On 30/04/2019 at 15:50, Soisik Froger wrote:
> On 30/04/2019 15:17, Julien TEHERY wrote:
>> Ok.
>> Actually I don't have a problem with the destination certificate (the
>> server which runs lsc itself).
>> Both LSC connectors (remote source and local destination) are well
>> configured with FQDNs (which match CNs in SSL certificates).
> I'm confused because the original error message showed an IP address. Could you
> send the error message you're getting now? Since you say you are now using FQDN
> to configure URL, the error should look different, at least not showing an IP
> address.
> Also, what do you mean exactly by "I imported the certificate exactly as i did in
> /etc/ssl/certs/java/cacerts"?
> If it is a self-signed certificate, you need to get the CA root certificate
> that was used to sign the server certificate (this is the file that was given
> to the openssl command under the -CA option when the certificate was created)
> and import it in the keystore (not copy it in a folder) using instructions
> https://lsc-project.org/documentation/howto/ssltls#global_uselsc_will_use_system-wide_jvm_truststore.
> Regards
Yes, you're right, that's because I tried several setups :)
Now I have:
avr. 30 15:54:30 - ERROR - org.lsc.exception.LscConfigurationException:
Configuration exception: javax.naming.CommunicationException: simple
bind failed: myserver.mydomain.lan:636 [Root exception is
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: No name matching
myserver.mydomain.lan found]
Certificates have been imported with:
For Samba4 (destination)
keytool -import -storepass changeit -noprompt -file /var/lib/samba/private/tls/ca.pem -keystore cacerts
=> This certificate is generated automatically with samba4 installer and
works perfectly
For Remote LDAP (source)
keytool -import -alias myserver.mydomain.lan -storepass changeit -noprompt -file /tmp/cacert.pem -keystore cacerts
=> This certificate is a self-signed certificate provided by a customer,
it contains a CN which seems to be valid but doesn't contain a SAN, which
I suppose is mandatory?
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
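An added example, not part of the thread or of LSC, for checking which names a certificate carries (the CN and SAN question raised in the last message): it builds three constructed self-signed certificates for the thread's placeholder host `myserver.mydomain.lan` and runs OpenSSL's hostname check against each. The function names and `other.mydomain.lan` are made up for the illustration, and OpenSSL's check is used here as a stand-in for the JVM's, which is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): which names does a certificate carry,
# and does a given hostname match them? Needs OpenSSL 1.1.1+ for -addext.

# make_cert OUT CN [SAN]: create a constructed self-signed test certificate.
make_cert() {
    out=$1; cn=$2; san=$3
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$out.key" \
            -out "$out" -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$out.key" \
            -out "$out" -subj "/CN=$cn" 2>/dev/null
    fi
}

# cert_names CERT: print the subject and any DNS/IP subjectAltName entries.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -E 'DNS:|IP Address:' \
        || echo "    (no subjectAltName)"
}

# host_matches CERT HOST: exit 0 if OpenSSL's hostname check accepts HOST.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# report CERT HOST: print "match" or "NO match".
report() {
    if host_matches "$1" "$2"; then echo "match"; else echo "NO match"; fi
}

# Constructed sample: CN only, CN plus matching SAN, CN plus a different SAN.
demo() {
    dir=$(mktemp -d) && host=myserver.mydomain.lan
    make_cert "$dir/cn_only.pem" "$host"
    make_cert "$dir/san_ok.pem" "$host" "DNS:$host"
    make_cert "$dir/san_other.pem" "$host" "DNS:other.mydomain.lan"
    for c in cn_only san_ok san_other; do
        echo "== $c"; cert_names "$dir/$c.pem"
        echo "    $host: $(report "$dir/$c.pem" "$host")"
    done
    rm -rf "$dir"
}
demo
```

To examine the certificate the LDAP server actually presents, save the PEM block printed by `openssl s_client -connect myserver.mydomain.lan:636` to a file and pass it to `cert_names` and `report`.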