Re: Using NSS
[My, it's been a while. I got pulled away from this and it's been a
busy few months. Now I'm beating my head against it some more.]
I backed up and started over with this. Here is the state of things:
# certutil -d /etc/pki/nssdb -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LDAP-Server-Cert                                             u,u,u
CA certificate                                               CTu,u,u
# certutil -d /etc/pki/nssdb -L -n 'CA certificate'
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1000 (0x3e8)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Endoframe CA cert,DC=endoframe,DC=net"
Validity:
Not Before: Tue Jan 17 07:48:20 2012
Not After : Mon Jan 17 07:48:20 2022
Subject: "CN=Endoframe CA cert,DC=endoframe,DC=net"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
[snip]
Signed Extensions:
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
[snip]
Fingerprint (MD5):
[snip]
Fingerprint (SHA1):
[snip]
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
User
Object Signing Flags:
User
# certutil -d /etc/pki/nssdb -L -n 'LDAP-Server-Cert'
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1001 (0x3e9)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Endoframe CA cert,DC=endoframe,DC=net"
Validity:
Not Before: Thu Jan 19 06:13:01 2012
Not After : Wed Jan 19 06:13:01 2022
Subject: "CN=ldap.endoframe.net"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
[snip]
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
[snip]
Fingerprint (MD5):
[snip]
Fingerprint (SHA1):
[snip]
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
Given the above, I generate the cert for the client:
# certutil -d /etc/pki/nssdb -L -n LDAP-Server-Cert -a > /etc/openldap/cacerts/ldap-server-cert.pem
In cn=config.ldif, I have:
olcTLSCACertificatePath: /etc/pki/nssdb
olcTLSCertificateFile: LDAP-Server-Cert
In ldap.conf, I have:
TLS_CACERT /etc/openldap/cacerts/ldap-server-cert.pem
Finally, when I run ldapsearch, I get this error:
# ldapsearch -H ldaps://ldap.endoframe.net -b dc=endoframe,dc=net -x -d1
ldap_url_parse_ext(ldaps://ldap.endoframe.net)
ldap_create
ldap_url_parse_ext(ldaps://ldap.endoframe.net:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.endoframe.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.21:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/openldap/cacerts/ldap-server-cert.pem.
TLS: certificate [CN=Endoframe CA cert,DC=endoframe,DC=net] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Is there something I need to do to mark the issuer as trusted on the
client? (The client and server are actually the same machine in this
case, FWIW.)
Braden
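The trust attributes in the certutil -L listing above are what decide which issuers NSS will accept: in the SSL column, C marks a certificate trusted to issue server certificates, c marks a valid but untrusted CA, and u marks a user (leaf) certificate with its own key in the database. As an added example, not code from the post or from OpenLDAP, the POSIX shell script below reads such a listing (constructed here from the output quoted above), extracts the flags for a nickname, and reports whether that nickname is usable as an ldaps trust anchor; the helper names are our own.

```shell
#!/bin/sh
# Audit the trust attributes of an NSS database listing.
# Added example: the listing is constructed from the certutil -L output
# quoted in the post; nss_* helper names are assumptions, not NSS APIs.

# Constructed sample: `certutil -d /etc/pki/nssdb -L` as shown in the post.
LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LDAP-Server-Cert                                             u,u,u
CA certificate                                               CTu,u,u'

# Print the trust triple (SSL,S/MIME,JAR/XPI) for one nickname, or nothing.
# Nicknames may contain spaces, so the flags are taken as the last field
# and the nickname is everything before the whitespace that precedes them.
nss_trust_attrs() {
    want=$1
    printf '%s\n' "$LISTING" | awk -v want="$want" '
        NR > 2 && NF >= 2 {
            flags = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", $0)   # drop the flags column
            if ($0 == want) { print flags; exit }
        }'
}

# Classify the SSL column of a trust triple. C (trusted CA for server
# certs) takes priority because a CA entry that also holds its key shows
# as CTu, not plain C.
nss_ssl_role() {
    ssl=${1%%,*}
    case $ssl in
        *C*) echo trusted-ca ;;
        *c*) echo valid-ca-untrusted ;;
        *P*) echo trusted-peer ;;
        *u*) echo user-cert ;;
        *)   echo no-trust ;;
    esac
}

# Report whether NICKNAME can anchor an ldaps client's trust.
# Prints the role; exit status 0 only for a trusted CA.
nss_anchor_check() {
    attrs=$(nss_trust_attrs "$1")
    [ -n "$attrs" ] || { echo unknown-nickname; return 1; }
    role=$(nss_ssl_role "$attrs")
    echo "$role"
    [ "$role" = trusted-ca ]
}

# Export a nickname as PEM with the same certutil flags the post uses
# (-d database, -L list, -n nickname, -a ASCII). Not invoked here.
nss_export_pem() {
    certutil -d "$1" -L -n "$2" -a
}

# Demonstration over the constructed listing; never fails the script.
for n in 'CA certificate' LDAP-Server-Cert; do
    printf '%s: ' "$n"
    nss_anchor_check "$n" || true
done
```

Run as-is, the loop reports "CA certificate: trusted-ca" and "LDAP-Server-Cert: user-cert". Whatever file a client's TLS_CACERT names has to contain the certificate that issued the server's certificate, that is, one listed with C in its SSL column; when the anchor it was given does not cover the issuer, NSS reports error -8172 (SEC_ERROR_UNTRUSTED_ISSUER), which is the text in the ldapsearch trace above. Pointing nss_export_pem at the database and the CA nickname gives a PEM suitable for that purpose.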