Thread: ldap: transient SSL_CTX_use_KMO failed. Error stack:

  1. #1: posted by florianz (Innsbruck, Austria; joined Oct 2007; 133 posts)

    battle to get ldap use a new certificate (edir 9.0.3)

    wanted to throw in what cost me some time to get it done, maybe somebody can guess
    what might be the issue here, because this made no sense to me.

    several applications authenticate against our edirectory infrastructure through
    ldap. the certificate ldap is using has SANs defined, to be able to address the
    server by using a dns-alias. the alias has an '_' (underscore) in its name. a new
    java application did not like that (even though it should be legal by
    dns-specification for some years now), so i wanted to quickly fix that
    by adding an additional dns-alias without an underscore, then create a new certificate
    having those in the SAN attribute as well.

    unfortunately the ldap-interface refused to work with that one (i did make the private key
    exportable, as i had issues with that in the past: https://forums.novell.com/showthread...45#post2461545)

    tracing pki / ldap said:
    ----------------------
    09:34:17 1BC0 LDAP: LDAP Agent for NetIQ eDirectory 9.0.3 (40005.15) started
    09:34:17 1BC0 LDAP: Updating server configuration
    09:34:17 1BC0 LDAP: Work info status: Total:2 Peak:2 Busy:0
    09:34:17 884 LDAP: Listener applying new configuration
    09:34:17 884 LDAP: LDAPURL: ldap://:389
    09:34:17 884 LDAP: LDAPURL: ldaps://:636
    09:34:17 884 LDAP: Listener setting up cleartext port 389
    09:34:17 884 LDAP: Listener setting up TLS port 636
    09:34:17 884 LDAP: SSLv3 disabled for secure LDAP connections.
    09:34:17 884 LDAP: TLS MEDIUM ciphers or higher required for TLS connections
    09:34:17 884 LDAP: TLS initialization successfully completed
    09:34:17 884 PKIAPI: NPKIGetServerKMOInfo called
    09:34:17 884 PKIAPI: NPKIGetServerKMOInfo exiting with -1219
    09:34:17 884 PKIAPI: libnpkiapi ~NPKI - destructor - begin
    09:34:17 884 PKIAPI: libnpkiapi ~NPKI - destructor - Context Freed
    09:34:17 884 PKIAPI: libnpkiapi ~NPKI - destructor - calling delete
    09:34:17 884 PKIAPI: libnpkiapi ~NPKI - destructor - calling DDCFreeContext
    09:34:17 884 PKIAPI: libnpkiapi ~NPKI - destructor - end
    09:34:17 884 LDAP: SSL_CTX_use_KMO failed. Error stack:
    09:34:17 884 PKIAPI: NPKIGetServerKMOInfo called
    09:34:17 884 PKIAPI: NPKIGetServerKMOInfo exiting with -1219
    09:34:17 884 PKIAPI: libnpkiapi ~NPKI - destructor - begin
    09:34:17 884 PKIAPI: libnpkiapi ~NPKI - destructor - Context Freed
    09:34:17 884 PKIAPI: libnpkiapi ~NPKI - destructor - calling delete
    09:34:17 884 PKIAPI: libnpkiapi ~NPKI - destructor - calling DDCFreeContext
    09:34:17 884 PKIAPI: libnpkiapi ~NPKI - destructor - end
    09:34:17 884 LDAP: SSL_CTX_use_KMO failed. Error stack:
    09:34:17 884 LDAP: Disabling TLS services because of configuration failure
    09:34:17 884 LDAP: Listener closing TLS port 636
    09:34:17 884 LDAP: LDAPURL: ldap://:389
    09:34:17 884 LDAP: LDAPURL: ldaps://:636
    09:34:17 884 LDAP: LDAPURL: ldap://:389
    09:34:17 884 LDAP: LDAPURL: ldaps://:636
    09:34:17 884 LDAP: Adding SASL module dependencies
    09:34:17 884 LDAP: SASL initialized successfully
    09:34:17 884 LDAP: SASL configured successfully
    ....
    ----------------------

    fiddled around, recreated the certificate several times, no chance to get that working.
    i think the line PKIAPI: NPKIGetServerKMOInfo exiting with -1219 from the trace indicates a
    problem with getting the kmo (the object did exist, i checked ..).
    see: getServerKMOInfo in https://www.novell.com/documentation...%20int,%20byte[][],%20java.lang.Integer,%20java.lang.Integer,%20byte[][],%20java.lang.Integer,%20byte[][])

    since the old certificate was named mycompany_myedirectory_LDAPCert and the new one
    mycompany_myedirectory_LDAPSCert i supposed this might (out of desperation) be a
    parsing error or a too long name. made a new certificate with the same options named
    something along the lines of 'mycert'. used that for ldap and it worked. made a new certificate
    named with exactly the same number of letters as the (originally wanted) name and it worked.
    made a new certificate with the name i wanted to have in the first place. and it worked.

    i do not understand why it did not work in the first place, any theory is welcome (i
    will have to do the same in production, and i'd be interested in every obscure theory
    to avoid multiple attempts to get ldap up and running with a new cert).

    thanks, florian
    Last edited by florianz; 16-May-2019 at 01:05 PM.
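The Java application's complaint about the underscore alias is the part of this post that is predictable: TLS hostname matchers check SAN dNSName entries against RFC 1123 hostname syntax (letters, digits, hyphens), not against the looser DNS label rules, so an underscore in a label fails even though DNS itself accepts it. The following is an added example (not code from the post or from eDirectory) that audits the SAN list of a certificate, in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, and reports which names a hostname matcher would reject; the sample certificate dict and the alias names in it are constructed.

```python
import re

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen,
# at most 63 characters. An underscore is a legal DNS label byte (RFC 2181) but
# not a legal hostname character, which is why TLS hostname matchers reject it.
_HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hostname_problems(name: str) -> list[str]:
    """Return the reasons `name` is not a valid TLS hostname (empty list if fine)."""
    problems = []
    if len(name) > 253:
        problems.append("name longer than 253 characters")
    for label in name.rstrip(".").split("."):
        if label == "":
            problems.append("empty label")
        elif "_" in label:
            problems.append(f"label '{label}' contains an underscore")
        elif not _HOSTNAME_LABEL.match(label):
            problems.append(f"label '{label}' is not RFC 1123 hostname syntax")
    return problems


def san_dns_names(peercert: dict) -> list[str]:
    """Extract dNSName entries from a getpeercert()-style dict."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def audit_san(peercert: dict) -> dict[str, list[str]]:
    """Map every SAN dNSName to the problems a hostname matcher would raise."""
    return {n: hostname_problems(n) for n in san_dns_names(peercert)}


# Constructed sample in getpeercert() shape, modelled on the aliases in the post
# (one alias with an underscore, one replacement alias without).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "ldap01.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap01.example.com"),
        ("DNS", "edir_ldap.example.com"),   # underscore alias the Java app refused
        ("DNS", "edir-ldap.example.com"),   # hyphenated replacement alias
    ),
}

if __name__ == "__main__":
    for name, problems in audit_san(SAMPLE_PEERCERT).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Against a live LDAPS listener the same dict comes from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` once the server's CA is trusted, so the audit can run before a new certificate is assigned to the LDAP server object.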
