[Freeipa-users] certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0
dont at killbrad.com
Tue Jan 11 15:54:51 UTC 2011
Hi all,
It seems something broke somewhere along the lines when I was trying to
set up Windows Sync. Please take a look at the following outputs. I can
connect both directions manually via SSL, but the actual ipa-replica-manage
script seems to be pulling certs from somewhere else. The current sync
between ipaserver-01 & ipaserver-02 is working fine. If anyone has any
suggestions, I would be open to them. Thanks!
example.local = active directory domain
example.com = ipa realm
-----
[root@ipaserver-01 ~]# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
DigiCertCA                                                   CT,,C
AD CA cert                                                   CT,,C
ipaserver-01                                                 u,u,u
#-----
# everything looks right
#-----
[root@ipaserver-01 ~]#
[root@ipaserver-01 ~]# /usr/lib64/mozldap/ldapsearch -h adserver-01.example.local -p 636 -Z -P /etc/dirsrv/slapd-EXAMPLE-COM/cert8.db -D "passsync@example.local" -w 'notrealpassword' -s base -b "" "objectclass=*"
version: 1
dn:
currentTime: 20110111153848.0Z
...
...
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
...
...
dnsHostName: adserver-01.example.local
ldapServiceName: example.local:adserver-01$@example.local
...
...
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 3
forestFunctionality: 3
domainControllerFunctionality: 3
[root@ipaserver-01 ~]#
#-----
# good valid results for the query [reduced for clarity]
#-----
[root@ipaserver-01 ~]# ipa-replica-manage list
Directory Manager password:
unexpected error: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
[root@ipaserver-01 ~]#
#-----
# welp, it looks like something is broken somewhere..
#-----