TLS trace: SSL3 alert write:fatal:unknown CA

Jeff Gamsby wrote:
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>
>>> Jeff Gamsby
>>> Center for X-Ray Optics
>>> Lawrence Berkeley National Laboratory
>>> (510) 486-7783
>>>
>>>
>>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>>
>>>>> Jeff Gamsby
>>>>> Center for X-Ray Optics
>>>>> Lawrence Berkeley National Laboratory
>>>>> (510) 486-7783
>>>>>
>>>>>
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>>
>>>>>>> Jeff Gamsby
>>>>>>> Center for X-Ray Optics
>>>>>>> Lawrence Berkeley National
Laboratory
>>>>>>> (510) 486-7783
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>> I blew away the server
and installed a new one, then I used 
>>>>>>>>> the setupssl.sh script
to setup SSL. The script completed 
>>>>>>>>> successfully, and the
server is listening on port 636, but I'm 
>>>>>>>>> back to a familiar
error:
>>>>>>>>>
>>>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>>>
>>>>>>>>> TLS trace:
SSL_connect:SSLv3 read server hello A
>>>>>>>>> TLS certificate
verification: depth: 1, err: 19, subject: 
>>>>>>>>> /CN=CAcert, issuer:
/CN=CAcert
>>>>>>>>> TLS certificate
verification: Error, self signed certificate 
>>>>>>>>> in certificate chain
>>>>>>>>> tls_write: want=7,
written=7
>>>>>>>>>  0000:  15 03 01 00 02
02 30                               
>>>>>>>>> ......0          TLS
trace: SSL3 alert write:fatal:unknown CA
>>>>>>>>> TLS trace:
SSL_connect:error in SSLv3 read server certificate B
>>>>>>>>> TLS trace:
SSL_connect:error in SSLv3 read server certificate B
>>>>>>>>> TLS: can't connect.
>>>>>>>>> ldap_perror
>>>>>>>>> ldap_start_tls: Connect
error (-11)
>>>>>>>>>        additional info:
error:14090086:SSL 
>>>>>>>>>
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
>>>>>>>>>
>>>>>>>>> Shouldn't CN=CAcert be
cn=fqdn?
>>>>>>>> No, no hostname validation
is done on the CA cert, only on the 
>>>>>>>> LDAP server cert.
>>>>>>>>
>>>>>>>> Did you configure openldap
to use the new CA cert?  
>>>>>>>> http://directory.fedora.redhat.com/wiki/
Howto:SSL#Configure_LDAP_clients 
>>>>>>>>
>>>>>>>
>>>>>>> Yes.
>>>>>>>
>>>>>>> This is what the access log
says
>>>>>>>
>>>>>>> [02/Jun/2006:14:58:41 -0700]
conn=2 op=462 RESULT err=0 tag=101 
>>>>>>> nentries=0 etime=0
>>>>>>> [02/Jun/2006:14:58:47 -0700]
conn=124 fd=68 slot=68 connection 
>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>> [02/Jun/2006:14:58:47 -0700]
conn=124 op=0 EXT 
>>>>>>>
oid="1.3.6.1.4.1.1466.20037"
name="startTLS"
>>>>>>> [02/Jun/2006:14:58:47 -0700]
conn=124 op=0 RESULT err=0 tag=120 
>>>>>>> nentries=0 etime=0
>>>>>>> [02/Jun/2006:14:58:47 -0700]
conn=124 op=-1 fd=68 closed - Peer 
>>>>>>> does not recognize and trust
the CA that issued your certificate.
>>>>>>
>>>>>> This means that the CA cert that
/etc/openldap/ldap.conf is using 
>>>>>> is not the cert of the CA that
issued the Fedora DS server cert.
>>>>> OK.  I had the old cert in there.
>>>>>
>>>>> I followed the instructions and did a
>>>>>
>>>>> cp cacert.asc
/etc/openldap/cacerts/`openssl x509 -noout -hash -in 
>>>>> cacert.asc`.0
>>>>>
>>>>> and set TLS_CACERT to
/etc/openldap/cacerts/cacert.asc. I still 
>>>>> get the same error
>>>> But does the file
/etc/openldap/cacerts/cacert.asc exist?  If not, 
>>>> you need to copy that file in there.  I
guess the docs are not 
>>>> explicit enough - if you use TLS_CACERTDIR,
you must have the file 
>>>> <hash>.0 in the cacerts directory. 
If you use TLS_CACERT, you must 
>>>> have the file
/etc/openldap/cacerts/cacert.asc.
