Thread: Back in SSL hell again!

Back in SSL hell again!
Glenn
2007-01-16 14:00:17
So I'm just about to finish getting Windows Sync working between RH Directory Server 7.1SP3 and Active Directory. The latest error message in the passsync log says "insufficient access", so I create an ACI that gives the replication manager access to everything, just to see if it will work. Nope. So I think, maybe I have to restart the Directory Server. And then it fails to restart, logging the error message:

SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)

Yeah, right.  Here's a copy of the certificate:

[root@ourserver alias]# ./certutil -L -d ./ -n server-cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            16:43:78:57:00:00:00:00:00:0e
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer:
            "CN=OURCA,DC=ad,DC=ourshop,DC=edu"
        Validity:
            Not Before: Tue Nov 14 22:50:17 2006
            Not After : Thu Nov 13 22:50:17 2008
...
 
Now, I'll grant you that this little synchronization exercise FEELS like it has gone on for more than two years, but according to the certificate, it has taken barely two months so far, leaving the certificate good for another 22 months. Once again, the SSL error message seems to have little to do with reality.

I just restarted the server three hours earlier, and it worked fine then. Can anyone suggest what I might try now? Thanks. -Glenn.

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Re: Back in SSL hell again!
Richard Megginson
2007-01-16 14:12:21
Is it possible it is complaining about the CA cert?
Re: Back in SSL hell again!
Glenn
2007-01-16 15:09:49
> Is it possible it is complaining about the CA cert?

Ahem. No, after all, it did name the certificate it was complaining about. But I figured out what the problem was. Sometime this morning it became apparent that having the clocks synchronized on the AD and DS servers would make it easier to read the logs, so I used the "date" command to change the time. I still find it difficult to understand some of the command manuals, and, assuming it was necessary to include the century and year as well as the date and time in the command, I accidentally put in 2006 instead of 2007. But, you know, if the error message had said, "your certificate is not valid yet" or even, "check the date, twit", I might have resolved this more quickly. Then again, maybe not. Thanks again. -Glenn.

---------- Original Message -----------
From: Richard Megginson <rmeggins@redhat.com>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Tue, 16 Jan 2007 13:12:21 -0700
Subject: Re: [Fedora-directory-users] Back in SSL hell again!

> Glenn wrote:
> > SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert
> > server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> > Runtime error -8181 - Peer's Certificate has expired.)
> >
> Is it possible it is complaining about the CA cert?
> > Yeah, right.  Here's a copy of the certificate:
> > [...]
------- End of Original Message -------

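The failure mode Glenn ran into, a system clock set before the certificate's Not Before date while NSS still reports "Peer's Certificate has expired" (error -8181), can be checked mechanically instead of by staring at the log. What follows is an added example, not code from the thread or from Directory Server: it parses the Validity block of "certutil -L" output (the embedded sample is the block from the thread, constructed inline so the script runs offline) and classifies a clock reading as not yet valid, expired, or valid, with a hint for each. It assumes certutil prints those timestamps in UTC with no zone suffix, which is what the thread's output shows; the diagnose helper and its hint strings are the example's own.

```python
"""Check an NSS certificate's validity window against a clock reading.

Added example for the thread above (not Directory Server's own code).
Assumption: certutil -L prints Not Before / Not After in UTC without a
zone suffix, which is what the thread's output shows.
"""
import sys
from datetime import datetime, timezone

# Constructed sample: the Validity block as the thread's
# `certutil -L -d ./ -n server-cert` printed it (other fields omitted).
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Validity:
            Not Before: Tue Nov 14 22:50:17 2006
            Not After : Thu Nov 13 22:50:17 2008
"""

CERTUTIL_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # "Tue Nov 14 22:50:17 2006"


def _parse_certutil_time(value):
    # certutil omits the zone; treat the stamp as UTC (see module docstring).
    return datetime.strptime(value.strip(), CERTUTIL_TIME_FORMAT).replace(
        tzinfo=timezone.utc)


def parse_certutil_validity(text):
    """Return (not_before, not_after) as aware datetimes from certutil -L output."""
    not_before = not_after = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Not Before"):
            not_before = _parse_certutil_time(stripped.split(":", 1)[1])
        elif stripped.startswith("Not After"):
            not_after = _parse_certutil_time(stripped.split(":", 1)[1])
    if not_before is None or not_after is None:
        raise ValueError("no Validity block found in certutil output")
    if not_after <= not_before:
        raise ValueError("Not After precedes Not Before; cert is malformed")
    return not_before, not_after


def check_validity(not_before, not_after, now):
    """Classify a clock reading against the window.

    Returns 'not yet valid', 'expired' or 'valid'. NSS raises the same
    error (-8181, SEC_ERROR_EXPIRED_CERTIFICATE) for both out-of-window
    cases, which is why the log in the thread said "expired" when the
    clock had in fact been set a year too early.
    """
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def diagnose(cert_text, now_iso):
    """Parse certutil output and explain a -8181 error for the given clock.

    now_iso is an ISO 8601 timestamp, taken as UTC if it carries no zone.
    """
    not_before, not_after = parse_certutil_validity(cert_text)
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    status = check_validity(not_before, not_after, now)
    hints = {  # hint strings are this example's own wording
        "not yet valid": "clock reads before Not Before: check `date`, then fix NTP",
        "expired": "clock reads after Not After: renew the cert, or fix the clock",
        "valid": "window is fine; look elsewhere (CA cert, trust flags, chain)",
    }
    return {"status": status, "hint": hints[status],
            "not_before": not_before.isoformat(),
            "not_after": not_after.isoformat(),
            "clock": now.isoformat()}


if __name__ == "__main__":
    # Pipe real output in:  certutil -L -d <alias dir> -n server-cert | python3 check.py
    # With no piped input the constructed sample above is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CERTUTIL_OUTPUT
    clock = datetime.now(timezone.utc).replace(microsecond=0).isoformat()
    result = diagnose(text, clock)
    print(f"{result['status']}: {result['hint']}")
```

Run against the thread's dates, a clock of 2007-01-16 reports the cert valid; the same clock typed as 2006-01-16 reports "not yet valid", which is the case the NSS message hides behind the word "expired". Checking the clock against the window is a cheaper first step than re-issuing certificates or loosening ACIs.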
