I believe that should all be ok. It's using the same key/cert as the DS although I've also tried different keys/certs. There is an intermediate cert in the chain, but in Manage Certs in both DS and admin server the trust chain seems to appear ok.
I can contact the admin server over https, it's just when I change the config DS to secure, and it updates the ldapurl in adm.conf that it subsequently fails.
Some more info in case it helps shed some light... If I attempt to update the User DS in the console then the update fails to apply. But if I use ldapmodify to manually update the directoryURL, then that seems to work ok over SSL. The issue seems to be limited to the config DS only as far as I can tell.
Admin server key/certs below.
[root@ldap admin-serv]# certutil -d . -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa 629b29a5d48bb157af44d40edf6b7b27d9fe6c2a ldap.example.com
[root@ldap admin-serv]#
[root@ldap admin-serv]# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
root-ca CT,,
ca-cert CT,,
ldap.example.com CTu,u,u
Is there anything in particular about the config DS that would require some specific certificate extensions or anything like that? It seems peculiar that only that portion seems to be failing, unless I'm mistaken in what I'm seeing.
Thanks again for your help.
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
No comments:
Post a Comment