Date:      Sun, 28 Nov 2010 14:45:30 -0500
From:      bluethundr <bluethundr@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: can't use godaddy SSL cert
Message-ID:  <AANLkTimtgtW1zN19Lb5K9WtMxP-h23Z750gK_ygNn=r3@mail.gmail.com>
In-Reply-To: <AANLkTi==WjfV7vhmirigE6wuG6qr%2BSDuhFAPNhZGTh4K@mail.gmail.com>
References:  <AANLkTi=N7Q-dYV5=kmzeSMHgJBuXWMLp7rvLnJMd_n-a@mail.gmail.com> <4CEE987D.9040008@locolomo.org> <AANLkTi=OoiqyWGYjZHRETR833_gvKD0rwbyASSeAQyU8@mail.gmail.com> <4CF29E38.6020305@locolomo.org> <AANLkTi==WjfV7vhmirigE6wuG6qr%2BSDuhFAPNhZGTh4K@mail.gmail.com>

I have also revised my /etc/ldap.conf on the client to read:

uri ldaps://LBSD2.summitnjhome.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password crypt

I have also tried using

uri ldap://LBSD2.summitnjhome.com/

with the same results as before. Thanks again.


On Sun, Nov 28, 2010 at 1:49 PM, bluethundr <bluethundr@gmail.com> wrote:
> Hi Eric,
>
> Sorry I am clear on that now. I have tried the -h value that matches
> the one in the cert, but I get the same result, unfortunately:
>
> [root@VIRCENT03:~]#ldapsearch -h LBSD2.summitnjhome.com -b
> "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com"
> "(objectclass=sudoRole)" -W
> ldap_start_tls: Connect error (-11)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Enter LDAP Password:
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> [root@VIRCENT03:~]#openssl s_client -connect
> LBSD2.summitnjhome.com:389 -showcerts -CAfile
> /usr/local/etc/openldap/certs/cacerts/all.crt
> 10504:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/all.crt','r')
> 10504:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 10504:error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 10504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
>
> Thanks again for following up!
>
>
>
> On Sun, Nov 28, 2010 at 1:23 PM, Erik Norgaard <norgaard@locolomo.org> wrote:
>> On 28/11/10 18.51, bluethundr wrote:
>>
>>> Yes the hostname is in the CN of the cert file. So I agree that -h is
>>> not the issue. :)
>>> [root@VIRCENT03:~]#ldapsearch -h ldap -b "dc=summitnjhome,dc=com" -Z
>>> -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
>>
>> Maybe I didn't make myself clear: the host name you use to connect to (-h),
>> in your command line example above, ldap, must be the same as the CN of the
>> server certificate. It is irrelevant if the server's hostname is the same as
>> the CN.
>>
>> That might be why you get
>>
>>> ldap_start_tls: Connect error (-11)
>>>        additional info: error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> Try
>>
>>  -h LBSD2.summitnjhome.com
>>
>> BR, Erik
>>
>
>
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
>



-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
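Erik's point in the quoted reply is that the name given to -h must be one the server certificate actually covers; the "certificate verify failed" error is the client refusing a name mismatch (or an unreadable CA file), not a server outage. The check below is an added example, not code from the thread: it implements the name-matching rule a TLS client applies (DNS subjectAltName entries first, commonName only as a fallback, a single wildcard only in the leftmost label) over certificates in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns. Only the host name LBSD2.summitnjhome.com comes from the thread; the three certificates are constructed for the example.

```python
import socket
import ssl

# Constructed certificates in getpeercert() shape; only the host name is from the thread.
CERT_MATCHING = {
    "subject": ((("commonName", "LBSD2.summitnjhome.com"),),),
    "subjectAltName": (("DNS", "LBSD2.summitnjhome.com"),),
}
CERT_CN_ONLY = {  # older certificate with no SAN, as many 2010-era LDAP certs were
    "subject": ((("commonName", "LBSD2.summitnjhome.com"),),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.summitnjhome.com"),),),
    "subjectAltName": (("DNS", "*.summitnjhome.com"),),
}


def _name_matches(pattern, hostname):
    """Case-insensitive DNS match; one '*' allowed, only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject wildcards that are not the whole left label (e.g. 'l*.example.com')
    # and wildcards too broad to be meaningful (e.g. '*.com').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if hostname matches a DNS SAN, or, when the cert has no DNS SAN, its CN."""
    san_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_names:
        return any(_name_matches(n, hostname) for n in san_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(cn, hostname) for cn in cns)


def explain(cert, hostname):
    """Verdict for the value passed to ldapsearch -h, as a short diagnostic string."""
    if hostname_matches(cert, hostname):
        return f"-h {hostname}: name is covered by the server certificate"
    return f"-h {hostname}: name is NOT covered by the server certificate"


def fetch_peer_cert(host, port=636, cafile=None):
    """Fetch the server certificate over a direct TLS connection (ldaps, not StartTLS
    on 389) with the same CA file ldapsearch would use; raises on verify failure."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

fetch_peer_cert needs network access and a reachable ldaps port; the matching functions run offline on the constructed certificates.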
