[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Using NSS

On 11/12/2011 09:25 PM, Braden McDaniel wrote:
On Thu, 2011-10-27 at 13:55 -0600, Rich Megginson wrote:
On 10/27/2011 12:05 PM, Braden McDaniel wrote:
On Thu, 2011-10-27 at 08:44 -0600, Rich Megginson wrote:


What is your /etc/openldap/ldap.conf?
That question led me to a bogus setting for TLS_CACERTDIR.  First, I
tried simply commenting the line out, figuring the value of
olcTLSCACertificatePath in cn=config.ldif would be used.
No, the client cannot use cn=config.ldif - that is for the server only.
The server cannot use ldap.conf - that is for the client only.
Okay... With this in mind, I changed ldap.conf to use TLS_CACERT to
point to a .pem file as generated by:

         # certutil -d /etc/pki/nssdb -L -n "endoframe" -a>

That gets me here:

         # ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
         ldap_new_connection 1 1 0
         ldap_connect_to_host: TCP rail:636
         ldap_new_socket: 3
         ldap_prepare_socket: 3
         ldap_connect_to_host: Trying ::1 636
         ldap_pvt_connect: fd: 3 tm: -1 async: 0
         TLS: loaded CA certificate
         file /etc/openldap/cacerts/endoframe.pem.
         TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
         TLS: error: connect - force handshake failure: errno 21 - moznss
         error -5938
         TLS: can't connect: TLS error -5938:Encountered end of file.
         ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Never seen that - I have no idea why you would get an EEXIST at this
point in the code.  I suggest turn on debugging on the server and see
what it thinks is happening.
There were apparently some selinux issues that accounted for the
previous errors.  Once those were resolved, the above search yields this
from the server (run with -d1):

         >>>  slap_listener(ldaps:///)
         connection_get(14): got connid=1000
         connection_read(14): checking for input on id=1000
         TLS: using moznss security dir /etc/pki/nssdb prefix .
         TLS: certificate [CN=Endoframe] is not valid - error -8102:Unknown code ___f 90.
         TLS: error: unable to find and verify server's cert and key for certificate endoframe
         TLS: error: could not initialize moznss security context - error -8102:Unknown code ___f 90
         TLS: can't create ssl handle.
         connection_read(14): TLS accept failure error=-1 id=1000, closing
         connection_close: conn=1000 sd=14

So I screwed up the certificate.  I'm just not sure how.
-8102:Unknown code ___f 90 is SEC_ERROR_INADEQUATE_KEY_USAGE - can you post the contents of your certificate?

certutil -d /etc/pki/nssdb -L -n CN=Endoframe

then delete/obscure any sensitive information
then post the cert