From: bluethundr
To: freebsd-questions@freebsd.org
Date: Sun, 28 Nov 2010 14:45:30 -0500
Subject: Re: can't use godaddy SSL cert
References: <4CEE987D.9040008@locolomo.org> <4CF29E38.6020305@locolomo.org>

I have also revised my /etc/ldap.conf on the client to read:

uri ldaps://LBSD2.summitnjhome.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password crypt

I have also tried using

uri ldap://LBSD2.summitnjhome.com/

with the same results as before.

thanks again.

On Sun, Nov 28, 2010 at 1:49 PM, bluethundr wrote:
> Hi Eric,
>
>  Sorry I am clear on that now. I have tried the -h value that matches
> the one in the cert, but I get the same result, unfortunately:
>
>  [root@VIRCENT03:~]#ldapsearch -h LBSD2.summitnjhome.com -b
> "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com"
> "(objectclass=sudoRole)" -W
> ldap_start_tls: Connect error (-11)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Enter LDAP Password:
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> [root@VIRCENT03:~]#openssl s_client -connect
> LBSD2.summitnjhome.com:389 -showcerts -CAfile
> /usr/local/etc/openldap/certs/cacerts/all.crt
> 10504:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/all.crt','r')
> 10504:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 10504:error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 10504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
>
> Thanks again for following up!
>
>
>
> On Sun, Nov 28, 2010 at 1:23 PM, Erik Norgaard wrote:
>> On 28/11/10 18.51, bluethundr wrote:
>>
>>> Yes the hostname is in the CN of the cert file. So I agree that -h is
>>> not the issue. :)
>>> [root@VIRCENT03:~]#ldapsearch -h ldap -b "dc=summitnjhome,dc=com" -Z
>>> -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
>>
>> Maybe I didn't make myself clear: the host name you use to connect to (-h),
>> in your command line example above, ldap, must be the same as the CN of the
>> server certificate. It is irrelevant if the server's hostname is the same as
>> the CN.
>>
>> That might be why you get
>>
>>> ldap_start_tls: Connect error (-11)
>>>        additional info: error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> Try
>>
>>  -h LBSD2.summitnjhome.com
>>
>> BR, Erik
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>
>
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
>
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
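Added example, not part of the thread and not OpenLDAP's or OpenSSL's own code: the two checks that the "certificate verify failed" and "fopen: No such file or directory" lines above come down to, written as a small offline diagnostic in Python. `SAMPLE_CERT` is a constructed dictionary in the shape `ssl.SSLSocket.getpeercert()` returns, with names made up to mirror the thread (the real server certificate is not on the page). The hostname rule it implements is the usual one, which the thread states for the CN: the name given with `-h` must match a DNS subjectAltName, or the subject CN when the certificate has no SAN, and a wildcard may stand in for exactly one leftmost label. The CA-bundle check uses the standard library's `ssl.SSLContext.load_verify_locations`; the `/nonexistent/all.crt` path is a placeholder so the demo runs on any machine.

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Values are made up to mirror the thread; they are not the real server's.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("commonName", "LBSD2.summitnjhome.com"),),
    ),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (
        ("DNS", "LBSD2.summitnjhome.com"),
        ("DNS", "ldap.summitnjhome.com"),
    ),
}


def _dns_match(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.
    Only a single leading '*' label is honoured, and it may replace
    exactly one label (the convention OpenSSL and browsers use)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Refuse '*.com'-style patterns and any wildcard beyond the first label.
    if len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the client may match against: every DNS subjectAltName, falling
    back to the subject commonName only when the cert carries no SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def hostname_matches(cert, hostname):
    """True when the name passed with -h would satisfy certificate verification."""
    return any(_dns_match(name, hostname) for name in cert_names(cert))


def check_ca_bundle(path):
    """Return None when the CA bundle loads, otherwise the error text.
    A missing file here is the same failure the openssl 'fopen' lines show."""
    ctx = ssl.create_default_context()
    try:
        ctx.load_verify_locations(cafile=path)
    except (OSError, ssl.SSLError) as exc:
        return f"{path}: {exc}"
    return None


def diagnose(cert, hostname, cafile):
    """Collect the two checks a 'certificate verify failed' usually comes down to."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append(f"hostname {hostname!r} matches none of {cert_names(cert)}")
    err = check_ca_bundle(cafile)
    if err:
        findings.append(f"CA bundle not usable: {err}")
    return findings


if __name__ == "__main__":
    # '/nonexistent/all.crt' is a placeholder path so the demo runs on any box.
    for host in ("ldap", "LBSD2.summitnjhome.com"):
        print(host, diagnose(SAMPLE_CERT, host, "/nonexistent/all.crt") or "ok")
```

Run against the sample, the short name `ldap` fails the name check while `LBSD2.summitnjhome.com` passes it, and the placeholder CA path fails in both runs; in the thread the name was corrected but the `-CAfile` path still did not exist, which is why `s_client` could not complete the handshake. The ldap.conf in the message points `tls_cacertdir` at `/etc/openldap/cacerts`, a different location from the `-CAfile` used with `s_client`, so the bundle check is worth running against whichever path the client is actually configured with.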