On 06/20/2013 02:56 PM, Rodney Simioni wrote:
> I'm trying to set up LDAP/SSL/TLS. Somebody told me that PKCS is a moznss
> issue and I should ask this question with you guys and not the openssl
> group.

What OS are you running? It does look like you are using NSS.

> TLS: certdb config: configDir='/etc/openldap/cacerts/'
> tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
> TLS: cannot open certdb '/etc/openldap/cacerts/', error -8018:Unknown
> PKCS #11 error.

Here it looks like it's trying to open NSS databases located in
/etc/openldap/cacerts. Since it doesn't actually fail here, I presume
that it's now falling back to something else, so I don't think this is
necessarily your problem.

> TLS: loaded CA certificate file /etc/openldap/cacerts//5e5a5bcb.0 from
> CA certificate directory /etc/openldap/cacerts/.

I'm guessing it is using libpem here to load the openldap certificate. It
seems to indicate that this was successful.

> TLS: certificate
> [E=s...@stuff.com,CN=fl1-lsh99apa007.securesites.com,OU=shit,O=Verio,L=Boca,ST=Florida,C=US] is not valid - error -8172:Peer's certificate
> issuer has been marked as not trusted by the user..
> TLS: error: connect - force handshake failure: errno 0 - moznss error
> -8172
> TLS: can't connect: TLS error -8172:Peer's certificate issuer has been
> marked as not trusted by the user..
> ldap_err2string
> ldap_start_tls: Connect error (-11)
> additional info: TLS error -8172:Peer's certificate issuer has
> been marked as not trusted by the user.

This means that the given cert wasn't signed by any trusted certificate.
This could be because the certificate was not found in
/etc/openldap/cacerts/53515bcb.0, or that libpem decided not to
trust the cert found in this location.

> Any help will be greatly appreciated.

I'm guessing that you are running on some version of RHEL or Fedora. Can
you say which one?

Thanks,
bob

> Rod
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
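As an added illustration of the condition bob describes (the server certificate's issuer not being present and trusted in the CA directory), the following shell walkthrough is an editorial example and not part of the thread. It uses the openssl command line rather than NSS/libpem, builds a throwaway CA and a server certificate signed by it, and shows that verification against an empty CA directory fails, while it succeeds once the CA is stored under its subject-hash file name (the "5e5a5bcb.0" form seen in the log). The CA name, host name and temporary paths are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: reproduce the
# "issuer not trusted" situation with a throwaway CA and check a CA
# directory the way an OpenSSL-based verifier does. Needs the openssl CLI.
# All names (Example Test CA, ldap.example.test) are constructed.
set -eu

WORK=$(mktemp -d)
CADIR="$WORK/cacerts"          # stands in for /etc/openldap/cacerts
EMPTY_DIR="$WORK/cacerts-empty" # a CA directory with nothing trusted in it
mkdir -p "$CADIR" "$EMPTY_DIR"

# Throwaway CA key/cert, then a server cert signed by that CA.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=ldap.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/server.pem" 2>/dev/null
SERVER_CERT="$WORK/server.pem"

# Name a CA file the way the log shows ("5e5a5bcb.0"): the certificate's
# subject hash followed by ".0". Prints the resulting file name.
ca_hash_name() {
  printf '%s.0\n' "$(openssl x509 -noout -subject_hash -in "$1")"
}

# Copy a CA certificate into a CA directory under its hashed name so an
# -CApath lookup can find it.
install_ca() {
  cp "$1" "$2/$(ca_hash_name "$1")"
}

# Return 0 if the server cert chains to a CA found in the directory,
# 1 otherwise. Matches the "OK" verdict in the output rather than relying
# on the exit status, since older openssl releases exit 0 on failure.
verify_against_dir() {
  openssl verify -CApath "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Walkthrough: the chain fails against the empty directory (the situation
# behind the -8172 error in the thread), then passes once the CA is there.
if verify_against_dir "$SERVER_CERT" "$EMPTY_DIR"; then
  echo "unexpected: verified with no CA present"
else
  echo "no trusted issuer for $SERVER_CERT in $EMPTY_DIR (expected)"
fi
install_ca "$WORK/ca.pem" "$CADIR"
if verify_against_dir "$SERVER_CERT" "$CADIR"; then
  echo "verified against $CADIR/$(ls "$CADIR")"
fi
```

On a real host the same check applies with the LDAP server's certificate and the directory named by TLS_CACERTDIR in ldap.conf; a failure there tells you the issuer is simply missing from the directory, which is the first of the two causes bob lists. A pass only shows the OpenSSL view of the directory, so it does not rule out his second cause, libpem declining to trust a file that is present.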