[Fedora-directory-users] Peer does not recognize and trust the CA that issued your certificate.

Randall Svancara rsvancara at wsu.edu
Tue Aug 7 22:45:32 UTC 2007


To all,

I am having problems configuring TLS on FDS.  I have followed the
following tutorials for setting up keys.  I have tried both openssl and
certutil without any luck.  I have TLS working on OpenLDAP, and I have
to admit it seemed easier than FDS.

I have been using the following document:

http://directory.fedoraproject.org/wiki/Howto:SSL

When I connect my Solaris client, I see error log messages in FDS:

PR_Recv for connection 71 returns -12195 (Peer does not recognize and
trust the CA that issued your certificate.)

My fedora directory server is located on a server named utility.xyz.org

My client, which is Solaris 10, is located at test.xyz.org.

I have been creating the certificate using the following commands:

1. Open directory
   cd serverRoot/alias

2. Create password file
   vi pwdfile.txt

3. Create noise file
   vi noise.txt

4. Create databases
   serverRoot/shared/bin/certutil -N -d . -f pwdfile.txt

5. Generate encryption key
   /serverRoot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt

6. Generate self-signed certificate
   /serverRoot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt

7. Generate server certificate
   /serverRoot/shared/bin/certutil -S -n "Server-Cert" -s "cn=utility.xyz.org" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

8. Copy the key3.db and cert8.db you created to the default databases created at Directory Server installation:
   mv key3.db slapd-server-key3.db
   mv cert8.db slapd-server-cert8.db
   ln -s slapd-server-key3.db key3.db

9. Run pki tool to convert cert database to pkcs12 format
   /serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert

So at this point, under the server tab in FDS Console, I can see ca-certificate.  I can see the server-cert.  They all appear to be normal.  I have enabled SSL for this server.
I have selected the Server-Cert.  I have allowed client authentication.  I have turned off hostname checking against the certificate for outbound SSL connections.

On Solaris 10 I have successfully configured authentication to LDAP without TLS.  I enable TLS and import the cacert.asc.

certutil -N -d /var/ldap
certutil -A -n CAcert -d /var/ldap -t "TCu,Cu,Tuw" \
     -i cacert.asc
certutil -L -d /var/ldap

Some other things I have done are to use ngrep to see if there is communication on port 389 from the client to the server.  I have also looked at the Solaris logs.  I hate how Solaris logs nothing.

The key shows up in the database.  But the client cannot negotiate a tls:simple connection.  Any ideas what I am doing wrong here?

Randall
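NSS error -12195 is SSL_ERROR_UNKNOWN_CA_ALERT: the peer (here the Solaris client) sent an unknown_ca alert during the handshake, which means the client could not chain the certificate it was shown back to a CA it trusts. The script below is an added example, not code from the post above or from the Fedora Directory Server project. It rebuilds the same chain (a self-signed CA, a server certificate for utility.xyz.org issued by it) with openssl instead of certutil so it runs offline without an NSS database, then performs the two checks a client makes before it accepts or rejects that chain: does the server certificate chain to the CA the client was given, and does the name match. The CA subject CN=CAcert and the host names utility.xyz.org and test.xyz.org come from the post; the file names, the 120-day validity, the second "wrong" CA and the helper function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Fedora Directory
# Server project. Rebuilds the CA -> server-cert chain from the post with
# openssl and runs the checks a TLS client makes before it sends the
# unknown_ca alert that NSS logs on the server side as -12195.
# From the post: CN=CAcert, utility.xyz.org, test.xyz.org. Everything else
# (file names, 120-day validity, helper names, the second CA) is assumed.
set -eu

DAYS=120

# make_ca DIR NAME SUBJECT
# Self-signed CA certificate and key: DIR/NAME.pem and DIR/NAME.key.
make_ca() {
    dir=$1; name=$2; subj=$3
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
        -subj "$subj" -keyout "$dir/$name.key" -out "$dir/$name.pem" \
        >/dev/null 2>&1
}

# make_server_cert DIR CANAME HOST
# Key and CSR for HOST, signed by DIR/CANAME.pem, with a dNSName SAN so that
# hostname verification has something to match besides the CN.
make_server_cert() {
    dir=$1; ca=$2; host=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/$ca.pem" \
        -CAkey "$dir/$ca.key" -CAcreateserial -days "$DAYS" -sha256 \
        -extfile "$dir/san.ext" -out "$dir/server.pem" >/dev/null 2>&1
}

# issued_by CERT CAFILE -> "yes" | "no"
# Sanity check before shipping a CA to a client: is the CA file you exported
# (the cacert.asc in the post) actually the issuer named in the server cert?
issued_by() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" = "$subject" ]; then echo yes; else echo no; fi
}

# chain_status CAFILE CERT [HOST] -> "ok" | "unknown_ca" | "hostname_mismatch"
# Mirrors the client's two decisions: the chain must end in a CA in CAFILE
# (failing this is what produces the unknown_ca alert); then, if the client
# checks names, CERT must be issued for the host it connected to.
chain_status() {
    cafile=$1; cert=$2; host=${3:-}
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo unknown_ca
        return 0
    fi
    if [ -n "$host" ] && ! openssl verify -CAfile "$cafile" \
            -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
        echo hostname_mismatch
        return 0
    fi
    echo ok
}

# Demo: the working chain, a client that was given a different CA (the
# -12195 case), and a client that connected under another name.
demo() {
    d=$(mktemp -d)
    make_ca "$d" ca "/CN=CAcert"
    make_ca "$d" otherca "/CN=Some other CA"
    make_server_cert "$d" ca utility.xyz.org
    echo "server cert issued by CAcert:     $(issued_by "$d/server.pem" "$d/ca.pem")"
    echo "client trusts CAcert:             $(chain_status "$d/ca.pem" "$d/server.pem" utility.xyz.org)"
    echo "client trusts a different CA:     $(chain_status "$d/otherca.pem" "$d/server.pem")"
    echo "client connected as test.xyz.org: $(chain_status "$d/ca.pem" "$d/server.pem" test.xyz.org)"
    rm -rf "$d"
}

demo
```

The "unknown_ca" line is the condition behind -12195: the client holds a CA certificate, but not the one that signed Server-Cert. The NSS-side equivalent of chain_status on the server is `certutil -V -n Server-Cert -u V -d .` in the alias directory, which reports whether Server-Cert validates as an SSL server certificate against the CA in that database; if that passes but the client still rejects the chain, the CA file copied to the client is the thing to compare against the server's issuer (issued_by above). One caveat worth checking on the import side: certutil -A reads DER unless -a is given, so an ASCII (PEM) cacert.asc should be imported with -a.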

More information about the Fedora-directory-users mailing list