I want my Linux box logging in using LDAP on SSL with a self-signed certificate. I read a lot of documents, but I can't get over a problem.

I created my own CA on my LDAP server and I'm signing my certificates. Then I requested a certificate for my client using the Fedora Directory browser, "manage certificates" option. I signed it with my CA and then I put it on my client. I installed my CA in DS using the GUI.

My DS seems to recognize my certificate now. In fact, it doesn't tell me anymore that it doesn't recognize the peer. It seems to go on the server side. I increased the log level on the client and now I can see these messages:

    TLS certificate verification: Error, self signed certificate in certificate chain
    TLS certificate verification: Error, invalid CA certificate
    TLS certificate verification: Error, unsupported certificate purpose
    TLS: unable to get peer certificate.
    request done: ld 0x83f2ee0 msgid 1

I don't know what it is, and I want to tell you I used the howto on the Fedora Directory Server site for making and importing the self-signed certificate, but maybe I don't understand something...

Can anyone help me with this, please?

Thanks in advance.
Paolo
I've written a guide to get LDAPS working with self-signed certificates which shows all the steps involved, from certificate creation to LDAPS, from A to Z. The guide is located here:

http://www.csse.uwa.edu.au/~ashley/

Hope that helps.

Regards,
Ashley

On Mon, 16 Apr 2007, Paolo Ercolani wrote:
> I want my linux box logging in using ldap on ssl with self-signed
> certificate. I read a lot of documents, but i can't get over a problem.
> [...]
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley

"There is no such thing as Fate, Fate is what you make of it!"
I get no reply, via ping or browser, from that address.

Cheers,

Greg Copeland

> -----Original Message-----
> From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of ashley
> Sent: Monday, April 16, 2007 10:11 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] ldap and certificate
>
> I've written a guide to get the LDAPS working with self signed
> certificates which show all the steps involved from certificate creation
> to LDAPS from a to z.
>
> The guide you find is located here
>
> http://www.csse.uwa.edu.au/~ashley/
Sorry, our optic fibre link was down, so even though our server was up you couldn't get to it.

Well, our link is back up, so it should be there.

Cheers then,
Ashley

On Tue, 17 Apr 2007, Greg Copeland wrote:
> I get no reply, via ping or browser, from that address.
> [...]

--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley

"There is no such thing as Fate, Fate is what you make of it!"
I'm walking through http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html. I have attempted it several times and each time it fails in the exact same place. I get:

    pk12util-bin: PKCS12 decode import bags failed: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

It fails for the same reason every time. I can get only one of the two certificates imported into each of the two databases. Each time, I can only import the "DS-Server-Cert". The other fails as above. I can confirm the DS-Server-Cert has been added via the GUI interface.

    [root@host fedora-ds]# /opt/fedora-ds/shared/bin/pk12util -i /tmp/ldap/server.p12 -d alias -P admin-serv-host-
    Enter Password or Pin for "NSS Certificate DB":
    Enter Password or Pin for "NSS Certificate DB":
    Enter password for PKCS12 file:
    pk12util-bin: PKCS12 IMPORT SUCCESSFUL
    [root@host fedora-ds]# /opt/fedora-ds/shared/bin/pk12util -i /tmp/admingui/server.p12 -d alias -P admin-serv-host-
    Enter Password or Pin for "NSS Certificate DB":
    Enter password for PKCS12 file:
    pk12util-bin: PKCS12 decode import bags failed: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

Cheers,

Greg Copeland

> -----Original Message-----
> From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of ashley
> Sent: Tuesday, April 17, 2007 11:53 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: RE: [Fedora-directory-users] ldap and certificate
>
> Sorry our optic fibre link was down. So hence even though our server was
> up you can't get to it.
>
> Well our link is back up, so it should be there.
>
> Cheers then, Ashley
>
> On Tue, 17 Apr 2007, Greg Copeland wrote:
> > I get no reply, via ping or browser, from that address.
> > [...]