Tuesday, April 12, 2016

[389-users] Re: Create 389 directory server secure connections

On Tue, 2016-04-12 at 01:32 +0000, xinhuan zheng wrote:
> Hello Mr. Brown,

> TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)'
> certPrefix='' keyPrefix='' flags=readOnly
> TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11
> error.
> TLS: certificate [CN=CAcert] is not valid - error -8172:Peer's certificate
> issuer has been marked as not trusted by the user..
> TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
> TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked
> as not trusted by the user..

> [11/Apr/2016:21:14:18 -0400] conn=28 fd=64 slot=64 SSL connection from
> to
> [11/Apr/2016:21:14:18 -0400] conn=28 op=-1 fd=64 closed - Peer does not
> recognize and trust the CA that issued your certificate.

> I think I'll need to delete all certificates then re-create them all from
> scratch. One thing I am not sure is the certificate flags, in setupssl2.sh. For
> "CA certificate" the flag is "CT,,", while for server certificate, it is
> "u,u,u", is it correct?

The issue is that you do not have your CA cert in /etc/openldap/certs.

I helped with this same issue in the subject titled:

[389-users] Re: admin and Directory Manager accounts cannot log into 389-console

The answer I gave there:

So you should take the current CA cert from the slapd instance:

certutil -L -d /etc/dirsrv/slapd-E2WAN/ -n wsf-LabCA.lab.aero.org -a >

Then you can make these valid for openldap to use:

cd /etc/openldap/cacerts

This will recreate the hash -> cert symlinks.

From there, re-run your ldap search command:

 ldapsearch -d 5 -x -L -b 'dc=lab,dc=aero,dc=org'

You will need to adjust these commands to match your instances, the CA certs, and
your openldap/certs location. Otherwise, that should fix the issue.


William Brown
Software Engineer
Red Hat, Brisbane

No comments:

Post a Comment