Hello all, solved this:

[root@host html]# cd /etc/openldap/cacerts/
[root@host cacerts]# certutil -A -n "<insert cert nick here>" -t PC -i /etc/openldap/cacerts/<certname>.pem -d .
[root@host cacerts]# chmod +r *.db
[root@host cacerts]# ls -la
total 108
drwxr-xr-x. 2 root root  4096 Sep  2 15:08 .
drwxr-xr-x. 5 root root  4096 Sep  2 14:00 ..
lrwxrwxrwx  1 root root    10 Sep  1 16:20 <certhash>.0 -> <certname>.pem
-rw-r--r--  1 root root 65536 Sep  2 15:08 cert8.db
-rw-r--r--  1 root root 16384 Sep  2 15:08 key3.db
-rw-r--r--  1 root root 16384 Sep  2 15:08 secmod.db
-rw-r--r--  1 root root  1155 Sep  1 11:34 <certname>.pem
[root@host cacerts]# /etc/init.d/httpd restart
This will add the missing dbs and should work. This was also on a SL6.1 server.

Christopher Tooley
ctoo...@uvic.ca
Systems, HEP/Astronomy UVic

On 2011-09-02, at 2:18 PM, Christopher Tooley wrote:

> Hello all again,
>
> So, looking through the source of the openldap TLS stuff, I've found where the message is happening:
> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_m.c;h=c85d322014fa838341f3fefdea9a5f693fadc079;hb=f7a0fc9f8b7fa9cfecd6a075b2867abd149dd0de#l1669
>
> according to a comment a couple of lines up:
> "/* no moznss db found, or not using moznss db */"
>
> I have also done an strace on apache, here are the (I think) most relevant parts:
> --------------------------------------------------------------------------------
> stat("/etc/openldap/cacerts/secmod.db", 0x7fffe681c1c0) = -1 ENOENT (No such file or directory)
> open("/etc/openldap/cacerts/secmod.db", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat("/etc/openldap/cacerts/cert8.db", 0x7fffe681c580) = -1 ENOENT (No such file or directory)
> open("/etc/openldap/cacerts/cert8.db", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat("/etc/openldap/cacerts/cert7.db", 0x7fffe681c5b0) = -1 ENOENT (No such file or directory)
> open("/etc/openldap/cacerts/cert7.db", O_RDONLY) = -1 ENOENT (No such file or directory)
> open("/pkcs11.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
> access("/secmod.db", F_OK) = -1 ENOENT (No such file or directory)
> stat("/key3.db", 0x7fffe681c590) = -1 ENOENT (No such file or directory)
> open("/key3.db", O_RDONLY) = -1 ENOENT (No such file or directory)
> write(2, "TLS: could not initialize moznss"..., 68) = 68
> write(2, "TLS: could perform TLS system in"..., 46) = 46
> write(2, "TLS: error: could not initialize"..., 91) = 91
> write(2, "TLS: can't create ssl handle.\n", 30) = 30
> write(2, "ldap_err2string\n", 16) = 16
> write(2, "[Fri Sep 02 13:57:00 2011] [erro"..., 175) = 175
> write(2, "ldap_err2string\n", 16) = 16
> -----------------------------------------------------------------------------------
>
> So, it's looking for certs but I don't have those installed - nor do I think I should, as I think moznss is *supposed* to be a drop-in replacement for openssl afaik. How do I get apache/php to act like a proper ldap query agent and just use the .pem file located in /etc/openldap/cacerts/?
>
> I have a .pem file located in /etc/openldap/cacerts/<certname>.pem that seems to work fine with like every other LDAPS query I do...?? :\
>
> Thanks for any help!
>
> -Chris
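The check and fix from this thread, written up as a small script; this is an added example, not Chris's commands or anything from OpenLDAP. It assumes GNU stat and the NSS tools are installed, and the directory, PEM path and nickname are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: helpers that check an OpenLDAP
# cacerts directory for the legacy NSS db files (cert8.db, key3.db,
# secmod.db) the strace above shows libldap looking for, check that an
# unprivileged httpd can read them, and import a PEM CA with certutil.
# Assumes GNU stat and NSS tools; dir, pem and nick are placeholders.

NSS_DB_FILES="cert8.db key3.db secmod.db"

# Print the NSS db files missing from directory $1; return 0 if none are.
missing_nss_dbs() {
    missing=""
    for f in $NSS_DB_FILES; do
        [ -f "$1/$f" ] || missing="$missing $f"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Return 0 if every *.db in $1 is world-readable. Apache's workers run
# unprivileged, so they need read access (hence the chmod +r in the fix).
dbs_world_readable() {
    for f in "$1"/*.db; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f") || return 1              # GNU coreutils syntax
        case "$mode" in *[4567]) ;; *) return 1 ;; esac  # "other" read bit set?
    done
    return 0
}

# Import CA $2 (PEM) into the db in $1 under nickname $3, then verify.
# certutil -A creates the db files when absent (the ls -la in the thread
# shows this); "C,," marks the cert a trusted CA for SSL.
import_ca_pem() {
    certutil -A -n "$3" -t "C,," -i "$2" -d "$1" || return 1
    chmod a+r "$1"/*.db || return 1
    certutil -L -d "$1" -n "$3" >/dev/null || return 1
    dbs_world_readable "$1"
}

# Usage (placeholder paths): import_ca_pem /etc/openldap/cacerts /etc/openldap/cacerts/ca.pem "my-ca"
# then restart httpd so libldap re-initialises MozNSS.
```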