On 06/20/2013 05:16 PM, Robert Relyea wrote:
On 06/20/2013 02:56 PM, Rodney Simioni wrote:
I'm trying to set up LDAP/SSL/TLS. Somebody told me that PKCS is a moznss
issue and I should ask this question with you guys and not the openssl
group.

What OS are you running? It does look like you are using NSS.


TLS: certdb config: configDir='/etc/openldap/cacerts/'
tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly

TLS: cannot open certdb '/etc/openldap/cacerts/', error -8018:Unknown
PKCS #11 error.
Here it looks like it's trying to open NSS databases located in
/etc/openldap/cacerts. Since it doesn't actually fail here, I presume
that it's now falling back to something else, so I don't think this is
necessarily your problem.

Right. Since TLS_CACERTDIR (or similar) is specified, OpenLDAP attempts to open that as an NSS key/cert db directory, and falls back to PEM (below).


TLS: loaded CA certificate file /etc/openldap/cacerts//5e5a5bcb.0 from
CA certificate directory /etc/openldap/cacerts/.
I'm guessing it's using libpem here to load the openldap certificate. It
seems to indicate that this was successful.

Right.


TLS: certificate [E=s...@stuff.com,CN=fl1-lsh99apa007.securesites.com,OU=shit,O=Verio,L=Boca,ST=Florida,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..

TLS: error: connect - force handshake failure: errno 0 - moznss error
-8172

TLS: can't connect: TLS error -8172:Peer's certificate issuer has been
marked as not trusted by the user..

ldap_err2string

ldap_start_tls: Connect error (-11)

         additional info: TLS error -8172:Peer's certificate issuer has
been marked as not trusted by the user.
This means that the given cert wasn't signed by any trusted certificate.
This could be because the certificate was not found in
/etc/openldap/cacerts/53515bcb.0, or that libpem decided not to
trust the cert found in this location.

Make sure /etc/openldap/cacerts/53515bcb.0 is or has the CA cert of the CA that issued E=s...@stuff.com,CN=fl1-lsh99apa007.securesites.com,OU=shit,O=Verio,L=Boca,ST=Florida,C=US



Any help will be greatly appreciated.

I'm guessing that you are running on some version of RHEL or Fedora. Can
you say which one?

Thanks,

bob


Rod
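Bob's suggestion above (make sure the hash-named file in the CA directory is the CA that issued the server certificate) as a diagnostic script added here; it is not from any message in this thread. It needs the openssl CLI, and the CA, server name and DNs it builds (example-root, ldap.example.test) are constructed for the demo.

```bash
#!/bin/sh
# Added diagnostic, not from any message in the thread: check that the
# hash-named file OpenLDAP looks for in TLS_CACERTDIR really is the CA
# that issued the server certificate. Requires the openssl CLI.
set -eu

# check_cacert_dir CACERTDIR SERVER_CERT
# Prints "ok" when CACERTDIR/<issuer hash>.0 exists, its subject equals the
# server cert's issuer, and `openssl verify` accepts the chain; otherwise
# prints which of those three checks failed.
check_cacert_dir() {
  dir=$1; cert=$2
  # The file name is the hash of the issuer DN, the same value that
  # `openssl x509 -subject_hash` prints for the CA certificate itself.
  h=$(openssl x509 -in "$cert" -noout -issuer_hash)
  f="$dir/$h.0"
  [ -f "$f" ] || { echo "missing $f"; return 0; }
  ca_subj=$(openssl x509 -in "$f" -noout -subject)
  leaf_iss=$(openssl x509 -in "$cert" -noout -issuer)
  [ "${ca_subj#subject=}" = "${leaf_iss#issuer=}" ] || { echo "dn-mismatch"; return 0; }
  if openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1; then
    echo ok
  else
    echo verify-failed
  fi
}

# Build a constructed CA and server cert, install the CA under its hash
# name (or under a wrong file name when NAME is given, reproducing the
# "issuer not trusted" situation), and run the check. All names are made up.
demo() {
  t=$(mktemp -d); mkdir "$t/cacerts"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$t/ca.key" \
    -out "$t/ca.pem" -subj "/O=Example CA/CN=example-root" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$t/srv.key" -out "$t/srv.csr" \
    -subj "/O=Example/CN=ldap.example.test" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$t/srv.csr" -CA "$t/ca.pem" -CAkey "$t/ca.key" \
    -CAcreateserial -out "$t/srv.pem" >/dev/null 2>&1
  name=${1:-$(openssl x509 -in "$t/ca.pem" -noout -subject_hash).0}
  cp "$t/ca.pem" "$t/cacerts/$name"
  r=$(check_cacert_dir "$t/cacerts" "$t/srv.pem")
  rm -rf "$t"
  echo "$r"
}
```

Run `check_cacert_dir /etc/openldap/cacerts server.pem` against the real directory and the server's certificate to see which of the three checks fails.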
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto