into
my ldap. I end up with this --
# certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CA certificate CTu,u,u
Server-Cert u,u,u
getent is able to see my ldap accounts and ldapsearch -ZZ returns
successfully. But I can't authenticate successfully unless I add
TLS_ReqCert allow to my ldap configs on my client. But what is weird is I
*know* that this has worked in the past.
LDAP server:
389-ds-base-1.2.11.25-1.el6.x86_64
OS 2.6.39-300.26.1.el6uek.x86_64 6.5 (Santiago)
Client:
OS 2.6.39-300.26.1.el6uek.x86_64
openssl-1.0.1e-16.el6_5.14.x86_64
nscd-2.12-1.80.el6_3.7.x86_64
nss-pam-ldapd-0.7.5-15.el6_3.2.x86_64
nss-3.13.6-2.0.1.el6_3.x86_64
openssh-5.3p1-94.el6.x86_64
When I try to authenticate I get this error message:
Jul 3 13:03:03 myserver nslcd[21796]: [495cff] ldap_result() failed:
Can't contact LDAP server
Googling this it looks like it doesn't trust my CA. But I *KNOW* that
this has worked in the past. But we have patched our clients recently and
have newer release of openssl. Does anyone have any idea of how I can get
past this?
thanks,
EJ
More information about the 389-users
mailing list