[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Client says Can't contact LDAP server, but it can!



On Mon, Jul 28, 2008 at 11:55:28AM -0700, Quanah Gibson-Mount wrote:
> --On Monday, July 28, 2008 11:30 AM -0700 John Oliver 
> <joliver@john-oliver.net> wrote:
> 
> >On Mon, Jul 28, 2008 at 09:20:23AM +0200, Buchan Milne wrote:
> >>Or, ensure that the "CA certificate" that the clients use contains the
> >>certificates of the issuer of both of the server certificates, and that
> >>the  value of the subject CN on both certificates matches the name you
> >>use to  connect to the servers.
> >
> >I've tried:
> >
> >openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout
> >server.pem -days 3650
> 
> This generates a self-signed cert without a CA.  That's part of the root of 
> your problem.  By your own email, you have no concept of how SSL signing 
> and authority works.  Yet you reject the advice that's been given out of 
> hand.  Go back to the link I sent you, and set up your certs correctly, 
> which a valid self-generated CA, or do as others have suggested, stop using 
> SSL until you understand how it works.

I'm sorry, I'll try to be clearer.  You're absolutely right in that I
don't understand the intricacies of SSL.  I fully understand that's a
big part of the problem.  But the issue in front of me is that I have a
current setup that works.  I'm trying to get that same functionality out
of a second server.  You seem to be saying that self-signed certificates
just will not work, but that clearly isn't the case... the currently working
system uses a self-signed cert, and works perfectly.  I understand
that's far from ideal.  But authentication *works*.  At some point, when
I have time, I'd love to learn enough about this to create a working CA,
and generate certificates with it, and do everything "right".  But if I
try to do this "right", right now, I'm far more likely to wind up with
no working authentication at all.


-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************