On Tue, Feb 12, 2008 at 02:55:32PM -0800, Richard A Nelson wrote:
> On Tue, 12 Feb 2008, Andrew Reid wrote:
>
> >>Since the message deals with the peer certificate, you need
> >>to verify not the local cacert certificate - but the LDAP server
> >>certificate itself.
[etc.]
> Rats... I had hoped the command would say that one (or both) of your
> server certificates were expired - but it doesn't even show the
> certificate lifetimes :(
>
> > Hope this helps. Please feel free to make educational comments
> >about how SSL is supposed to work along the way.
>
> s/educational comments/wild gueses/
>
> I'm down to using
> openssl x509 -text -in <certificate>
> on both the server certificate, and its signer - if it is not the
> same as your local CA certificate you already validated
Well, this turns out to be informative -- having been clued-in
that there are, in fact, two certificates, I've checked the other
one, and it is indeed expired.
I'm still perplexed as to why this set-up works for the
other systems -- my attention was focussed on the "lenny" client
because it was system on which things failed. I shall dig around
some more.
-- A.
--
Dr. Andrew C. E. Reid
Computer Operations Administrator
Center for Theoretical and Computational Materials Science
National Institute of Standards and Technology, Mail Stop 8910
Gaithersburg MD 20899 USA
[EMAIL PROTECTED]
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]