[Fedora-directory-users] Back in SSL hell again!
Richard Megginson
rmeggins at redhat.com
Tue Jan 16 23:02:50 UTC 2007
Glenn wrote:
>> Is it possible it is complaining about the CA cert?
>>
>
> Ahem. No, after all, it did name the certificate it was complaining about.
> But I figured out what the problem was. Sometime this morning it became
> apparent that having the clocks synchronized on the AD and DS servers would
> make it easier to read the logs, so I used the "date" command to change the
> time. I still find it difficult to understand some of the command manuals,
> and, assuming it was necessary to include the century and year as well as the
> date and time in the command, I accidentally put in 2006 instead of 2007.
> But, you know, if the error message had said, "your certificate is not valid
> yet" or even, "check the date, twit", I might have resolved this more
> quickly. Then again, maybe not. :) Thanks again. -Glenn.
>
If you think that's bad, try to have a Kerberos environment where one or
more clocks are out of sync, and try to interpret those error messages :P
> ---------- Original Message -----------
> From: Richard Megginson <rmeggins at redhat.com>
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users at redhat.com>
> Sent: Tue, 16 Jan 2007 13:12:21 -0700
> Subject: Re: [Fedora-directory-users] Back in SSL hell again!
>
>
>> Glenn wrote:
>>
>>> So I'm just about to finish getting Windows Sync working between RH Directory
>>> Server 7.1SP3 and Active Directory. The latest error message in the passsync
>>> log says "insufficient access", so I create an ACI that gives the replication
>>> manager access to everything, just to see if it will work. Nope. So I
>>> think, maybe I have to restart the Directory Server. And then it fails to
>>> restart, logging the error message:
>>>
>>> SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert
>>> server-cert of family cn=RSA,cn=encryption,cn=cconfig (Netscape Portable
>>> Runtime error -8181 - Peer's Certificate has expired.)
>>>
>>>
>> Is it possible it is complaining about the CA cert?
>>
>>> Yeah, right. Here's a copy of the certificate:
>>>
>>> [root at ourserver alias]# ./certutil -L -d ./ -n server-cert
>>> Certificate:
>>> Data:
>>> Version: 3 (0x2)
>>> Serial Number:
>>> 16:43:78:57:00:00:00:00:00:0e
>>> Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>>> Issuer:
>>> "CN=OURCA,DC=ad,DC=ourshop,DC=edu"
>>> Validity:
>>> Not Before: Tue Nov 14 22:50:17 2006
>>> Not After : Thu Nov 13 22:50:17 2008
>>> ...
>>>
>>> Now, I'll grant you that this little synchronization exercise FEELS like it
>>> has gone on for more than two years, but according to the certificate, it has
>>> taken barely two months so far, leaving the certificate good for another 22
>>> months. Once again, the SSL error message seems to have little to do with
>>> reality.
>>>
>>> I just restarted the server three hours earlier, and it worked fine then.
>>>
>>> Can anyone suggest what I might try now? Thanks. -Glenn.
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
> ------- End of Original Message -------
>
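A check of the kind Glenn's situation calls for, added here and not part of the thread: it parses the Validity lines from the certutil -L output quoted above and reports whether a given clock is before, inside or after the window, so a clock set backwards shows up as "not yet valid" instead of the misleading "expired" that NSS reported. The sample text and the two clock values are constructed from the dates in the thread.

```python
"""Compare a certificate's validity window against a given clock."""
import re
from datetime import datetime

# certutil -L prints validity in ctime style, e.g. "Tue Nov 14 22:50:17 2006".
CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"

# Constructed sample: the Validity block quoted in the thread.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Validity:
            Not Before: Tue Nov 14 22:50:17 2006
            Not After : Thu Nov 13 22:50:17 2008
"""

# Constructed clocks: the poster's mistyped date (2006) and the real one (2007).
SAMPLE_WRONG_CLOCK = datetime(2006, 1, 16, 13, 0, 0)
SAMPLE_RIGHT_CLOCK = datetime(2007, 1, 16, 13, 0, 0)


def parse_validity(certutil_output):
    """Return (not_before, not_after) datetimes from certutil -L text."""
    m = re.search(r"Not Before:\s*(.+?)\s*\n\s*Not After\s*:\s*(.+?)\s*\n",
                  certutil_output)
    if not m:
        raise ValueError("no Validity block found in certutil output")
    return (datetime.strptime(m.group(1), CERTUTIL_TIME),
            datetime.strptime(m.group(2), CERTUTIL_TIME))


def check_validity(certutil_output, now):
    """Return 'not_yet_valid', 'valid' or 'expired' for the clock `now`.

    'not_yet_valid' on a certificate that worked a few hours ago almost
    always means the local clock moved backwards, not that the cert is bad.
    """
    not_before, not_after = parse_validity(certutil_output)
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


if __name__ == "__main__":
    for label, clock in (("wrong", SAMPLE_WRONG_CLOCK), ("right", SAMPLE_RIGHT_CLOCK)):
        print(label, clock.isoformat(), check_validity(SAMPLE_CERTUTIL_OUTPUT, clock))
```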