Tuesday, April 5, 2016

[389-users] Re: admin and Directory Manager accounts cannot log into 389-console

>
> ///////////
> As you suggested, I looked into the /var/log/dirsrv/slapd-E2WAN/errors file, I
> decided to purposely restart the whole server and at the very bottom, I found
> the following:
> [05/Apr/2016:15:43:01 -0400] - Information: Non-Secure Port Disabled
> [05/Apr/2016:15:43:01 -0400] - SSL alert: CERT_VerifyCertificateNow: verify
> certificate failed for cert wsf-LabLDAP.crt of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's
> Certificate has expired.)
> [05/Apr/2016:15:43:01 -0400] - 389-Directory/1.2.11.15 B2014.314.1342 starting
> up
> [05/Apr/2016:15:43:02 -0400] - slapd started.  Listening on All Interfaces port
> 636 for LDAPS requests
>
> What draws my attention is the second line of output, SSL alert:
> CERT_VerifyCertificateNow etc... etc... etc...  I would like to update the
> certificate, because I did generate a new CA-signed certificate with the same
> name wsf-LabLDAP.crt; and I did copy it into the same folder that the original
> 'expired' certificate was stored in.

Do you have the CA certificate in your /etc/dirsrv/slapd-<instance>/ nssdb? You
should be able to see it with certutil, and the trust flags CT. Try:

certutil -L -d /etc/dirsrv/slapd-<instance>/
Do you have a CA referenced in /etc/openldap/ldap.conf as well? That CA location
will need the CA certificate too.

What distro and version are you running (e.g. RHEL7)?

I think this is an SSL issue at this point, not a password one. The password
parts all looked fine to me. 

>
> [05/Apr/2016:15:46:52 -0400] conn=8 fd=64 slot=64 SSL connection from
> 192.168.2.243 to 192.168.2.243
> [05/Apr/2016:15:46:52 -0400] conn=8 op=-1 fd=64 closed - SSL peer cannot verify
> your certificate.

>
> I hope I provided proper and full details for your questions.  I don't mind
> sharing clear text passwords, the real system is not reachable from the
> internet, and I am having this problem also in my virtual lab (where the data
> from above is copy/pasted).

I don't think we'll need these. 
--
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
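An added example, not part of the thread or of 389-ds, that performs the two checks the reply asks for offline: it parses a constructed `certutil -L` listing for a CA carrying `CT` trust in the SSL column and parses constructed validity blocks for expired certificates. The nicknames `Lab CA`, the dates and the listing text are all constructed; only `wsf-LabLDAP.crt` and the log timestamp come from the thread.

```python
import re
from datetime import datetime

# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-<instance>/` output.
LISTING = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

wsf-LabLDAP.crt                                 u,u,u
Lab CA                                          ,,
"""
# Constructed validity blocks as printed by `certutil -L -d <dir> -n <nickname>`.
DETAILS = {
    "wsf-LabLDAP.crt": "        Validity:\n"
                       "            Not Before: Mon Apr 06 14:00:00 2015\n"
                       "            Not After : Tue Apr 05 14:00:00 2016\n",
    "Lab CA": "            Not After : Fri Apr 06 14:00:00 2018\n",
}
# Timestamp of the "Certificate has expired" alert in the errors log above.
LOG_TIME = datetime(2016, 4, 5, 15, 43, 1)
# nickname, whitespace, then the SSL,S/MIME,JAR trust triple (NSS flag letters).
TRUST_LINE = re.compile(r"^(\S.*?)\s+([cCTpPuw]*,[cCTpPuw]*,[cCTpPuw]*)\s*$")

def parse_listing(text):
    """Map nickname -> SSL trust flags (first field of the trust triple)."""
    out = {}
    for line in text.splitlines():
        m = TRUST_LINE.match(line)
        if m:
            out[m.group(1)] = m.group(2).split(",")[0]
    return out

def parse_not_after(detail):
    """Return the 'Not After' date from a certutil validity block."""
    m = re.search(r"Not After\s*:\s*(.+)", detail)
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")

def audit(listing, details, now):
    """List the problems certutil output reveals: no CT-trusted CA, expired certs."""
    findings = []
    flags = parse_listing(listing)
    # A CA that can validate the server cert needs C and T in the SSL column.
    if not any("C" in f and "T" in f for f in flags.values()):
        findings.append("no CA with CT trust in the SSL column")
    for nick, detail in details.items():
        if parse_not_after(detail) < now:
            findings.append(f"{nick} expired")
    return findings

if __name__ == "__main__":
    print(audit(LISTING, DETAILS, LOG_TIME))
```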
