I just installed a new ssl certificate using pk12util. I restarted my dirsrv, and picked the new cert in the dropdown menu under the encryption tab. I restarted dirsrv to make it take affect. When I did this, I found that the root certificate was not in redhats/openssls ca-bundle. I tried importing the intermediate certificate, and I think I just made the problem worse. right now im getting the following. SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert rhds.example.com - Comodo CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer''s Certificate issuer is not recognized.) [08/Jul/2009:14:18:04 -0400] - SSL failure: None of the cipher are valid Now my directory is down completely. How can I get it to start up without SSL so that I can fix the problem?
Ryan Braun [ADS]
2009-Jul-08 18:50 UTC
Re: [389-users] Recover after installing a bad cert.
On July 8, 2009 06:19:55 pm Dumbo Q wrote:> I just installed a new ssl certificate using pk12util. I restarted my > dirsrv, and picked the new cert in the dropdown menu under the encryption > tab. I restarted dirsrv to make it take affect. When I did this, I found > that the root certificate was not in redhats/openssls ca-bundle. I tried > importing the intermediate certificate, and I think I just made the problem > worse. > > right now im getting the following. > SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert > rhds.example.com - Comodo CA Limited of family > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - > Peer''s Certificate issuer is not recognized.) [08/Jul/2009:14:18:04 -0400] > - SSL failure: None of the cipher are valid > > > Now my directory is down completely. How can I get it to start up without > SSL so that I can fix the problem?Make sure you backup /etc/dirsrv/INSTANCE/dse.ldif then edit that file and look for nsslapd-security: on change to nsslapd-security: off save file, restart service and ssl should be turned off. Keep in mind whatever caused the ssl config to puke in the first place is still there :) Ryan
Dumbo Q wrote:> I just installed a new ssl certificate using pk12util. I restarted my > dirsrv, and picked the new cert in the dropdown menu under the > encryption tab. I restarted dirsrv to make it take affect. When I > did this, I found that the root certificate was not in > redhats/openssls ca-bundle. I tried importing the intermediate > certificate, and I think I just made the problem worse. > > right now im getting the following. > SSL alert: CERT_VerifyCertificateNow: verify certificate failed for > cert rhds.example.com - Comodo CA Limited of family > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 > - Peer''s Certificate issuer is not recognized.) > [08/Jul/2009:14:18:04 -0400] - SSL failure: None of the cipher are valid > > > Now my directory is down completely. How can I get it to start up > without SSL so that I can fix the problem?The default list of approved root CAs are in a shared library called libnssckbi.so - try this cd /etc/dirsrv/slapd-yourinstance ln -s /usr/lib/libnssckbi.so> > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
Thanks that did it.
I just can''t seem to get this certificate working. Here is the most
recent way that i have tried.
cat bundle.crt >> new.crt ## bundle, being the chain certificates
provided by the CA
cat rhds.crt >> new.crt ## rhds being the actual cert provided by the
CA
openssl verify new.crt ## turned out OK
openssl pkcs12 -export -in new.crt -inkey rhds.example.com.key -out
rhds.example.com-PSSL.p12
pk12util -i /root/certs/rhds.example.com-PSSL.p12 -d .
certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
rhds.example.com - Comodo CA Limited u,u,u
PositiveSSL CA - The USERTRUST Network ,,
UTN-USERFirst-Hardware - AddTrust AB ,,
Still the same error when i try to use this cert. Am I doing something wrong?
________________________________
From: Ryan Braun [ADS] <ryan.braun@ec.gc.ca>
To: fedora-directory-users@redhat.com
Cc: Dumbo Q <dumboq@yahoo.com>
Sent: Wednesday, July 8, 2009 2:50:10 PM
Subject: Re: [389-users] Recover after installing a bad cert.
On July 8, 2009 06:19:55 pm Dumbo Q wrote:> I just installed a new ssl certificate using pk12util. I restarted my
> dirsrv, and picked the new cert in the dropdown menu under the encryption
> tab. I restarted dirsrv to make it take affect. When I did this, I found
> that the root certificate was not in redhats/openssls ca-bundle. I tried
> importing the intermediate certificate, and I think I just made the problem
> worse.
>
> right now im getting the following.
> SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert
> rhds.example.com - Comodo CA Limited of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
> Peer''s Certificate issuer is not recognized.)
[08/Jul/2009:14:18:04 -0400]
> - SSL failure: None of the cipher are valid
>
>
> Now my directory is down completely. How can I get it to start up without
> SSL so that I can fix the problem?
Make sure you backup /etc/dirsrv/INSTANCE/dse.ldif
then edit that file and look for
nsslapd-security: on
change to
nsslapd-security: off
save file, restart service and ssl should be turned off. Keep in mind
whatever caused the ssl config to puke in the first place is still there :)
Ryan
Of course, it would help if i trusted the intermediate cert.
certutil -M -t "CT,," -d . -n "UTN-USERFirst-Hardware - AddTrust
AB"
certutil -M -t "CT,," -d . -n "PositiveSSL CA - The USERTRUST
Network"
After doing this I tried an ldapsearch -H ldaps://....
ldapsearch worked with no problem.
