From: bluethundr
To: freebsd-questions@freebsd.org
Date: Sun, 28 Nov 2010 13:49:44 -0500
Subject: Re: can't use godaddy SSL cert
In-Reply-To: <4CF29E38.6020305@locolomo.org>

Hi Eric,

Sorry, I am clear on that now. I have tried the -h value that matches
the one in the cert, but I get the same result, unfortunately:

[root@VIRCENT03:~]#ldapsearch -h LBSD2.summitnjhome.com -b "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

[root@VIRCENT03:~]#openssl s_client -connect LBSD2.summitnjhome.com:389 -showcerts -CAfile /usr/local/etc/openldap/certs/cacerts/all.crt
10504:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/all.crt','r')
10504:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
10504:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(00000003)
10504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Thanks again for following up!

On Sun, Nov 28, 2010 at 1:23 PM, Erik Norgaard wrote:
> On 28/11/10 18.51, bluethundr wrote:
>
>> Yes the hostname is in the CN of the cert file. So I agree that -h is
>> not the issue. :)
>> [root@VIRCENT03:~]#ldapsearch -h ldap -b "dc=summitnjhome,dc=com" -Z
>> -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
>
> Maybe I didn't make myself clear: the host name you use to connect to (-h),
> in your command line example above, ldap, must be the same as the CN of the
> server certificate. It is irrelevant if the server's hostname is the same as
> the CN.
>
> That might be why you get
>
>> ldap_start_tls: Connect error (-11)
>>       additional info: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Try
>
>  -h LBSD2.summitnjhome.com
>
> BR, Erik

-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
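
The two client-side checks this thread touches, as an added example that is not part of the original messages: whether the name passed to -h appears in the server certificate, and whether the CA file handed to the client exists at all. The certificate dict is constructed in the shape of Python's ssl.SSLSocket.getpeercert(), its CN is assumed from the thread, and the function names and the missing-file path are hypothetical.

```python
import os

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the CN is assumed from the thread, not read from the real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "LBSD2.summitnjhome.com"),),),
    # no "subjectAltName" entry, so the CN is the only name to compare
}


def cert_names(cert):
    """DNS names a client compares against: SAN dNSName entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(connect_name, pattern):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    host = connect_name.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*" and len(pat) > 2 and host[0]:
        return host[1:] == pat[1:]
    return host == pat


def preflight(connect_name, cert, cafile):
    """Return the problems that would make a verifying client reject the server."""
    problems = []
    if not os.path.isfile(cafile):
        # Without a readable CA file the client has no trust anchor from it.
        problems.append("CA file not found: " + cafile)
    names = cert_names(cert)
    if not any(name_matches(connect_name, n) for n in names):
        problems.append("%r is not among certificate names %r"
                        % (connect_name, names))
    return problems


if __name__ == "__main__":
    missing = "/nonexistent/cacerts/all.crt"  # hypothetical path
    for name in ("ldap", "lbsd2.summitnjhome.com"):
        print(name, "->", preflight(name, SAMPLE_CERT, missing) or "ok")
```

Name matching and chain trust are independent checks, so a connection can pass one and still fail on the other.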