>>>
>>> It does exist, and I'm using TLS_CACERT 
>>> /etc/openldap/cacerts/cacert.asc
>>>
>>> Same error.
>>> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68
slot=68 connection from 
>>> 127.0.0.1 to 127.0.0.1
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT 
>>> oid="1.3.6.1.4.1.1466.20037"
name="startTLS"
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0
RESULT err=0 tag=120 
>>> nentries=0 etime=0
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1
fd=68 closed - Peer does 
>>> not recognize and trust the CA that issued your
certificate.
>>>
>>> I also put the same info in /etc/ldap.conf
>> That file is only used by pam_ldap and nss_ldap, so
it shouldn't matter.
>>>
>>> Also, here are the certs
>>>
>>> ../shared/bin/certutil -L -P slapd-server- -d .
>>> CA certificate                                 
             CTu,u,u
>>> server-cert                                    
             u,u,u
>>> Server-Cert                                    
             u,u,u
>>>
>>> Does that look right?
>> Try this:
>> ../shared/bin/certutil -L -P slapd-server- -d . -n
"CA certificate" 
>> -a > mycacert.asc
>>
>> diff mycacert.asc /etc/openldap/cacerts/cacert.asc
>>
>> If they are the same, then CA certificate is not
the cert of the CA 
>> that issued Server-Cert.
>
> They are the same.
>
> I'm not sure that I understand.
I'm not sure I understand what's going on either, but the
message "Peer 
does not recognize and trust the CA that issued your
certificate." means 
that ldapsearch did not verify your LDAP server certificate 
(Server-Cert).  This is usually due to one or both of the
following:
1) The value of the cn attribute in the leftmost RDN of the
subjectDN in 
the LDAP server cert is not the fqdn of the LDAP server
host, or the 
client cannot resolve it.
2) The /etc/openldap/cacerts/cacert.asc CA cert is not the
cert of the 
CA that issued the LDAP server certificate (Server-Cert)

I'm not sure which one it is.  You might try dumping out
the server 
certificate (../shared/bin/certutil -L -P slapd-server- -d .
-n 
"Server-Cert" -a > fdscert.pem) and using
openssl to verify the cert e.g.
openssl verify -CAfile /etc/openldap/cacerts/cacert.asc
fdscert.pem

If you get an error, this means that the CA whose cert is 
/etc/openldap/cacerts/cacert.asc did not issue the fedora ds
server 
certificate.
>
>>>
>>>>>
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10
fd=67 slot=67 connection from 
>>>>> 127.0.0.1 to 127.0.0.1
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10
op=0 EXT 
>>>>>
oid="1.3.6.1.4.1.1466.20037"
name="startTLS"
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10
op=0 RESULT err=0 tag=120 
>>>>> nentries=0 etime=0
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10
op=-1 fd=67 closed - Peer 
>>>>> does not recognize and trust the CA
that issued your certificate.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> This is all that the
errors log says
>>>>>>>> How about the access log?
>>>>>>>>>
>>>>>>>>> [02/Jun/2006:14:21:01
-0700] - No symmetric key found for 
>>>>>>>>> cipher AES in backend
userRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01
-0700] - Key for cipher AES successfully 
>>>>>>>>> generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01
-0700] - No symmetric key found for 
>>>>>>>>> cipher 3DES in backend
userRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01
-0700] - Key for cipher 3DES 
>>>>>>>>> successfully generated
and stored
>>>>>>>>> [02/Jun/2006:14:21:01
-0700] - No symmetric key found for 
>>>>>>>>> cipher AES in backend
NetscapeRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01
-0700] - Key for cipher AES successfully 
>>>>>>>>> generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01
-0700] - No symmetric key found for 
>>>>>>>>> cipher 3DES in backend
NetscapeRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01
-0700] - Key for cipher 3DES 
>>>>>>>>> successfully generated
and stored
>>>>>>>>> [02/Jun/2006:14:21:01
-0700] - slapd started.  Listening on 
>>>>>>>>> All Interfaces port 389
for LDAP requests
>>>>>>>>> [02/Jun/2006:14:21:01
-0700] - Listening on All Interfaces 
>>>>>>>>> port 636 for LDAPS
requests
>>>>>>>>>
>>>>>>>>> Thanks for your help
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jeff Gamsby
>>>>>>>>> Center for X-Ray Optics
>>>>>>>>> Lawrence Berkeley
National Laboratory
>>>>>>>>> (510) 486-7783
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Richard Megginson
wrote:
>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>> OK, now I have
a different error.
