Hi everybody,

If you remember me, I've got some problem with SSL in my sync agreement:

https://www.redhat.com/archives/fedora-directory-users/2008-September/msg00000.html
https://www.redhat.com/archives/fedora-directory-users/2008-September/msg00024.html

I think I have found what's wrong in my SSL set up.
I tried this command to verify if SSL is enabled in FDS:

ldapsearch -x -ZZ '(uid=testuser)'

I checked the access log, and I've got this message:

EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
RESULT err=0 tag=120 nentries=0 etime=0
DISCONNECT fd=67 closed - Peer does not recognize and trust the CA that issued your certific...

As I said before, I set up SSL using the second script from the FDS wiki page. So my question is what can I do now:
- Can I fix this?
- Should I do a full set up of SSL?

Thanks
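The close reason above is NSS reporting an unknown_ca alert from the peer: the ldapsearch client did not trust the CA that issued the server's certificate, so the handshake died after the server had already answered the startTLS extended operation with err=0. As an added example (not code from the thread or from FDS), the script below does what Steve did by hand over the access log: it correlates startTLS requests with each connection's close reason and flags handshake failures. The log lines are constructed samples in the standard access-log format (the conn=/op= prefixes are assumed, since the thread quotes only the message parts), and the hint mapping is this example's own.

```python
import re

# Constructed sample access-log lines in the standard FDS/389-DS format; the
# conn=/op= prefixes are assumed since the thread only quotes the message parts.
SAMPLE_LOG = """\
[12/Sep/2008:08:44:01 +0000] conn=67 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[12/Sep/2008:08:44:01 +0000] conn=67 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[12/Sep/2008:08:44:01 +0000] conn=67 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
[12/Sep/2008:08:45:10 +0000] conn=68 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[12/Sep/2008:08:45:10 +0000] conn=68 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[12/Sep/2008:08:45:10 +0000] conn=68 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
[12/Sep/2008:08:45:10 +0000] conn=68 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[12/Sep/2008:08:45:11 +0000] conn=68 op=2 fd=68 closed - U1
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
CONN_RE = re.compile(r"\bconn=(\d+)\b")
CLOSED_RE = re.compile(r"\bconn=(\d+) op=-?\d+ fd=\d+ closed - (.*)$")

# NSS alert text the server logs on a failed handshake, mapped to which side
# rejected what (an assumed hint for this example, not from the thread).
HANDSHAKE_HINTS = {
    "Peer does not recognize and trust the CA":
        "the client rejected the server certificate: its issuing CA is not in "
        "the client's trust store (e.g. TLS_CACERT in ldap.conf)",
}
DEFAULT_HINT = "TLS layer error; check the server error log for the NSS code"


def find_failed_starttls(log_text):
    """Return {conn_id: (close_reason, hint)} for connections that requested startTLS and then died in the handshake."""
    starttls_conns = set()
    failures = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn = m.group(1)
        if f'EXT oid="{STARTTLS_OID}"' in line:  # client asked for startTLS on this connection
            starttls_conns.add(conn)
            continue
        c = CLOSED_RE.search(line)
        if not c or c.group(1) not in starttls_conns:
            continue
        reason = c.group(2).strip()
        if re.fullmatch(r"[A-Z]\d", reason):  # short close codes such as U1 (unbind) are normal
            continue
        hint = next((h for k, h in HANDSHAKE_HINTS.items() if reason.startswith(k)), DEFAULT_HINT)
        failures[conn] = (reason, hint)
    return failures
```

Run it against the real access log with `find_failed_starttls(open(path).read())`; a connection that appears in the result never got past the TLS handshake, so any later BIND or SRCH failures belong to other connections.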
Ryan Braun [ADS]
2008-Sep-12 14:03 UTC
Re: [Fedora-directory-users] CA certificate trouble
On Friday 12 September 2008 08:44, steve nguyen wrote:
> So my question is what can I do now:
> - Can I fix this?
> - Should I do a full set up of SSL?

I've been working on an all-in-one SSL management perl script for FDS. It's been working over here but I'm sure there are some quirks in it.

Make sure you edit /etc/fdstools/ssl.conf to point to your correct SEC_DIR and INSTANCE values. Then just move out your old $SEC_DIR/cert8.db, key3.db and secmod.db files to some backup directory and run fdssl.pl -h or -e for examples on how to use it.

Let me know how it works for you.

Ryan
Thank you, I will try it Monday at work, and I will give you some feedback!

Steve
Hi,

I tried your script after doing all the things you suggest, and I got this error message after running the script:

Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: /usr/lib/perl5/5.10.0/i386-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl .) at ./fdsssl.pl line 9.
BEGIN failed--compilation aborted at ./fdsssl.pl line 9.

Do you have an idea what's wrong? Should I edit a conf file or install a package to correct this?

Thanks