[Fedora-directory-users] Peer does not recognize and trust the CA that issued your certificate.
Randall Svancara
rsvancara at wsu.edu
Tue Aug 7 22:45:32 UTC 2007
To all,
I am having problems configuring TLS on FDS. I have followed the
following tutorials for setting up keys. I have tried both openssl and
certutil without any luck. I have TLS working on openldap, and I have
to admit it seemed easier than FDS.
I have been using the following document:
http://directory.fedoraproject.org/wiki/Howto:SSL
When I connect my Solaris client, I see error log messages in FDS:
PR_Recv for connection 71 returns -12195 (Peer does not recognize and
trust the CA that issued your certificate.)
My Fedora Directory Server is located on a server named utility.xyz.org.
My client, which is Solaris 10, is located at test.xyz.org.
I have been creating the certificate using the following commands:
1. Open directory:
cd serverRoot/alias
2. Create password file:
vi pwdfile.txt
3. Create noise file:
vi noise.txt
4. Create databases:
serverRoot/shared/bin/certutil -N -d . -f pwdfile.txt
5. Generate encryption key:
/serverRoot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
6. Generate self-signed certificate:
/serverRoot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
7. Generate server certificate:
/serverRoot/shared/bin/certutil -S -n "Server-Cert" -s "cn=utility.xyz.org" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
8. Copy the key3.db and cert8.db you created to the default databases created at Directory Server installation:
mv key3.db slapd-server-key3.db
mv cert8.db slapd-server-cert8.db
ln -s slapd-server-key3.db key3.db
9. Run pk12util to convert the cert database to PKCS#12 format:
/serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert
So at this point, under the server tab in the FDS Console, I can see the CA certificate and I can see the Server-Cert. They all appear to be normal. I have enabled SSL for this server.
I have selected the Server-Cert. I have allowed client authentication. I have turned off hostname checking against the certificate for outbound SSL connections.
On Solaris 10 I have successfully configured authentication to LDAP without TLS. I enable TLS and import the cacert.asc:
certutil -N -d /var/ldap
certutil -A -n CAcert -d /var/ldap -t "TCu,Cu,Tuw" -i cacert.asc
certutil -L -d /var/ldap
Some other things I have done are to use ngrep to see if there is communication on port 389 from the client to the server. I have also looked at the Solaris logs. I hate how Solaris logs nothing.
The key shows up in the database, but the client cannot negotiate a tls:simple connection. Any ideas what I am doing wrong here?
Randall
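The error quoted in the post is the server-side record of an unknown_ca TLS alert: the peer (here the Solaris client) received Server-Cert, could not build a trusted chain from it to anything in /var/ldap, and aborted the handshake. The thing to verify, before touching trust flags again, is that the cacert.asc imported on the client really is the issuer of Server-Cert and not merely a certificate with the same subject name. The following script is an added example, not code from the post or from the Fedora Directory Server project; it rebuilds the same CA/server relationship with openssl (so it runs without NSS), then shows the difference between the weak "issuer DN matches" check that a `certutil -L` listing gives you and the real "chain verifies" check the client performs. The names utility.xyz.org and CAcert come from the post; the file names, function names and the deliberately wrong CA (same DN, different key, standing in for a cacert.asc exported from a re-created or different NSS database) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates why a client can
# "see" the CA yet still reject the server certificate with an unknown_ca alert.

# Build a CA, a server cert signed by it, and an unrelated CA that has the
# *same* subject DN (an assumed stand-in for a cacert.asc exported from the
# wrong NSS database). Days are used here; certutil's -v 120 is months.
make_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=CAcert" -days 120 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=utility.xyz.org" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 120 -out "$dir/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=CAcert" -days 120 \
        -keyout "$dir/wrong-ca.key" -out "$dir/wrong-ca.pem" 2>/dev/null
}

# Weak check: does the CA's subject DN equal the server cert's issuer DN?
# This is all that a nickname or DN listing tells you, and it is satisfied by
# any CA that happens to carry the same name.
issuer_dn_matches() {
    ca_file=$1; cert_file=$2
    [ "$(openssl x509 -noout -subject_hash -in "$ca_file")" = \
      "$(openssl x509 -noout -issuer_hash -in "$cert_file")" ]
}

# Real check: does the server certificate chain to this CA, i.e. does the CA's
# key actually verify its signature? This is what the client does during the
# handshake; a failure here is what produces the unknown_ca alert that the
# server logs as -12195.
chain_ok() {
    ca_file=$1; cert_file=$2
    openssl verify -CAfile "$ca_file" "$cert_file" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    make_pki "$work"
    for name in ca wrong-ca; do
        if issuer_dn_matches "$work/$name.pem" "$work/server.pem"; then dn=same; else dn=different; fi
        if chain_ok "$work/$name.pem" "$work/server.pem"; then chain=OK; else chain=FAIL; fi
        echo "$name.pem: issuer DN $dn, chain $chain"
    done
    rm -rf "$work"
}

demo

# The equivalent checks against the real NSS databases from the post (paths
# are the post's; the commands are standard NSS certutil / OpenSSL options):
#   export the CA the server actually used:
#     certutil -L -d serverRoot/alias -n "CA certificate" -a > cacert.asc
#   confirm Server-Cert validates as an SSL server cert in the server DB:
#     certutil -V -d serverRoot/alias -n Server-Cert -u V
#   confirm the exported CA verifies what the server presents on the wire:
#     openssl s_client -connect utility.xyz.org:636 -CAfile cacert.asc
```

Running the script prints one line per CA: ca.pem matches by DN and the chain is OK, while wrong-ca.pem also matches by DN but the chain fails, which is exactly the situation a client is in when the wrong cacert.asc was imported. The s_client line at the end is the quickest way to settle which side is at fault on the live systems: if it reports a verify error against the file that was imported on Solaris, the client is right to reject the connection and the fix is on the export side, not in the trust flags.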