[Fedora-directory-users] Back in SSL hell again!
Glenn
glenn at mail.txwes.edu
Tue Jan 16 20:00:17 UTC 2007
So I'm just about to finish getting Windows Sync working between RH Directory
Server 7.1SP3 and Active Directory. The latest error message in the passsync
log says "insufficient access", so I create an ACI that gives the replication
manager access to everything, just to see if it will work. Nope. So I
think, maybe I have to restart the Directory Server. And then it fails to
restart, logging the error message:
SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert
server-cert of family cn=RSA,cn=encryption,cn=cconfig (Netscape Portable
Runtime error -8181 - Peer's Certificate has expired.)
Yeah, right. Here's a copy of the certificate:
[root at ourserver alias]# ./certutil -L -d ./ -n server-cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
16:43:78:57:00:00:00:00:00:0e
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer:
"CN=OURCA,DC=ad,DC=ourshop,DC=edu"
Validity:
Not Before: Tue Nov 14 22:50:17 2006
Not After : Thu Nov 13 22:50:17 2008
...
Now, I'll grant you that this little synchronization exercise FEELS like it
has gone on for more than two years, but according to the certificate, it has
taken barely two months so far, leaving the certificate good for another 22
months. Once again, the SSL error message seems to have little to do with
reality.
I just restarted the server three hours earlier, and it worked fine then.
Can anyone suggest what I might try now? Thanks. -Glenn.
More information about the Fedora-directory-users
mailing list