On 13/02/2017 10:01, Lukz Ferris wrote:
> This error suggests a problem with your certificate. If it used to work
> previously, then check it hasn't expired.
>
> openssl s_client -connect devsamba.lucas.ufes.br:636
>
> copy-paste the certificate into a pem file, including begin/end lines
>
> openssl x509 -in mycert.pem -noout -enddate
>
> And check your root CA cert hasn't expired:
>
> openssl x509 -in /usr/local/samba/private/tls/cert.pem -noout -enddate
>
> I did the first command and I got this:
>
> openssl s_client -connect devsamba.lucas.ufes.br:636
> socket: Connection refused
> connect:errno=111

Then your server is not even listening on the ldaps port, or port 636 is
being blocked. If this worked in the past, then probably something has
changed in your config.

To check whether it's a firewall problem, on the server itself check for
listening processes:

# netstat -natp | grep LISTEN

If no process is listening on port 636, then that's where your problem
is. Go check logs etc. to see why the LDAP server isn't listening.

If there *is* a process listening on port 636 (and it's not bound to a
local interface like 127.0.0.1 or ::1) then check what's blocking the
traffic in between your client and server - e.g. iptables rules.

> Then I copy-paste the certificate and got this:

What certificate did you copy-paste?? The purpose of the "openssl s_client
-connect x.x.x.x:636" command was to connect and find out what
certificate the server was sending to you. But you didn't establish the
connection, so there was no certificate to check.

Regards,
Brian.
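
Added example, not part of the original message: a small shell function that applies the three-way check described above (nothing listening on 636, listening only on a loopback address, or listening on a reachable address) to `netstat -natp` output. The function name and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `netstat -natp` style text on stdin and reports the
# state of one TCP port: not-listening, loopback-only, or listening.
# Live use on the server:  netstat -natp | classify_listener 636
classify_listener() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last ":" field
            if (parts[n] != port) next         # 6360 must not match 636
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "::1") loopback = 1
            else reachable = 1
        }
        END {
            if (reachable)     print "listening"
            else if (loopback) print "loopback-only"
            else               print "not-listening"
        }'
}

# Constructed sample outputs (documentation addresses, not from the thread).
# Case 1: no listener on 636; an outbound connection *to* 636 must not count.
SAMPLE_NONE='tcp   0  0 0.0.0.0:22        0.0.0.0:*        LISTEN       812/sshd
tcp   0  0 0.0.0.0:6360      0.0.0.0:*        LISTEN       900/other
tcp   0  0 192.0.2.5:51234   192.0.2.9:636    ESTABLISHED  2001/ldapsearch'

# Case 2: listener exists but is bound to loopback only (IPv4 and IPv6).
SAMPLE_LOOPBACK='tcp   0  0 127.0.0.1:636     0.0.0.0:*        LISTEN       1444/samba
tcp6  0  0 ::1:636           :::*             LISTEN       1444/samba'

# Case 3: listener on all interfaces; if clients still get "Connection
# refused", look at what sits between client and server (e.g. iptables).
SAMPLE_OPEN='tcp   0  0 0.0.0.0:636       0.0.0.0:*        LISTEN       1444/samba
tcp6  0  0 :::636            :::*             LISTEN       1444/samba'

for sample in "$SAMPLE_NONE" "$SAMPLE_LOOPBACK" "$SAMPLE_OPEN"; do
    printf '%s\n' "$sample" | classify_listener 636
done
```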