Hi,
I am trying to implement two 389-ds with SSL replication. Replication is working without SSL. When I try to configure SSL-enabled 389-ds, I am getting the error:
"[13/Jul/2011:17:38:37 +051800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
[13/Jul/2011:17:38:37 +051800] - SSL failure: None of the cipher are valid"
I did the following as per my environment:
1. My system name is varad.india.xxx.com. We have a certificate for star.india.xxx.com and .pem files, which are used commonly for Apache and other related services, so I am planning to import that certificate into my fedora-ds system.
A). openssl pkcs12 -export -inkey star_dot_india_xxx_key.pem -in star_dot_india_xxx_cert.crt -out crt.p12 -nodes -name 'Server-Cert' ==> command went fine
B). pk12util -i <location>/crt.p12 -d . ==> command went fine
C). As per the Fedora doc, they specify "certutil -d /etc/dirsrv/slapd-INSTANCE -A -n "My Local CA" -t CT,, -a -i /path/to/ca.pem", so I tried this option as:
root@varad:/home/sslforldap# certutil -d /etc/dirsrv/slapd-varad -A -n "Server-Cert" -t u,u,u -a -i star_dot_india_xxx_cert.crt ==> got an error: certutil: function failed: security library: bad database.
and then tried as
certutil -d /etc/dirsrv/slapd-varad -A -n "Server-Cert" -t u,u,u -a -i star_dot_india_xxx_cert.crt ==> went fine
D). Added the relevant details in the dse.ldif and restarted dirsrv, but I got the above error.
E). For your information:
root@varad:/home/sslforldap# certutil -L -d .
Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI
XXX XXX CA                          u,u,u
How can I proceed further?
Regards, Varad
I had this error, and it was the CA not being imported correctly, as you mentioned. I used the certutil and pk12util commands to import and export all the certs: http://directory.fedoraproject.org/wiki/Howto:SSL#Create_and_Export_a_Replication_Consumer_cert
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Hi,
Thanks for the reply, but I have a problem with my system for enabling SSL; only then will I go for the consumer and then replication, etc.
My system name is varad.india.xxx.com and I have to use the "star_dot_india_xxx_cert.crt" certificate, which is used for Apache and other web-related applications. So first I need to install the certificate and enable secure 389-ds, that is, LDAPS. Only then can I go to the other system and proceed with the replication process.
In such a case, what is the solution?
Regards, Varad
On 07/14/2011 01:29 AM, s.varadha rajan wrote:
Hi,
Thanks for the reply, but I have a problem with my system for enabling SSL; only then will I go for the consumer and then replication, etc.
My system name is varad.india.xxx.com and I have to use the "star_dot_india_xxx_cert.crt" certificate, which is used for Apache and other web-related applications. So first I need to install the certificate and enable secure 389-ds, that is, LDAPS. Only then can I go to the other system and proceed with the replication process.
In such a case, what is the solution?
You need the CA cert. Do you have the CA cert in a PEM file? If so, you can add it using certutil -A: http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_an...
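The answer above comes down to whether the NSS database holds the issuing CA with CA trust flags, which is what error -8179 ("Peer's Certificate issuer is not recognized") complains about. As an added example, not code from this thread or from the 389-ds project, the Python below parses the text that `certutil -L -d <dir>` prints (the same listing Varad pasted) and reports whether any entry carries a C or T flag in the SSL trust slot. The two listings embedded in it are constructed from the thread, with a `Server-Cert` entry added for illustration; the trust-flag semantics (C and T mark a CA that NSS will accept as an issuer, u marks a user certificate) are NSS's documented meaning of the flags, not something the thread states.

```python
"""Check an NSS certificate database listing for a usable CA trust anchor.

Added example for the 389-users thread above (not from the thread or 389-ds).
Parses the output of `certutil -L -d <dir>` and reports whether any entry has a
CA trust flag (C or T) in the SSL slot. A CA added with `-t u,u,u` is stored as a
user certificate, so the server cannot use it to vouch for Server-Cert's issuer.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the listing posted in the thread (CA added with -t u,u,u),
# plus a Server-Cert entry for illustration.
LISTING_BROKEN = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX XXX CA                                                   u,u,u
Server-Cert                                                  u,u,u
"""

# Constructed sample: the same database after re-adding the CA with the trust
# flags the Fedora howto quoted in the thread uses (-t CT,,).
LISTING_FIXED = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XXX XXX CA                                                   CT,,
Server-Cert                                                  u,u,u
"""

# A data row is: nickname, two or more spaces, then three comma-separated
# trust strings built from the letters certutil uses (p P c C T u w).
_ROW_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}"
    r"(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$"
)


def parse_listing(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map nickname -> (SSL, S/MIME, JAR/XPI) trust strings, skipping headers."""
    certs: Dict[str, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue  # header and blank lines never match the flag pattern
        ssl, smime, jar = m.group("flags").split(",")
        certs[m.group("nick").strip()] = (ssl, smime, jar)
    return certs


def is_ssl_trust_anchor(ssl_flags: str) -> bool:
    """C (trusted to issue server certs) or T (trusted to issue client certs)
    in the SSL slot makes the entry an issuer NSS will recognise."""
    return "C" in ssl_flags or "T" in ssl_flags


def find_trust_anchors(text: str) -> List[str]:
    """Nicknames of all entries usable as SSL trust anchors."""
    return [nick for nick, (ssl, _, _) in parse_listing(text).items()
            if is_ssl_trust_anchor(ssl)]


def diagnose(text: str) -> str:
    """One-line verdict: ok when an anchor exists, otherwise a hint about
    entries that look like a CA but were imported with user trust only."""
    anchors = find_trust_anchors(text)
    if anchors:
        return "ok: CA trust anchors present: " + ", ".join(anchors)
    # Heuristic: nickname mentions "CA" but trust is u (user cert) only.
    ca_like = [n for n, (ssl, _, _) in parse_listing(text).items()
               if ssl == "u" and "CA" in n.upper()]
    hint = ""
    if ca_like:
        hint = ("; " + ", ".join(ca_like)
                + " imported with user trust (u) only, re-add with -t CT,,")
    return "fail: no entry carries C or T in the SSL trust slot" + hint


if __name__ == "__main__":
    print(diagnose(LISTING_BROKEN))
    print(diagnose(LISTING_FIXED))
```

Feed it the real listing with `diagnose(open("listing.txt").read())` after running `certutil -L -d /etc/dirsrv/slapd-INSTANCE > listing.txt`; the check is only about trust flags, so a database that passes can still fail verification if the anchor present is not the certificate that actually issued Server-Cert.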