rlm_ldap TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..

Reyor, William F. wreyor at fairfield.edu
Mon Nov 28 19:19:27 CET 2016


Therein lies the trouble. How do I get the LDAP module to trust a 
certificate?

-----Original Message-----
From: Freeradius-Users 
[mailto:freeradius-users-bounces+wreyor=fairfield.edu at lists.freeradius.org] On 
Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: Monday, November 28, 2016 11:56 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: rlm_ldap TLS: can't connect: TLS error -8172:Peer's certificate 
issuer has been marked as not trusted by the user..

Hi,
> Has anyone run into this issue on rhel 7? If I test unencrypted I can
> authenticate against ldap without issue. However if I set
> /etc/raddb/mods-enabled/ldap to use port 636 (encrypted) I receive the
> following certificate error.
>
> rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap):
> Connecting to authdir.fairfield.edu:636
> TLS: certificate [CN=AddTrust External CA Root,OU=AddTrust External
> TTP Network,O=AddTrust AB,C=SE] is not valid - error -8172:Peer's
> certificate issuer has been marked as not trusted by the user..
> TLS: error: connect - force handshake failure: errno 21 - moznss error
> -8172
> TLS: can't connect: TLS error -8172:Peer's certificate issuer has been
> marked as not trusted by the user..

well, you've asked to connect securely...but you haven't configured your client 
to trust the certificate presented by the server - fairly clear from that 
output, yes?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
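The piece of configuration the question is asking about, as an added example rather than anything posted in the thread: in FreeRADIUS 3.x the `tls` sub-section of the rlm_ldap instance in /etc/raddb/mods-enabled/ldap tells libldap which CA bundle to trust for the ldaps connection. The bundle path is a placeholder; it must contain the PEM certificate(s) of the CA chain that actually issued the LDAP server's certificate (the "AddTrust External CA Root" chain in the logged error), and `require_cert = 'demand'` makes a failed chain check fatal instead of silently accepted.

```conf
ldap {
    # ldaps:// on 636 is TLS from the first byte, so no StartTLS upgrade
    server = 'authdir.fairfield.edu'
    port = 636

    tls {
        start_tls = no

        # PEM bundle holding the issuing CA chain for the server certificate.
        # Placeholder path: copy the real chain here, readable by the radiusd user.
        ca_file = /etc/raddb/certs/ldap-ca-chain.pem

        # 'demand': refuse the connection unless the presented certificate chains
        # to ca_file and its name matches. Do not use 'never' or 'allow' to make
        # the error go away; that disables the check the error is reporting.
        require_cert = 'demand'
    }
}
```

Before restarting radiusd, confirm the bundle really completes the chain with `openssl s_client -connect authdir.fairfield.edu:636 -CAfile /etc/raddb/certs/ldap-ca-chain.pem`, which should end with "Verify return code: 0 (ok)". The -8172 code in the log is an NSS error, so on RHEL 7 the NSS-backed libldap also honours a system-wide TLS_CACERT setting in /etc/openldap/ldap.conf if the trust should apply to every LDAP client on the host.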