Comments below.

-----Original Message-----
From: dev-tech-crypto-bounces+rodney.simioni=verio....@lists.mozilla.org [mailto:dev-tech-crypto-bounces+rodney.simioni=verio.net@lists.mozilla.org] On Behalf Of Robert Relyea
Sent: Thursday, June 20, 2013 7:16 PM
To: dev-tech-crypto@lists.mozilla.org; Elio Maldonado
Subject: Re: moznss error -8172

On 06/20/2013 02:56 PM, Rodney Simioni wrote:
> I'm trying to set up LDAP/SSL/TLS. Somebody told me that PKCS is a 
> moznss issue and I should ask this question with you guys and not the 
> openssl group.

What OS are you running?  It does look like you are using NSS.
[[Rod's comment]] Red Hat 6.4
>
>   
>
> TLS: certdb config: configDir='/etc/openldap/cacerts/'
> tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
>
> TLS: cannot open certdb '/etc/openldap/cacerts/', error -8018:Unknown 
> PKCS #11 error.
Here it looks like it's trying to open NSS databases located in
/etc/openldap/cacerts. Since it doesn't actually fail here, I presume
that it's now falling back to something else, so I don't think this is
necessarily your problem.
[[Rod's comment]] Thanks.
>
> TLS: loaded CA certificate file /etc/openldap/cacerts//5e5a5bcb.0 from CA certificate directory /etc/openldap/cacerts/.
I'm guessing it is using libpem here to load the openldap certificate. It
seems to indicate that this was successful.
[[Rod's comment]] Agreed.
>
> TLS: certificate [E=s...@stuff.com,CN=fl1-lsh99apa007.securesites.com,OU=shit,O=Verio,L=Boca,ST=Florida,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
>
> TLS: error: connect - force handshake failure: errno 0 - moznss error
> -8172
>
> TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
>
> ldap_err2string
>
> ldap_start_tls: Connect error (-11)
>
>          additional info: TLS error -8172:Peer's certificate issuer 
> has been marked as not trusted by the user.
This means that the given cert wasn't signed by any trusted certificate.

[[Rod's comment]] Can I sign it by using the CA I downloaded from
Geotrust?
This could be because the certificate was not found in
/etc/openldap/cacerts/53515bcb.0, or that the libpem decided not to
trust the cert found in this location.
>
>   
>
> Any help will be greatly appreciated.

I'm guessing that you are running on some version of RHEL or Fedora. Can
you say which one?
[[Rod's comment]] Red Hat 6.4

Thanks,

bob
>
>   
>
> Rod
>
>
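Bob's point that -8172 means the peer's issuer is not in the trusted set can be checked directly against the hashed CA directory. The script below is an added example, not code from this thread; it uses the openssl CLI rather than NSS/libpem to inspect the <hash>.N layout, and the demo CA and the name ldap.example.test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: check an OpenSSL-style hashed CA
# directory (the layout behind /etc/openldap/cacerts/<hash>.0 above) for the
# issuer of a server certificate and verify the chain. Assumes the openssl
# CLI is installed; the demo CA and server names are constructed.
set -e

# Hash OpenSSL uses to name a CA file in a CApath directory (e.g. 5e5a5bcb.0).
ca_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# 0 if CApath holds a file <issuer_hash>.N for the issuer of the server cert.
issuer_present() {
    server_cert=$1; capath=$2
    h=$(openssl x509 -noout -issuer_hash -in "$server_cert")
    for f in "$capath"/"$h".*; do
        [ -f "$f" ] && return 0
    done
    echo "no $h.N file in $capath for the issuer of $server_cert" >&2
    return 1
}

# 0 if the server certificate chains to a CA found in CApath.
verify_chain() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Constructed demo: a throwaway CA signs a server cert; the chain fails to
# verify until the CA is installed under its hash name, then succeeds.
demo() {
    d=$(mktemp -d); capath="$d/cacerts"; mkdir "$capath"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
    rc=1
    # Untrusted issuer: the same condition the -8172 log lines report.
    if verify_chain "$d/srv.pem" "$capath"; then rc=2; fi
    cp "$d/ca.pem" "$capath/$(ca_hash "$d/ca.pem").0"
    if [ "$rc" = 1 ] && issuer_present "$d/srv.pem" "$capath" \
        && verify_chain "$d/srv.pem" "$capath"; then rc=0; fi
    rm -rf "$d"
    return "$rc"
}
```

Run `issuer_present server.pem /etc/openldap/cacerts/` on the real server certificate to see whether the directory actually contains the issuer under the expected hash name.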