>>>>>>>>>>>
>>>>>>>>>>> I ran
../shared/bin/certutil -A -n cert-name -t
"C,C,C" -i 
>>>>>>>>>>>
/etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>
>>>>>>>>>>> and
>>>>>>>>>>>
>>>>>>>>>>> ln -s
ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>>
>>>>>>>>>>> Now, I get this
error:
>>>>>>>>>>>
>>>>>>>>>>> TLS: can't
connect.
>>>>>>>>>>> ldap_perror
>>>>>>>>>>> ldap_start_tls:
Connect error (-11)
>>>>>>>>>>>       
additional info: Start TLS request accepted.Server 
>>>>>>>>>>> willing to
negotiate SSL.
>>>>>>>>>> What OS and version
are you running?  RHEL3 
>>>>>>>>>>
/etc/openldap/ldap.conf does not like the TLS_CACERTDIR 
>>>>>>>>>> directive - you
must use the TLS_CACERT directive with the 
>>>>>>>>>> full path and
filename of the cacert.pem file (e.g. 
>>>>>>>>>>
/etc/openldap/cacerts/cacert.pem).  What does it say in the 
>>>>>>>>>> fedora ds access
and error log for this request?
>>>>>>>>>>
>>>>>>>>>> For a successful
startTLS request with ldapsearch, you should 
>>>>>>>>>> see something like
the following in your fedora ds access log:
>>>>>>>>>>
[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64
connection 
>>>>>>>>>> from 127.0.0.1 to
127.0.0.1
>>>>>>>>>>
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT 
>>>>>>>>>>
oid="1.3.6.1.4.1.1466.20037"
name="startTLS"
>>>>>>>>>>
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 
>>>>>>>>>> tag=120 nentries=0
etime=0
>>>>>>>>>>
[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>>
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND
dn="" 
>>>>>>>>>> method=128
version=3
>>>>>>>>>>
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0
tag=97 
>>>>>>>>>> nentries=0 etime=0
dn=""
>>>>>>>>>>
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH 
>>>>>>>>>>
base="dc=example,dc=com" scope=0
filter="(objectClass=*)" 
>>>>>>>>>> attrs=ALL
>>>>>>>>>>
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 
>>>>>>>>>> tag=101 nentries=1
etime=0
>>>>>>>>>>
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>>
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Jeff Gamsby
>>>>>>>>>>> Center for
X-Ray Optics
>>>>>>>>>>> Lawrence
Berkeley National Laboratory
>>>>>>>>>>> (510) 486-7783
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Richard
Megginson wrote:
>>>>>>>>>>>> Jeff Gamsby
wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jeff
Gamsby
>>>>>>>>>>>>> Center
for X-Ray Optics
>>>>>>>>>>>>>
Lawrence Berkeley National Laboratory
>>>>>>>>>>>>> (510)
486-7783
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Richard
Megginson wrote:
>>>>>>>>>>>>>>
Jeff Gamsby wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
Jeff Gamsby
>>>>>>>>>>>>>>>
Center for X-Ray Optics
>>>>>>>>>>>>>>>
Lawrence Berkeley National Laboratory
>>>>>>>>>>>>>>>
(510) 486-7783
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
Richard Megginson wrote:
>>>>>>>>>>>>>>>
> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>
>> I am trying to get FDS 1.0.2 working in SSL mode. I
am 
>>>>>>>>>>>>>>>
>> using a OpenSSL CA, I have installed the Server
Cert 
>>>>>>>>>>>>>>>
>> and the CA Cert, can start FDS in SSL mode, but
when I 
>>>>>>>>>>>>>>>
>> run
>>>>>>>>>>>>>>>
>> ldapsearch -x -ZZ  I get TLS trace: SSL3 alert 
>>>>>>>>>>>>>>>
>> write:fatal:unknown CA.
>>>>>>>>>>>>>>>
> Did you follow this - 
>>>>>>>>>>>>>>>
> htt
p://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>>
I did, but that didn't work for me. The only thing that 
>>>>>>>>>>>>>>>
I did this time was generate a request from the
"Manage 
>>>>>>>>>>>>>>>
Certificates", sign the request using my OpenSSL CA,
and 
>>>>>>>>>>>>>>>
install the Server and CA Certs. Then I turned on SSL in 
>>>>>>>>>>>>>>>
the Admin console, and restarted the server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
When I followed the instructions from the link, I 
>>>>>>>>>>>>>>>
couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>> One
problem may be that ldapsearch is trying to verify 
>>>>>>>>>>>>>> the
hostname in your server cert, which is the value of 
>>>>>>>>>>>>>> the
cn attribute in the leftmost RDN in your server 
>>>>>>>>>>>>>>
cert's subject DN.  What is the subject DN of your server 
>>>>>>>>>>>>>>
cert?  You can use certutil -L -n Server-Cert as 
>>>>>>>>>>>>>>
specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry.
