[Fedora-directory-users] Back in SSL hell again!

Glenn glenn at mail.txwes.edu
Tue Jan 16 21:09:49 UTC 2007 

> Is it possible it is complaining about the CA cert?

Ahem.  No, after all, it did name the certificate it was complaining about.  
But I figured out what the problem was.  Sometime this morning it became 
apparent that having the clocks synchronized on the AD and DS servers would 
make it easier to read the logs, so I used the "date" command to change the 
time.  I still find it difficult to understand some of the command manuals, 
and, assuming it was necessary to include the century and year as well as the 
date and time in the command, I accidentally put in 2006 instead of 2007.  
But, you know, if the error message had said, "your certificate is not valid 
yet" or even, "check the date, twit", I might have resolved this more 
quickly.  Then again, maybe not. :)  Thanks again.   -Glenn.

---------- Original Message -----------
From: Richard Megginson <rmeggins at redhat.com>
To: "General discussion list for the Fedora Directory server project." 
<fedora-directory-users at redhat.com>
Sent: Tue, 16 Jan 2007 13:12:21 -0700
Subject: Re: [Fedora-directory-users] Back in SSL hell again!

> Glenn wrote:
> > So I'm just about to finish getting Windows Sync working between RH 
Directory 
> > Server 7.1SP3 and Active Directory.  The latest error message in the 
passsync 
> > log says "insufficient access", so I create an ACI that gives the 
replication 
> > manager access to everything, just to see if it will work.  Nope.  So I 
> > think, maybe I have to restart the Directory Server.  And then it fails 
to 
> > restart, logging the error message:
> >
> > SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert 
> > server-cert of family cn=RSA,cn=encryption,cn=cconfig (Netscape Portable 
> > Runtime error -8181 - Peer's Certificate has expired.)
> >   
> Is it possible it is complaining about the CA cert?
> > Yeah, right.  Here's a copy of the certificate:
> >
> > [root at ourserver alias]# ./certutil -L -d ./ -n server-cert
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number:
> >             16:43:78:57:00:00:00:00:00:0e
> >         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
> >         Issuer:
> >             "CN=OURCA,DC=ad,DC=ourshop,DC=edu"
> >         Validity:
> >             Not Before: Tue Nov 14 22:50:17 2006
> >             Not After : Thu Nov 13 22:50:17 2008
> > ...
> >  
> > Now, I'll grant you that this little synchronization exercise FEELS like 
it 
> > has gone on for more than two years, but according to the certificate, it 
has 
> > taken barely two months so far, leaving the certificate good for another 
22 
> > months.  Once again, the SSL error message seems to have little to do 
with 
> > reality.
> >
> > I just restarted the server three hours earlier, and it worked fine 
then.  
> > Can anyone suggest what I might try now?  Thanks.   -Glenn.
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
------- End of Original Message -------

More information about the Fedora-directory-users mailing list