My ldap client "Jxplorer" could not connect however. It complained
with the following..
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
Invalid Server Certificate: server certificate could not be verified, and the CA
certificate is missing from the certificate chain.
A partial success i guess.
________________________________
From: Dumbo Q <dumboq@yahoo.com>
To: Ryan Braun [ADS] <ryan.braun@ec.gc.ca>;
fedora-directory-users@redhat.com
Sent: Wednesday, July 8, 2009 4:57:49 PM
Subject: Re: [389-users] Recover after installing a bad cert.
Thanks that did it.
I just can''t seem to get this certificate working. Here is the most
recent way that i have tried.
cat bundle.crt >> new.crt ## bundle, being the chain certificates
provided by the CA
cat rhds.crt >> new.crt ## rhds being the actual cert provided by the
CA
openssl verify new.crt ## turned out OK
openssl pkcs12 -export -in new.crt -inkey rhds.example.com.key -out
rhds.example.com-PSSL.p12
pk12util -i /root/certs/rhds.example.com-PSSL.p12 -d .
certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
rhds.example.com - Comodo CA Limited u,u,u
PositiveSSL CA - The USERTRUST Network ,,
UTN-USERFirst-Hardware - AddTrust AB ,,
Still the same error when i try to use this cert. Am I doing something wrong?
________________________________
From: Ryan Braun [ADS] <ryan.braun@ec.gc.ca>
To: fedora-directory-users@redhat.com
Cc: Dumbo Q <dumboq@yahoo.com>
Sent: Wednesday, July 8, 2009 2:50:10 PM
Subject: Re: [389-users] Recover after installing a bad cert.
On July 8, 2009 06:19:55 pm Dumbo Q wrote:> I just installed a new ssl certificate using pk12util. I restarted my
> dirsrv, and picked the new cert in the dropdown menu under the encryption
> tab. I restarted dirsrv to make it take affect. When I did this, I found
> that the root certificate was not in redhats/openssls ca-bundle. I tried
> importing the intermediate certificate, and I think I just made the problem
> worse.
>
> right now im getting the following.
> SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert
> rhds.example.com - Comodo CA Limited of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
> Peer''s Certificate issuer is not recognized.)
[08/Jul/2009:14:18:04 -0400]
> - SSL failure: None of the cipher are valid
>
>
> Now my directory is down completely. How can I get it to start up without
> SSL so that I can fix the problem?
Make sure you backup /etc/dirsrv/INSTANCE/dse.ldif
then edit that file and look for
nsslapd-security: on
change to
nsslapd-security: off
save file, restart service and ssl should be turned off. Keep in mind
whatever caused the ssl config to puke in the first place is still there :)
Ryan
Dumbo Q wrote:> Of course, it would help if i trusted the intermediate cert. > certutil -M -t "CT,," -d . -n "UTN-USERFirst-Hardware - AddTrust AB" > certutil -M -t "CT,," -d . -n "PositiveSSL CA - The USERTRUST Network" > > > After doing this I tried an ldapsearch -H ldaps://.... > ldapsearch worked with no problem. > My ldap client "Jxplorer" could not connect however. It complained > with the following.. > javax.net.ssl.SSLHandshakeException: > java.security.cert.CertificateException: Invalid Server Certificate: > server certificate could not be verified, and the CA certificate is > missing from the certificate chain. > > A partial success i guess.Does Jxplorer have the CA cert?> > ------------------------------------------------------------------------ > *From:* Dumbo Q <dumboq@yahoo.com> > *To:* Ryan Braun [ADS] <ryan.braun@ec.gc.ca>; > fedora-directory-users@redhat.com > *Sent:* Wednesday, July 8, 2009 4:57:49 PM > *Subject:* Re: [389-users] Recover after installing a bad cert. > > Thanks that did it. > > I just can''t seem to get this certificate working. Here is the most > recent way that i have tried. > cat bundle.crt >> new.crt ## bundle, being the chain certificates > provided by the CA > cat rhds.crt >> new.crt ## rhds being the actual cert provided by > the CA > openssl verify new.crt ## turned out OK > > openssl pkcs12 -export -in new.crt -inkey rhds.example.com > <http://rhds.example.com.ke>.key -out rhds.example.com-PSSL.p12 > > pk12util -i /root/certs/rhds.example.com-PSSL.p12 -d . > certutil -L -d . > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > > > rhds.example.com <http://rhds.example.com> - Comodo CA > Limited u,u,u > PositiveSSL CA - The USERTRUST Network ,, > UTN-USERFirst-Hardware - AddTrust AB ,, > > > Still the same error when i try to use this cert. Am I doing > something wrong? > > > > ------------------------------------------------------------------------ > *From:* Ryan Braun [ADS] <ryan.braun@ec.gc.ca> > *To:* fedora-directory-users@redhat.com > *Cc:* Dumbo Q <dumboq@yahoo.com> > *Sent:* Wednesday, July 8, 2009 2:50:10 PM > *Subject:* Re: [389-users] Recover after installing a bad cert. > > On July 8, 2009 06:19:55 pm Dumbo Q wrote: > > I just installed a new ssl certificate using pk12util. I restarted my > > dirsrv, and picked the new cert in the dropdown menu under the > encryption > > tab. I restarted dirsrv to make it take affect. When I did this, I > found > > that the root certificate was not in