I missed the -P option.
>>>>>>>>>>>>>
>>>>>>>>>>>>> running
../shared/bin/certutil -L -d . -P slapd-server- -n 
>>>>>>>>>>>>>
"server-cert" returns the Subject *CN* as FQDN
of FDS and 
>>>>>>>>>>>>> OpenSSL
CA host (ran on same machine)
>>>>>>>>>>>> Hmm - try
ldapsearch with the -v (or -d?) option to get 
>>>>>>>>>>>> some
debugging info.
>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>
>>>>>>>>>>>>>>>
>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>
>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>
> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>
Yes
>>>>>>>>>>>>>>>
>> TLSREQCERT allow
>>>>>>>>>>>>>>>
>> ssl on
>>>>>>>>>>>>>>>
>> ssl start_tls
>>>>>>>>>>>>>>>
>>
>>>>>>>>>>>>>>>
>> If I run
>>>>>>>>>>>>>>>
>> openssl s_client -connect localhost:636 -showcerts 
>>>>>>>>>>>>>>>
>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>
>>
>>>>>>>>>>>>>>>
>> It looks OK
>>>>>>>>>>>>>>>
>>
>>>>>>>>>>>>>>>
>> Please help
>>>>>>>>>>>>>>>
>>
>>>>>>>>>>>>>>>
>> Thanks
>>>>>>>>>>>>>>>
>>
>>>>>>>>>>>>>>>
>
------------------------------------------------------------
------------ 
>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>
> -- 
>>>>>>>>>>>>>>>
> Fedora-directory-users mailing list
>>>>>>>>>>>>>>>
> Fedora-directory-usersredhat.com
>>>>>>>>>>>>>>>
> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users 
>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>
>   
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
-- 
>>>>>>>>>>>>>>>
Fedora-directory-users mailing list
>>>>>>>>>>>>>>>
Fedora-directory-usersredhat.com
>>>>>>>>>>>>>>>
https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users 
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
------------------------------------------------------------
------------ 
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>
Fedora-directory-users mailing list
>>>>>>>>>>>>>>
Fedora-directory-usersredhat.com
>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users 
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>   
>>>>>>>>>>>>>
>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>
Fedora-directory-users mailing list
>>>>>>>>>>>>>
Fedora-directory-usersredhat.com
>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users 
>>>>>>>>>>>>>
>>>>>>>>>>>>
------------------------------------------------------------
------------ 
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -- 
>>>>>>>>>>>>
Fedora-directory-users mailing list
>>>>>>>>>>>>
Fedora-directory-usersredhat.com
>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
>>>>>>>>>>>>   
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>>
Fedora-directory-users mailing list
>>>>>>>>>>>
Fedora-directory-usersredhat.com
>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
>>>>>>>>>>
------------------------------------------------------------
------------ 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>>
Fedora-directory-users mailing list
>>>>>>>>>>
Fedora-directory-usersredhat.com
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
>>>>>>>>>>   
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Fedora-directory-users
mailing list
>>>>>>>>>
Fedora-directory-usersredhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
>>>>>>>>
------------------------------------------------------------
------------ 
>>>>>>>>
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Fedora-directory-users
mailing list
>>>>>>>> Fedora-directory-usersredhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
>>>>>>>>   
>>>>>>>
>>>>>>> -- 
>>>>>>> Fedora-directory-users mailing
list
>>>>>>> Fedora-directory-usersredhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
>>>>>>
------------------------------------------------------------
------------ 
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-usersredhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
>>>>>>   
>>>>>
>>>>> -- 
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-usersredhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
>>>>
------------------------------------------------------------
------------ 
>>>>
>>>>
>>>> -- 
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-usersredhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
>>>>   
>>>
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-usersredhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
>>
------------------------------------------------------------
------------
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-usersredhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
>>   
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-usersredhat.com
> https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users
--
Fedora-directory-users mailing list
Fedora-directory-usersredhat.com
https://www.redhat.com/mailman/listinfo/fedora-dir
ectory-users

TLS trace: SSL3 alert write:fatal:unknown CA

Thread: TLS trace: SSL3 alert write:fatal:unknown CA