Could not start TLS encryption

General support questions
golden3
Posts: 50
Joined: 2014/07/22 05:55:42

Could not start TLS encryption

Post by golden3 » 2015/02/09 10:57:51

Hello Guys,

I have configured the OpenLDAP directory server. Now I'm trying to log in as the test user from a client machine, and I'm seeing the error message below in /var/log/messages.
Can anyone help me get rid of the error below?

localhost sssd [be[default]] :Could not start TLS encryption. TLS error -1872 : Peer's certificate issuer has been marked as not trusted by the user.

Thanks & Regards
Golden John S

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Could not start TLS encryption

Post by aks » 2015/02/09 17:29:15

That just means that the certificate presented is NOT trusted by your certificate store, so it's pointless setting up an SSL transaction. Either add the CA's certificate (of the CA who minted the certificate) or run LDAP without the certificate trust bit (if you can; you may not be able to, as it is a bad idea from a security perspective).
If it's a self-signed certificate, google for "self signed certificate" and "openldap".

golden3
Posts: 50
Joined: 2014/07/22 05:55:42

Re: Could not start TLS encryption

Post by golden3 » 2015/03/30 08:55:52

Self-signed certificates are created without any issues, but the problem shown in /var/log/messages is:

Could not start TLS encryption. TLS error -8172: Peers's certificate issuer has been marked as not trusted by the user.

Kindly give some remedy.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Could not start TLS encryption

Post by TrevorH » 2015/03/30 09:51:52

You have to add the CA certificate that signed the LDAP server's cert to the client. The default location is /etc/openldap/certs, so copy your CA cert in there, and then you have to create a symlink to it that is named after the c_hash of the cert. Run /etc/pki/tls/misc/c_hash /etc/openldap/certs/ca.crt and it will tell you an 8-digit hex number; you then have to create a symlink called that 8-digit number followed by .0, pointing to the ca.crt file.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

golden3
Posts: 50
Joined: 2014/07/22 05:55:42

Re: Could not start TLS encryption

Post by golden3 » 2015/03/31 10:15:15

When I try to run the above command, it shows the error below:

Error opening Certificate /etc/openldap/certs/ca.crt
139995926329160:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/openldap/certs/ca.crt','r')
139995926329160:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
.0 => /etc/openldap/certs/ca.crt

Can you give some remedy?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Could not start TLS encryption

Post by TrevorH » 2015/03/31 11:06:45

Did you copy your CA cert into that directory first? Did you call it the same name as the example I used in the command?

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Could not start TLS encryption

Post by aks » 2015/03/31 19:09:45

Have you checked permissions and/or selinux contexts on the file?
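As an added example (not code from the thread or from any of its posters), here is the procedure TrevorH describes, with the checks the later replies turned out to need: it refuses to hash a file that was never copied into place (the "No such file or directory" failure above), makes the installed copy world-readable (aks's permissions point), creates the HASH.N symlink the way the c_hash/c_rehash scripts do, and then verifies a server certificate against the directory exactly as a TLS client would. It assumes openssl is on PATH, that `openssl x509 -hash` prints the same subject hash /etc/pki/tls/misc/c_hash wraps, and it takes the certificate directory as an argument so it can be tried in a scratch directory before touching /etc/openldap/certs.

```shell
#!/bin/sh
# Added example, not code from the thread. Install a CA certificate into an
# OpenLDAP client's certificate directory under the subject-hash symlink name
# that OpenSSL looks up, then verify that a server certificate chains to it.
# Assumption: openssl is on PATH; the hash from `openssl x509 -hash` is what
# /etc/pki/tls/misc/c_hash prints.

# install_ca_cert CERT [CERTDIR]   (CERTDIR defaults to /etc/openldap/certs)
install_ca_cert() {
    cert="$1"
    certdir="${2:-/etc/openldap/certs}"

    # The error in the thread came from hashing a path that was never
    # populated, so check the source file before doing anything else.
    if [ ! -r "$cert" ]; then
        echo "install_ca_cert: cannot read '$cert': copy the CA certificate there first" >&2
        return 1
    fi

    # A client must trust the issuer, not the server's leaf certificate;
    # warn if this does not look like a CA certificate at all.
    if ! openssl x509 -noout -text -in "$cert" 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "install_ca_cert: warning: '$cert' has no CA:TRUE basic constraint" >&2
    fi

    # Same subject hash c_hash prints (8 hex digits).
    hash=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || {
        echo "install_ca_cert: '$cert' is not a PEM certificate" >&2
        return 1
    }

    name=$(basename "$cert")
    mkdir -p "$certdir" || return 1
    if [ ! "$cert" -ef "$certdir/$name" ]; then
        cp "$cert" "$certdir/$name" || return 1
    fi
    # sssd and the ldap tools run unprivileged: the file must be world-readable
    # (on SELinux hosts also compare its context with `ls -Z` against its neighbours).
    chmod 0644 "$certdir/$name" || return 1

    # OpenSSL probes HASH.0, HASH.1, ... so two CAs sharing a subject hash need
    # distinct suffixes; an existing link is reused only if it already points here.
    n=0
    while :; do
        link="$certdir/$hash.$n"
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            ln -s "$name" "$link" || return 1
            break
        fi
        if [ "$(readlink "$link")" = "$name" ]; then
            break
        fi
        n=$((n + 1))
    done
    echo "$link -> $name"
}

# verify_server_cert SERVERCERT CERTDIR: succeeds only if SERVERCERT chains to
# a CA reachable through the hash links in CERTDIR, which is what the TLS
# client does when it decides whether the issuer is trusted.
verify_server_cert() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Stand-alone use: sh install_ca.sh /path/to/ca.crt [/etc/openldap/certs]
if [ $# -ge 1 ]; then
    install_ca_cert "$@"
fi
```

Run it as root with the CA certificate and the directory from TrevorH's post, then confirm with `verify_server_cert` against the LDAP server's certificate before retrying the client login; a failing verify at that point means the wrong certificate (the server's leaf instead of its issuer) or a file the client cannot read, which are the two things the replies above ask about.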