redhats/openssls ca-bundle. I > tried > > importing the intermediate certificate, and I think I just made the > problem > > worse. > > > > right now im getting the following. > > SSL alert: CERT_VerifyCertificateNow: verify certificate failed for > cert > > rhds.example.com <http://rhds.example.com> - Comodo CA Limited of family > > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - > > Peer''s Certificate issuer is not recognized.) [08/Jul/2009:14:18:04 > -0400] > > - SSL failure: None of the cipher are valid > > > > > > Now my directory is down completely. How can I get it to start up > without > > SSL so that I can fix the problem? > > Make sure you backup /etc/dirsrv/INSTANCE/dse.ldif > > then edit that file and look for > > nsslapd-security: on > > change to > > nsslapd-security: off > > save file, restart service and ssl should be turned off. Keep in mind > whatever caused the ssl config to puke in the first place is still > there :) > > Ryan > > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
My understanding is that I should not need to do anything on the client to make it work. Please note that this is a valid certificate from a real CA. The use of an intermediate certificate (although very annoying) is sometimes used, and is normal. Although, the only other company i''ve used were i needed to use an intermediate cert was through verisign. I think i may have mistakenly thought that jxplorer would use the same source of trusted CA''s as the os. Now that i''m looking into some of the settings, I see it actually only has a handful of CA certs. ________________________________ From: Rich Megginson <rmeggins@redhat.com> To: General discussion list for the 389 Directory server project. <fedora-directory-users@redhat.com> Sent: Wednesday, July 8, 2009 10:11:26 PM Subject: Re: [389-users] Recover after installing a bad cert. Dumbo Q wrote:> Of course, it would help if i trusted the intermediate cert. > certutil -M -t "CT,," -d . -n "UTN-USERFirst-Hardware - AddTrust AB" > certutil -M -t "CT,," -d . -n "PositiveSSL CA - The USERTRUST Network" > > > After doing this I tried an ldapsearch -H ldaps://.... > ldapsearch worked with no problem. > My ldap client "Jxplorer" could not connect however. It complained with the following.. > javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain. > > A partial success i guess.Does Jxplorer have the CA cert?> > ------------------------------------------------------------------------ > *From:* Dumbo Q <dumboq@yahoo.com> > *To:* Ryan Braun [ADS] <ryan.braun@ec.gc.ca>; fedora-directory-users@redhat.com > *Sent:* Wednesday, July 8, 2009 4:57:49 PM > *Subject:* Re: [389-users] Recover after installing a bad cert. > > Thanks that did it. > > I just can''t seem to get this certificate working. Here is the most recent way that i have tried. > cat bundle.crt >> new.crt ## bundle, being the chain certificates provided by the CA > cat rhds.crt >> new.crt ## rhds being the actual cert provided by the CA > openssl verify new.crt ## turned out OK > > openssl pkcs12 -export -in new.crt -inkey rhds.example.com<http://rhds.example.com.ke>.key -out rhds.example.com-PSSL.p12 > > pk12util -i /root/certs/rhds.example.com-PSSL.p12 -d . > certutil -L -d . > Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI > > > rhds.example.com <http://rhds.example.com> - Comodo CA Limited u,u,u > PositiveSSL CA - The USERTRUST Network ,, > UTN-USERFirst-Hardware - AddTrust AB ,, > > > Still the same error when i try to use this cert. Am I doing something wrong? > > > > ------------------------------------------------------------------------ > *From:* Ryan Braun [ADS] <ryan.braun@ec.gc.ca> > *To:* fedora-directory-users@redhat.com > *Cc:* Dumbo Q <dumboq@yahoo.com> > *Sent:* Wednesday, July 8, 2009 2:50:10 PM > *Subject:* Re: [389-users] Recover after installing a bad cert. > > On July 8, 2009 06:19:55 pm Dumbo Q wrote: > > I just installed a new ssl certificate using pk12util. I restarted my > > dirsrv, and picked the new cert in the dropdown menu under the encryption > > tab. I restarted dirsrv to make it take affect. When I did this, I found > > that the root certificate was not in redhats/openssls ca-bundle. I tried > > importing the intermediate certificate, and I think I just made the problem > > worse. > > > > right now im getting the following. > > SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert > > rhds.example.com <http://rhds.example.com> - Comodo CA Limited of family > > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - > > Peer''s Certificate issuer is not recognized.) [08/Jul/2009:14:18:04 -0400] > > - SSL failure: None of the cipher are valid > > > > > > Now my directory is down completely. How can I get it to start up without > > SSL so that I can fix the problem? > > Make sure you backup /etc/dirsrv/INSTANCE/dse.ldif > > then edit that file and look for > > nsslapd-security: on > > change to > > nsslapd-security: off > > save file, restart service and ssl should be turned off. Keep in mind > whatever caused the ssl config to puke in the first place is still there :) > > Ryan > > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >